[Jool-list] Hairpinning problem

Alberto Leiva ydahhrk at gmail.com
Mon Apr 3 09:47:46 CDT 2017


Well, I can't tell for sure since I can't see your prefixes, but from this:

    [  725.945125] NAT64 Jool: Catching IPv6 packet: 64:ff9b::a21:1->64:ff9b::ac10:184

I can guess that maybe you jumped from the traditional SIIT tutorial
straight to the NAT64 tutorial and didn't bother to change the addresses.

Your IPv6 nodes' network does not need to start with the translation
prefix. That's a traditional SIIT-only thing. The point of Stateful NAT64
is that any IPv6 node can access the IPv4 side; not just a selected few
where you have control over their addresses.

In traditional SIIT, you have three prefixes. One is the translation
prefix, and the other ones are the network prefixes. The network prefixes
are always subnetworks of the translation prefix. For example,

    Translation prefix: 2001:db8::/64
    IPv6 network prefix: 2001:db8::0102:0300/120
    IPv4 network prefix (IPv6 implicit): 1.2.4.0/24 (2001:db8::0102:0400/120)

So you send a packet from 2001:db8::0102:0301 to 2001:db8::0102:0401. This
makes sense because these two addresses belong to different networks, and
the translator simply needs to remove the translation prefix.

On the other hand, in Stateful NAT64, when you do this,

    modprobe jool pool6=64:ff9b::/96

you have to think that you're essentially renaming the whole IPv4 Internet
as 64:ff9b::/96. This being the case, Jool thinks that 64:ff9b::a21:1 is
sending a packet to a node from its own network, and it somehow ended in
the translator's hands. Which is technically legal in some situations
(namely "hairpinning"), but this isn't one of them. As it is, Jool thinks
that the IPv6 node is trying to attack it:
https://tools.ietf.org/html/rfc6146#section-5.4

I think that this should head you in the right direction. I can explain
hairpinning and hairpinning loops if you want, but I don't think that
you'll be needing it in the near future.

Alberto


On Mon, Apr 3, 2017 at 6:36 AM, Eduardo Montoya <emontoya at kirale.com> wrote:

> Hi, is anyone able to explain to me why this response packet is being dropped?
>
> [  725.939726] NAT64 Jool: ===============================================
> [  725.939746] NAT64 Jool: Catching IPv4 packet: 172.16.1.132->172.16.1.141
> [  725.939757] NAT64 Jool: Step 1: Determining the Incoming Tuple
> [  725.939771] NAT64 Jool: Tuple: 172.16.1.132#43563 -> 172.16.1.141#20000 (UDP)
> [  725.939780] NAT64 Jool: Done step 1.
> [  725.939788] NAT64 Jool: Step 2: Filtering and Updating
> [  725.939816] NAT64 Jool: BIB entry: 64:ff9b::a21:1#49191 - 172.16.1.141#20000 (UDP)
> [  725.939835] NAT64 Jool: Session entry: 64:ff9b::a21:1#49191 - 64:ff9b::ac10:184#43563 | 172.16.1.141#20000 - 172.16.1.132#43563 (UDP)
> [  725.939845] NAT64 Jool: Done: Step 2.
> [  725.939854] NAT64 Jool: Step 3: Computing the Outgoing Tuple
> [  725.939869] NAT64 Jool: Tuple: 64:ff9b::ac10:184#43563 -> 64:ff9b::a21:1#49191 (UDP)
> [  725.939877] NAT64 Jool: Done step 3.
> [  725.939886] NAT64 Jool: Step 4: Translating the Packet
> [  725.939907] NAT64 Jool: Done step 4.
> [  725.939932] NAT64 Jool: Packet routed via device 'usb1'.
> [  725.939941] NAT64 Jool: Sending skb.
> [  725.940026] NAT64 Jool: Success.
> [  725.945090] NAT64 Jool: ===============================================
> [  725.945125] NAT64 Jool: Catching IPv6 packet: 64:ff9b::a21:1->64:ff9b::ac10:184
> [  725.945142] NAT64 Jool: Step 1: Determining the Incoming Tuple
> [  725.945163] NAT64 Jool: Tuple: 64:ff9b::a21:1#49191 -> 64:ff9b::ac10:184#43563 (UDP)
> [  725.945174] NAT64 Jool: Done step 1.
> [  725.945185] NAT64 Jool: Step 2: Filtering and Updating
> [  725.945198] NAT64 Jool: Hairpinning loop. Dropping...
> [  726.139093] NAT64 Jool: ===============================================
>
> Thanks.
>
> --
>          *Eduardo Montoya*
> --------------------------------------------
> Embedded Firmware Engineer
> Kirale Technologies S.L.
> Logroño, SPAIN
>
> www.kirale.com
>
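
The check discussed in this thread, as an added example (not code from the original messages or from Jool): a simplified Python version of the RFC 6146 rule that an IPv6 packet whose source lies inside pool6 is dropped as a hairpinning loop, run over "Catching IPv6 packet" log lines. It assumes a /96 pool6 and log lines joined onto one line; the sample log is constructed, and 2001:db8::5 is a made-up documentation address.

```python
import ipaddress
import re

POOL6 = ipaddress.ip_network("64:ff9b::/96")  # pool6 from the modprobe line in the thread

# Constructed sample: the packet shape from the thread, plus one whose
# source is outside pool6 (2001:db8::5 is a hypothetical IPv6 node).
SAMPLE_LOG = """\
[  725.945125] NAT64 Jool: Catching IPv6 packet: 64:ff9b::a21:1->64:ff9b::ac10:184
[  900.000001] NAT64 Jool: Catching IPv6 packet: 2001:db8::5->64:ff9b::ac10:184
"""

CATCH6 = re.compile(r"Catching IPv6 packet:\s*([0-9a-fA-F:]+)->([0-9a-fA-F:]+)")


def embedded_ipv4(addr, pool6=POOL6):
    """Return the IPv4 address in the low 32 bits of a pool6 address, else None."""
    if pool6.prefixlen != 96:
        raise ValueError("this sketch only handles /96 prefixes")
    if addr not in pool6:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def classify(line, pool6=POOL6):
    """Apply the source-in-pool6 check to one log line; None if it does not match."""
    m = CATCH6.search(line)
    if not m:
        return None
    src, dst = (ipaddress.IPv6Address(a) for a in m.groups())
    if src in pool6:
        # Source claims to be a translated IPv4 node: hairpinning loop.
        verdict = "drop: source inside pool6"
    elif dst not in pool6:
        # Assumption of this sketch: such packets are not translation candidates.
        verdict = "ignored: destination outside pool6"
    else:
        verdict = "translate"
    return {"src": src, "dst": dst, "verdict": verdict,
            "src_v4": embedded_ipv4(src, pool6),
            "dst_v4": embedded_ipv4(dst, pool6)}


def audit(log_text, pool6=POOL6):
    """Classify every matching line of a log dump."""
    return [r for r in map(classify, log_text.splitlines()) if r]


if __name__ == "__main__":
    for r in audit(SAMPLE_LOG):
        print(f"{r['src']} (v4 {r['src_v4']}) -> {r['dst']} (v4 {r['dst_v4']}): {r['verdict']}")
```

Decoding the embedded addresses shows what the translator sees: a source that reads as IPv4 node 10.33.0.1 sending to 172.16.1.132, both "inside" the renamed IPv4 Internet.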