[Jool-list] returned IPv6 packets

Michael Richardson mcr at sandelman.ca
Mon Aug 3 12:46:49 CDT 2015


I have a scenario where I'm trying to use Jool along with an IP6-in-IPv4
(ESP/IPsec) tunnel.

The setup looks like:

    +---------+            +-----------------------+
    | JJ (164)|===tunnel===|Parker(165) Jool(166)  >---IPv4---
    +---------+            +-----------------------+

My IP addresses are ULA:  fd68:c9f9:4157::/48, with fd68:c9f9:4157:2:0:1::/96
being the prefix given towards Jool.  (I have an /etc/network/interfaces
script that creates a macvlan interface, and runs dhcp on it to get another
IPv4 address for Jool, since it can't share yet).

The purpose of the setup is that the "parker" nodes are located in different
parts of the Internet, and the JJ node can send packets to the IPv4 Internet
from a central place, to get a view of the Internet from that location.
(There are many other architectures that one could envision to do such
proxying, but there are some legal advantages to this architecture which
aren't relevant to the technology.)

Presently the two machines are VMs colocated on the same (NAT44, IPv6-native)
LAN.

Tcpdump on "parker":

1. 13:34:12.229238 IP 10.10.4.164 > 10.10.4.165: ESP(spi=0xb09a1f94,seq=0x6b), length 148
2. 13:34:12.229238 IP6 , wrong link-layer encapsulationbad-hlen 0
3. 13:34:12.229317 IP 10.10.4.166 > 8.8.8.8: ICMP echo request, id 59134, seq 107, length 64
4. 13:34:12.238962 IP 8.8.8.8 > 10.10.4.166: ICMP echo reply, id 59134, seq 107, length 64
5. 13:34:12.239000 IP6 fd68:c9f9:4157:2:0:1:808:808 > fd68:c9f9:4157::a0a:4a4: frag (0|64) ICMP6, echo reply, seq 107, length 64

Packet #2 is odd, and something I'm investigating on the tcpdump side of
things; it's the IP6 packet coming out of the tunnel.

I am running:
  JJ# ping6 -I fd68:c9f9:4157::a0a:4a4 fd68:c9f9:4157:2:0:1:8.8.8.8

and as you can see, Jool is doing the right thing, sending out the v4 packet
(step 3), receiving the reply (step 4), and forming an IPv6 packet... only,
it's fragmented!
I can't see why it would be fragmented, given that it's 64 bytes.
Bug?

This is jool 3.2.2, which I realize is a few months old, and I'll upgrade.

Bug number two might well be that for some reason the xfrm IPsec stack is
unable to match this fragment and put it in the tunnel.
I will have to do some experiments to confirm/deny this part too.

Is there a way to dump "everything" in jool that relates to the state of it?
Maybe this is really everything?

parker-[~] mcr 10238 %sudo jool -4
10.10.4.166
  (Fetched 1 addresses.)
parker-[~] mcr 10239 %sudo jool -6
64:ff9b::/96
fd68:c9f9:4157:2:0:1::/96
  (Fetched 2 prefixes.)
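
The address arithmetic behind capture lines 3 to 5, as an added example that is not part of the original post: it applies the RFC 6052 /96 embedding to the pool6 prefix listed by jool -6 and pairs the IPv4 echo reply with its translated IPv6 counterpart, reporting whether that packet carries a fragment header. Function names are hypothetical; the capture lines are copied from the post with the list numbers dropped.

```python
import ipaddress
import re

# Taken from the post: the pool6 prefix given to Jool and tcpdump lines 3-5.
POOL6 = ipaddress.IPv6Network("fd68:c9f9:4157:2:0:1::/96")
CAPTURE = """\
13:34:12.229317 IP 10.10.4.166 > 8.8.8.8: ICMP echo request, id 59134, seq 107, length 64
13:34:12.238962 IP 8.8.8.8 > 10.10.4.166: ICMP echo reply, id 59134, seq 107, length 64
13:34:12.239000 IP6 fd68:c9f9:4157:2:0:1:808:808 > fd68:c9f9:4157::a0a:4a4: frag (0|64) ICMP6, echo reply, seq 107, length 64
"""
LINE = re.compile(r"^(\S+) (IP6?) (\S+) > (\S+): (.*)$")

def embed(v4, prefix=POOL6):
    """RFC 6052 /96 embedding: the IPv4 address becomes the low 32 bits."""
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 case is handled in this example")
    return ipaddress.IPv6Address(
        int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))

def extract(v6, prefix=POOL6):
    """Inverse mapping; None when the address is outside the prefix."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)

def parse(capture):
    """Turn tcpdump text lines into dicts; unparseable lines are skipped."""
    packets = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, family, src, dst, rest = m.groups()
        seq = re.search(r"seq (\d+)", rest)
        packets.append({"ts": ts, "family": family, "src": src, "dst": dst,
                        "seq": int(seq.group(1)) if seq else None,
                        "reply": "echo reply" in rest,
                        "frag": rest.startswith("frag")})
    return packets

def translated_replies(capture):
    """Pair each IPv4 echo reply with the IPv6 reply sourced from its RFC 6052 image."""
    pkts = parse(capture)
    pairs = []
    for p4 in (p for p in pkts if p["family"] == "IP" and p["reply"]):
        want = embed(p4["src"])
        for p6 in (p for p in pkts if p["family"] == "IP6" and p["reply"]):
            if ipaddress.IPv6Address(p6["src"]) == want and p6["seq"] == p4["seq"]:
                pairs.append((p4["src"], str(want), p6["frag"]))
    return pairs
```
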


