[Jool-list] Hairpinning problem

Alberto Leiva ydahhrk at gmail.com
Mon Apr 3 09:56:20 CDT 2017 

Sorry, I messed up. This is wrong:

    Translation prefix: 2001:db8::/64

It should read like this:

    Translation prefix: 2001:db8::/96

On Mon, Apr 3, 2017 at 9:47 AM, Alberto Leiva <ydahhrk at gmail.com> wrote:

> Well, I can't tell for sure since I can't see your prefixes, but from this:
>
>     [  725.945125] NAT64 Jool: Catching IPv6 packet:
> 64:ff9b::a21:1->64:ff9b::ac10:184
>
> I can guess that maybe you jumped from the traditional SIIT tutorial
> straight to the NAT64 tutorial and didn't bother to change the addresses.
>
> Your IPv6 nodes' network does not need to start with the translation
> prefix. That's a traditional SIIT-only thing. The point of Stateful NAT64
> is that any IPv6 node can access the IPv4 side; not just a selected few
> where you have control over their addresses.
>
> In traditional SIIT, you have three prefixes. One is the translation
> prefix, and the other ones are the network prefixes. The network prefixes
> are always subnetworks of the translation prefix. For example,
>
>     Translation prefix: 2001:db8::/64
>     IPv6 network prefix: 2001:db8::0102:0300/120
>     IPv4 network prefix (IPv6 implicit): 1.2.4.0/24
> (2001:db8::0102:0400/120)
>
> So you send a packet from 2001:db8::0102:0301 to 2001:db8::0102:0401. This
> makes sense because these two addresses belong to different networks, and
> the translator simply needs to remove the translation prefix.
>
> On the other hand, in Stateful NAT64, when you do this,
>
>     modprobe jool pool6=64:ff9b::/96
>
> you have to think that you're essentially renaming the whole IPv4 Internet
> as 64:ff9b::/96. This being the case, Jool thinks that 64:ff9b::a21:1 is
> sending a packet to a node from its own network, and it somehow ended in
> the translator's hands. Which is technically legal in some situations
> (namely "hairpinning"), but this isn't one of them. As it is, Jool thinks
> that the IPv6 node is trying to attack it: https://tools.ietf.org/html/
> rfc6146#section-5.4
>
> I think that this should head you in the right direction. I can explain
> hairpinning and hairpinning loops if you want, but I don't think that
> you'll be needing it in the near future.
>
> Alberto
>
>
> On Mon, Apr 3, 2017 at 6:36 AM, Eduardo Montoya <emontoya at kirale.com>
> wrote:
>
>> Hi, is anyone able to explain me why this response packet is being
>> dropped?
>>
>> [  725.939726] NAT64 Jool: ==============================
>> =================
>> [  725.939746] NAT64 Jool: Catching IPv4 packet:
>> 172.16.1.132->172.16.1.141
>> [  725.939757] NAT64 Jool: Step 1: Determining the Incoming Tuple
>> [  725.939771] NAT64 Jool: Tuple: 172.16.1.132#43563 ->
>> 172.16.1.141#20000 (UDP)
>> [  725.939780] NAT64 Jool: Done step 1.
>> [  725.939788] NAT64 Jool: Step 2: Filtering and Updating
>> [  725.939816] NAT64 Jool: BIB entry: 64:ff9b::a21:1#49191 -
>> 172.16.1.141#20000 (UDP)
>> [  725.939835] NAT64 Jool: Session entry: 64:ff9b::a21:1#49191 -
>> 64:ff9b::ac10:184#43563 | 172.16.1.141#20000 - 172.16.1.132#43563 (UDP)
>> [  725.939845] NAT64 Jool: Done: Step 2.
>> [  725.939854] NAT64 Jool: Step 3: Computing the Outgoing Tuple
>> [  725.939869] NAT64 Jool: Tuple: 64:ff9b::ac10:184#43563 ->
>> 64:ff9b::a21:1#49191 (UDP)
>> [  725.939877] NAT64 Jool: Done step 3.
>> [  725.939886] NAT64 Jool: Step 4: Translating the Packet
>> [  725.939907] NAT64 Jool: Done step 4.
>> [  725.939932] NAT64 Jool: Packet routed via device 'usb1'.
>> [  725.939941] NAT64 Jool: Sending skb.
>> [  725.940026] NAT64 Jool: Success.
>> [  725.945090] NAT64 Jool: ==============================
>> =================
>> [  725.945125] NAT64 Jool: Catching IPv6 packet:
>> 64:ff9b::a21:1->64:ff9b::ac10:184
>> [  725.945142] NAT64 Jool: Step 1: Determining the Incoming Tuple
>> [  725.945163] NAT64 Jool: Tuple: 64:ff9b::a21:1#49191 ->
>> 64:ff9b::ac10:184#43563 (UDP)
>> [  725.945174] NAT64 Jool: Done step 1.
>> [  725.945185] NAT64 Jool: Step 2: Filtering and Updating
>> [  725.945198] NAT64 Jool: Hairpinning loop. Dropping...
>> [  726.139093] NAT64 Jool: ==============================
>> =================
>>
>> Thanks.
>>
>> --
>>          *Eduardo Montoya*
>> --------------------------------------------
>> Embedded Firmware Engineer
>> Kirale Technologies S.L.
>> Logroño, SPAIN
>>
>> www.kirale.com
>>
>>
>> _______________________________________________
>> Jool-list mailing list
>> Jool-list at nic.mx
>> https://mail-lists.nic.mx/listas/listinfo/jool-list
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail-lists.nic.mx/pipermail/jool-list/attachments/20170403/c6026e19/attachment-0001.html>

More information about the Jool-list mailing list