Message ID | 1389442059-3047-1-git-send-email-fx.lebail@yahoo.com |
---|---|
State | Rejected, archived |
Delegated to: | David Miller |
Hello!

I am just curious: since when is TCP allowed to use anycast addresses?

Alexey Kuznetsov

--
To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Sat, 1/11/14, Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> wrote:
> Hello!
> I am just curious: since when is TCP allowed to use anycast addresses?

As said in http://tools.ietf.org/html/draft-iab-anycast-arch-implications-12.html#section-2.1 (this informational draft is in the RFC queue):

" No firm conclusion was reached regarding use of TCP with anycasted services, but it was observed that anycasting was useful for DNS, although it did introduce some new complexities."

For this to work, there is a need for appropriate routing (BGP, ...).

Many DNS root servers use TCP with anycast (IPv4 and IPv6).

See: http://tools.ietf.org/html/draft-jabley-dnsop-anycast-mapping-04#section-4

" L-Root service is provided using a single IPv4 address (199.7.83.42) and a single IPv6 address (2001:500:3::42). It should be noted that it is preferable to refer to the service using its DNS name (L.ROOT-SERVERS.NET) rather than literal addresses, since addresses can change from time to time."

François-Xavier Le Bail
Hello!

On Sat, Jan 11, 2014 at 5:06 PM, François-Xavier Le Bail <fx.lebail@yahoo.com> wrote:
> Many DNS root servers use TCP with anycast (IPv4 and IPv6).
>
> See: http://tools.ietf.org/html/draft-jabley-dnsop-anycast-mapping-04#section-4
>
> " L-Root service is provided using a single IPv4 address (199.7.83.42)
> and a single IPv6 address (2001:500:3::42). It should be noted that
> it is preferable to refer to the service using its DNS name (L.ROOT-
> SERVERS.NET) rather than literal addresses, since addresses can
> change from time to time."

Is this all? It looks like this implies routing by deep packet inspection, fetching some creepy node identification options from inside the DNS payload (not written directly, but implied). This smells funky.

Actually, I was alerted by the reset processing in your patch; it cannot be right.

Don't you think this must not be enabled for common use? At least some separate sysctl, disabled by default.
On 11/01/14 - 05:06:10, François-Xavier Le Bail wrote:
> On Sat, 1/11/14, Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> wrote:
> As said in http://tools.ietf.org/html/draft-iab-anycast-arch-implications-12.html#section-2.1
> (this informational draft is in the RFC queue)

This draft does not say that TCP should be used with anycast addresses. Rather the opposite:

" This document does not treat in any depth the fact that there are deployed services with TCP transport using anycast today. Evidence exists to suggest that such practice is not "safe" in the traditional and architectural sense (as described in Section 4.2). "

And Section 4.2 gives more information.

http://tools.ietf.org/html/draft-iab-anycast-arch-implications-12.html#section-4.2

Christoph

> " No firm conclusion was reached regarding
> use of TCP with anycasted services, but it was observed that
> anycasting was useful for DNS, although it did introduce some new
> complexities."
>
> For this to work, there is a need for appropriate routing (BGP, ...).
>
> Many DNS root servers use TCP with anycast (IPv4 and IPv6).
>
> See: http://tools.ietf.org/html/draft-jabley-dnsop-anycast-mapping-04#section-4
>
> " L-Root service is provided using a single IPv4 address (199.7.83.42)
> and a single IPv6 address (2001:500:3::42). It should be noted that
> it is preferable to refer to the service using its DNS name (L.ROOT-
> SERVERS.NET) rather than literal addresses, since addresses can
> change from time to time."
>
> François-Xavier Le Bail
On Sat, 1/11/14, Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> wrote:

Hello,

> Actually, I was alerted by the reset processing in your patch; it cannot be right.

Did I miss something? Please explain why there is an error.

> Don't you think this must not be enabled for common use? At least
> some separate sysctl, disabled by default.

Why not? But if a patch can enable the anycast case without breaking "normal" usage, I think we can enable this by default. Those who don't need anycast will not use it.
Hi!

On Sat, Jan 11, 2014 at 05:38:27PM +0400, Alexey Kuznetsov wrote:
> On Sat, Jan 11, 2014 at 5:06 PM, François-Xavier Le Bail
> <fx.lebail@yahoo.com> wrote:
> > Many DNS root servers use TCP with anycast (IPv4 and IPv6).
> >
> > See: http://tools.ietf.org/html/draft-jabley-dnsop-anycast-mapping-04#section-4
> >
> > " L-Root service is provided using a single IPv4 address (199.7.83.42)
> > and a single IPv6 address (2001:500:3::42). It should be noted that
> > it is preferable to refer to the service using its DNS name (L.ROOT-
> > SERVERS.NET) rather than literal addresses, since addresses can
> > change from time to time."
>
> Is this all? It looks like this implies routing by deep packet inspection,
> fetching some creepy node identification options from inside the DNS payload
> (not written directly, but implied). This smells funky.
>
> Actually, I was alerted by the reset processing in your patch; it cannot be right.
>
> Don't you think this must not be enabled for common use? At least
> some separate sysctl, disabled by default.

RFC 4291 - IP Version 6 Addressing Architecture started to allow the use of anycast addresses as source addresses. This would be great to have DNS servers listening on them, but they need to respond to both UDP and TCP.

The idea I had was that if a socket knowingly binds to an anycast address, it is allowed to do so and to process queries on it with both TCP and UDP. I don't think we need a sysctl for that? Anycast addresses are either pre-defined (e.g. the subnet router anycast address) or specified by a flag when the administrator adds one.

Currently one can only add anycast addresses either by forwarding, which gets the per-subnet anycast address, or with a setsockopt IPV6_JOIN_ANYCAST.

So the problem is what should be allowed when the socket listens on an "any" address? Maybe this should be protected by a sysctl?

Greetings,

Hannes
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index ffd5fa8..85297b8 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -832,7 +832,8 @@ static void tcp_v6_send_reset(struct sock *sk, struct sk_buff *skb) if (th->rst) return; - if (!ipv6_unicast_destination(skb)) + if (!ipv6_unicast_destination(skb) && + !ipv6_anycast_destination(skb)) return; #ifdef CONFIG_TCP_MD5SIG @@ -963,7 +964,8 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb) if (skb->protocol == htons(ETH_P_IP)) return tcp_v4_conn_request(sk, skb); - if (!ipv6_unicast_destination(skb)) + if (!ipv6_unicast_destination(skb) && + !ipv6_anycast_destination(skb)) goto drop; if ((sysctl_tcp_syncookies == 2 ||
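Review bot: relaxing the guard in tcp_v6_send_reset() (`if (!ipv6_unicast_destination(skb) && !ipv6_anycast_destination(skb)) return;`) makes the RST path run for every segment whose destination is an anycast address the host holds, where the old test dropped such segments silently; as Hannes notes in the thread, a forwarding host holds the per-subnet anycast address without any socket ever binding to it, so every such host now becomes a RST responder for that address. This is the "reset processing" Alexey objects to, and the changelog says nothing about it. Suggest keeping the unconditional drop for the no-socket case (or limiting the RST to segments that matched a socket bound to the anycast address) and stating in the changelog why answering an anycast destination with a RST is acceptable.

Review bot: the relaxed drop test in tcp_v6_conn_request() applies to every listener, so a socket bound to the unspecified address starts accepting SYNs addressed to an anycast destination without the administrator opting in; that is exactly the case Hannes asks about and the one Alexey wants behind a sysctl that is off by default. Suggest accepting the SYN only when the listener is bound to that anycast address, or adding the sysctl, and documenting the choice in the changelog. Two smaller points: ipv6_anycast_destination() is not defined anywhere in this diff (the diffstat touches only net/ipv6/tcp_ipv6.c), so the cover text should say which earlier patch introduces it; and the same two-line condition now appears in both hunks, where a single helper (e.g. a `unicast or anycast destination` predicate) would keep them from drifting apart.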
- Use ipv6_anycast_destination() in tcp_v6_send_reset() and tcp_v6_conn_request().

Signed-off-by: Francois-Xavier Le Bail <fx.lebail@yahoo.com>
---
Tested with link-local and global anycast addresses.
Tested with SOCK_STREAM socket, bind and TCP traffic OK.

 net/ipv6/tcp_ipv6.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
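The user-space side of what Hannes describes (a forwarding host acquires the subnet-router anycast address on its own; any other anycast address has to be joined with IPV6_JOIN_ANYCAST before a socket can bind to it) and of the submitter's "bind and TCP traffic OK" test, as an added example that is not part of the patch or of any message in the thread. The helper names, the interface name eth0, the documentation prefix 2001:db8:1::/64 and port 5353 are my assumptions; the subnet-router anycast construction follows RFC 4291 section 2.6.1.

```c
/*
 * Added example, not from the patch or the netdev thread. Derives the
 * subnet-router anycast address for a prefix, joins an anycast address on
 * an interface and binds a TCP listener to it. Names and addresses here
 * are illustrative assumptions.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IPV6_JOIN_ANYCAST
#define IPV6_JOIN_ANYCAST 27   /* Linux value, as in <linux/in6.h> */
#endif

/* RFC 4291 2.6.1: subnet-router anycast = subnet prefix followed by zeros.
 * Returns false for an invalid prefix length. */
bool subnet_router_anycast(const struct in6_addr *prefix, int plen,
                           struct in6_addr *out)
{
    if (plen < 0 || plen > 128)
        return false;
    memset(out, 0, sizeof(*out));
    int full = plen / 8, rem = plen % 8;
    memcpy(out->s6_addr, prefix->s6_addr, full);
    if (rem)   /* keep only the leading `rem` bits of the partial byte */
        out->s6_addr[full] = prefix->s6_addr[full] & (uint8_t)(0xff << (8 - rem));
    return true;
}

/* True if addr has an all-zero interface identifier under plen, i.e. it is
 * syntactically the subnet-router anycast address. Any other anycast address
 * is indistinguishable from unicast by inspection, which is why the kernel
 * has to track joined anycast addresses per device. */
bool is_subnet_router_anycast(const struct in6_addr *addr, int plen)
{
    struct in6_addr masked;
    if (!subnet_router_anycast(addr, plen, &masked))
        return false;
    return memcmp(&masked, addr, sizeof(masked)) == 0;
}

/* Join addr as an anycast address on ifname, then bind a TCP listener to it.
 * Returns the listening fd, or -1 with errno set. Needs a real interface;
 * the kernel rejects the join with EINVAL if addr is already one of this
 * host's unicast addresses, and drops the anycast entry when fd is closed. */
int anycast_tcp_listener(const char *ifname, const struct in6_addr *addr,
                         uint16_t port)
{
    unsigned ifindex = if_nametoindex(ifname);
    if (ifindex == 0)
        return -1;
    int fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    struct ipv6_mreq req = { .ipv6mr_multiaddr = *addr,
                             .ipv6mr_interface = ifindex };
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_JOIN_ANYCAST, &req, sizeof(req)) < 0)
        goto fail;

    struct sockaddr_in6 sa = { .sin6_family = AF_INET6,
                               .sin6_port = htons(port), .sin6_addr = *addr };
    if (IN6_IS_ADDR_LINKLOCAL(addr))
        sa.sin6_scope_id = ifindex;   /* link-local addresses need the scope */
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 || listen(fd, 16) < 0)
        goto fail;
    return fd;

fail: {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
}

int main(void)
{
    /* Constructed input: a host address inside the 2001:db8:1::/64 prefix. */
    struct in6_addr host, ac;
    inet_pton(AF_INET6, "2001:db8:1::1", &host);
    subnet_router_anycast(&host, 64, &ac);

    char buf[INET6_ADDRSTRLEN];
    printf("subnet-router anycast: %s\n", inet_ntop(AF_INET6, &ac, buf, sizeof buf));

    int fd = anycast_tcp_listener("eth0", &ac, 5353);
    if (fd < 0) {
        perror("anycast_tcp_listener");
        return 1;
    }
    printf("listening on [%s]:5353 via anycast\n", buf);
    close(fd);
    return 0;
}
```

Without the patch under discussion a SYN reaching the listener is dropped before it matches the socket, so the join and bind succeed but the connect from a peer times out; with it, the handshake completes. The join is what distinguishes an administrator who deliberately configured the address from a forwarding host that received the subnet-router anycast address implicitly, which is the distinction the thread is arguing about.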