[Jool-list] Hairpinning problem

Eduardo Montoya emontoya at kirale.com
Tue Apr 4 02:44:17 CDT 2017


Thanks Alberto. My problem was that the IPv6 prefix was the same as the
pool6. Solved now.

2017-04-03 16:56 GMT+02:00 Alberto Leiva <ydahhrk at gmail.com>:

> Sorry, I messed up. This is wrong:
>
>     Translation prefix: 2001:db8::/64
>
> It should read like this:
>
>     Translation prefix: 2001:db8::/96
>
> On Mon, Apr 3, 2017 at 9:47 AM, Alberto Leiva <ydahhrk at gmail.com> wrote:
>
>> Well, I can't tell for sure since I can't see your prefixes, but from
>> this:
>>
>>     [  725.945125] NAT64 Jool: Catching IPv6 packet: 64:ff9b::a21:1->64:ff9b::ac10:184
>>
>> I can guess that maybe you jumped from the traditional SIIT tutorial
>> straight to the NAT64 tutorial and didn't bother to change the addresses.
>>
>> Your IPv6 nodes' network does not need to start with the translation
>> prefix. That's a traditional SIIT-only thing. The point of Stateful NAT64
>> is that any IPv6 node can access the IPv4 side; not just a selected few
>> where you have control over their addresses.
>>
>> In traditional SIIT, you have three prefixes. One is the translation
>> prefix, and the other ones are the network prefixes. The network prefixes
>> are always subnetworks of the translation prefix. For example,
>>
>>     Translation prefix: 2001:db8::/64
>>     IPv6 network prefix: 2001:db8::0102:0300/120
>>     IPv4 network prefix (IPv6 implicit): 1.2.4.0/24 (2001:db8::0102:0400/120)
>>
>> So you send a packet from 2001:db8::0102:0301 to 2001:db8::0102:0401.
>> This makes sense because these two addresses belong to different networks,
>> and the translator simply needs to remove the translation prefix.
>>
>> On the other hand, in Stateful NAT64, when you do this,
>>
>>     modprobe jool pool6=64:ff9b::/96
>>
>> you have to think that you're essentially renaming the whole IPv4
>> Internet as 64:ff9b::/96. This being the case, Jool thinks that
>> 64:ff9b::a21:1 is sending a packet to a node from its own network, and it
>> somehow ended in the translator's hands. Which is technically legal in some
>> situations (namely "hairpinning"), but this isn't one of them. As it is,
>> Jool thinks that the IPv6 node is trying to attack it:
>> https://tools.ietf.org/html/rfc6146#section-5.4
>>
>> I think that this should head you in the right direction. I can explain
>> hairpinning and hairpinning loops if you want, but I don't think that
>> you'll be needing it in the near future.
>>
>> Alberto
>>
>>
>> On Mon, Apr 3, 2017 at 6:36 AM, Eduardo Montoya <emontoya at kirale.com>
>> wrote:
>>
>>> Hi, is anyone able to explain to me why this response packet is being
>>> dropped?
>>>
>>> [  725.939726] NAT64 Jool: ===============================================
>>> [  725.939746] NAT64 Jool: Catching IPv4 packet: 172.16.1.132->172.16.1.141
>>> [  725.939757] NAT64 Jool: Step 1: Determining the Incoming Tuple
>>> [  725.939771] NAT64 Jool: Tuple: 172.16.1.132#43563 -> 172.16.1.141#20000 (UDP)
>>> [  725.939780] NAT64 Jool: Done step 1.
>>> [  725.939788] NAT64 Jool: Step 2: Filtering and Updating
>>> [  725.939816] NAT64 Jool: BIB entry: 64:ff9b::a21:1#49191 - 172.16.1.141#20000 (UDP)
>>> [  725.939835] NAT64 Jool: Session entry: 64:ff9b::a21:1#49191 - 64:ff9b::ac10:184#43563 | 172.16.1.141#20000 - 172.16.1.132#43563 (UDP)
>>> [  725.939845] NAT64 Jool: Done: Step 2.
>>> [  725.939854] NAT64 Jool: Step 3: Computing the Outgoing Tuple
>>> [  725.939869] NAT64 Jool: Tuple: 64:ff9b::ac10:184#43563 -> 64:ff9b::a21:1#49191 (UDP)
>>> [  725.939877] NAT64 Jool: Done step 3.
>>> [  725.939886] NAT64 Jool: Step 4: Translating the Packet
>>> [  725.939907] NAT64 Jool: Done step 4.
>>> [  725.939932] NAT64 Jool: Packet routed via device 'usb1'.
>>> [  725.939941] NAT64 Jool: Sending skb.
>>> [  725.940026] NAT64 Jool: Success.
>>> [  725.945090] NAT64 Jool: ===============================================
>>> [  725.945125] NAT64 Jool: Catching IPv6 packet: 64:ff9b::a21:1->64:ff9b::ac10:184
>>> [  725.945142] NAT64 Jool: Step 1: Determining the Incoming Tuple
>>> [  725.945163] NAT64 Jool: Tuple: 64:ff9b::a21:1#49191 -> 64:ff9b::ac10:184#43563 (UDP)
>>> [  725.945174] NAT64 Jool: Done step 1.
>>> [  725.945185] NAT64 Jool: Step 2: Filtering and Updating
>>> [  725.945198] NAT64 Jool: Hairpinning loop. Dropping...
>>> [  726.139093] NAT64 Jool: ===============================================
>>>
>>> Thanks.
>>>
>>> --
>>>          *Eduardo Montoya*
>>> --------------------------------------------
>>> Embedded Firmware Engineer
>>> Kirale Technologies S.L.
>>> Logroño, SPAIN
>>>
>>> www.kirale.com


-- 
         *Eduardo Montoya*
--------------------------------------------
Embedded Firmware Engineer
Kirale Technologies S.L.
Logroño, SPAIN

www.kirale.com
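
Added example, not part of the thread and not Jool's code: a simplified Python model of the source-address check discussed above, using pool6 and the two addresses from the log. The function names and the 2001:db8:1::/64 node network are hypothetical; only /96 prefixes are handled.

```python
import ipaddress

# pool6 as given in the thread's modprobe line.
POOL6 = ipaddress.ip_network("64:ff9b::/96")


def embedded_ipv4(addr, pool6=POOL6):
    """Return the IPv4 address carried in the low 32 bits of addr
    (the /96 layout), or None if addr is outside pool6."""
    if pool6.prefixlen != 96:
        raise ValueError("this sketch only handles /96 prefixes")
    ip = ipaddress.ip_address(addr)
    if ip not in pool6:
        return None
    return ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF)


def classify(src, dst, pool6=POOL6):
    """Simplified decision for an IPv6 packet reaching the translator.
    Assumption: this models only the checks described in the thread."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if src_ip in pool6:
        # The source claims to be a renamed IPv4 node, so the packet
        # should never have arrived on the IPv6 side.
        return "drop: source inside pool6 (hairpinning loop)"
    if dst_ip not in pool6:
        return "ignore: destination not in pool6"
    return "translate to %s" % embedded_ipv4(dst, pool6)


def overlapping_networks(node_networks, pool6=POOL6):
    """Configuration check: IPv6 node networks that overlap pool6."""
    return [n for n in node_networks
            if ipaddress.ip_network(n).overlaps(pool6)]


if __name__ == "__main__":
    # Packet from the log: both addresses sit inside pool6.
    print(classify("64:ff9b::a21:1", "64:ff9b::ac10:184"))
    # Same destination, source moved to a constructed non-pool6 network.
    print(classify("2001:db8:1::5", "64:ff9b::ac10:184"))
    # Node prefix equal to pool6 (the misconfiguration) is flagged.
    print(overlapping_networks(["64:ff9b::/96", "2001:db8:1::/64"]))
```
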