Reorder controller startup
parent
7c3bcceb29
commit
0540b43f7f
2 changed files with 182 additions and 182 deletions
358
doc/plan.org
|
@ -138,6 +138,8 @@
|
|||
| | Again checksum errors in NDP answer | |
|
||||
| | Added debug code to send table ID towards controller | |
|
||||
| | | |
|
||||
| 2019-03-26 | | |
|
||||
| | Find out where packet is stuck | |
|
||||
| | | |
|
||||
| 2019-03-28 | Meet Laurent #4 | |
|
||||
| | - Router solicitation for finding router on startup! | |
|
||||
|
@ -174,16 +176,6 @@
|
|||
| 2019-08-01 | Latest start writing documentation | |
|
||||
| 2019-08-21 | hand in thesis | |
|
||||
* Topics / Tasks
|
||||
** Admin
|
||||
*** DONE Clarify PDF / form with Denise Spicher: free form description
|
||||
*** TODO Create task description to be handed in mystudies
|
||||
*** DONE Create list of tasks / initial brainstorming
|
||||
*** TODO Get OK from Ueli Maurer that thesis is valid in Information Security Area
|
||||
*** TODO Find out how-when-whom-where to meet / define schedule
|
||||
*** TODO Latex and/or org-mode for the thesis?
|
||||
*** TODO Add initial milestones
|
||||
**** 180d plan
|
||||
**** 25w
|
||||
** Thesis implementation
|
||||
*** DONE Setup test VM for P4: 2a0a:e5c0:2:12:400:f0ff:fea9:c3e3
|
||||
*** DONE Get feature list of jool
|
||||
|
@ -191,7 +183,121 @@
|
|||
*** DONE Setup P4 base / structure
|
||||
*** DONE Create minimal controller for populating tables
|
||||
*** DONE Checkout / review egress settings
|
||||
*** DONE Create Basis to translate ipv6 --> ipv4 with a (freely programmable) prefix; test ping6_switch
|
||||
**** DONE Insert prefix into switch: v6_networks
|
||||
**** DONE Support multiple ipv6 source networks: need new table w/ 2 keys! -> not at the moment
|
||||
**** DONE Write test.py to generate correct destination packets
|
||||
>>> a = ipaddress.ip_network("2001:db8::/32")
|
||||
>>> b = ipaddress.ip_address("10.0.0.1")
|
||||
>>> a[int(b)]
|
||||
IPv6Address('2001:db8::a00:1')
|
||||
**** DONE Using test.py, new NDP packets been seen, bur zero icmp on the outgoing side
|
||||
p4@ubuntu:~/master-thesis/p4app$ python test.py --method v6_static_mapping --debug
|
||||
INFO:main:Trying to reach 10.0.0.1 (64:ff9b::a00:1) from h1
|
||||
sudo: unable to resolve host ubuntu
|
||||
PING 64:ff9b::a00:1(64:ff9b::a00:1) 56 data bytes
|
||||
|
||||
--- 64:ff9b::a00:1 ping statistics ---
|
||||
1 packets transmitted, 0 received, 100% packet loss, time 0ms
|
||||
|
||||
p4@ubuntu:~/master-thesis/p4app$
|
||||
\x00\x00\x00 :\xff\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x00\n\xff\xfe\x00\x00\x01 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x87\x00\x08+\x00\x00\x00\x00 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x01\x01\x00\x00\n\x00\x00\x01' |>>
|
||||
DEBUG:main:cpu = <CpuHeader task=ICMP6_GENERAL ingress_port=1 type=0x86dd |<Raw load='`\x00\x00\x00\x00 :\xff\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x00\n\xff\xfe\x00\x00\x01 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x87\x00\x08+\x00\x00\x00\x00 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x01\x01\x00\x00\n\x00\x00\x01' |>>
|
||||
DEBUG:main:reassambled=<Ether dst=00:00:0a:00:00:42 src=00:00:0a:00:00:01 type=0x86dd |<IPv6 version=6 tc=0 fl=0 plen=32 nh=ICMPv6 hlim=255 src=fe80::200:aff:fe00:1 dst=2001:db8::42 |<ICMPv6ND_NS type=Neighbor Solicitation code=0 cksum=0x82b res=0 tgt=2001:db8::42 |<ICMPv6NDOptSrcLLAddr type=1 len=1 lladdr=00:00:0a:00:00:01 |>>>>
|
||||
DEBUG:main:INCOMING: <Ether dst=00:00:0a:00:00:42 src=00:00:0a:00:00:01 type=0x4242 |<Raw load='\x00\x02\x00\x01\x86\xdd`\x00\x00\x00\x00 :\xff\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x00\n\xff\xfe\x00\x00\x01 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x87\x00\x08+\x00\x00\x00\x00 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x01\x01\x00\x00\n\x00\x00\x01' |>>
|
||||
DEBUG:main:cpu = <CpuHeader task=ICMP6_GENERAL ingress_port=1 type=0x86dd |<Raw load='`\x00\x00\x00\x00 :\xff\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x00\n\xff\xfe\x00\x00\x01 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x87\x00\x08+\x00\x00\x00\x00 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x01\x01\x00\x00\n\x00\x00\x01' |>>
|
||||
DEBUG:main:reassambled=<Ether dst=00:00:0a:00:00:42 src=00:00:0a:00:00:01 type=0x86dd |<IPv6 version=6 tc=0 fl=0 plen=32 nh=ICMPv6 hlim=255 src=fe80::200:aff:fe00:1 dst=2001:db8::42 |<ICMPv6ND_NS type=Neighbor Solicitation code=0 cksum=0x82b res=0 tgt=2001:db8::42 |<ICMPv6NDOptSrcLLAddr type=1 len=1 lladdr=00:00:0a:00:00:01 |>>>>
|
||||
DEBUG:main:INCOMING: <Ether dst=00:00:0a:00:00:42 src=00:00:0a:00:00:01 type=0x4242 |<Raw load='\x00\x02\x00\x01\x86\xdd`\x00\x00\x00\x00 :\xff\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x00\n\xff\xfe\x00\x00\x01 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x87\x00\x08+\x00\x00\x00\x00 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x01\x01\x00\x00\n\x00\x00\x01' |>>
|
||||
DEBUG:main:cpu = <CpuHeader task=ICMP6_GENERAL ingress_port=1 type=0x86dd |<Raw load='`\x00\x00\x00\x00 :\xff\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x00\n\xff\xfe\x00\x00\x01 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x87\x00\x08+\x00\x00\x00\x00 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x01\x01\x00\x00\n\x00\x00\x01' |>>
|
||||
DEBUG:main:reassambled=<Ether dst=00:00:0a:00:00:42 src=00:00:0a:00:00:01 type=0x86dd |<IPv6 version=6 tc=0 fl=0 plen=32 nh=ICMPv6 hlim=255 src=fe80::200:aff:fe00:1 dst=2001:db8::42 |<ICMPv6ND_NS type=Neighbor Solicitation code=0 cksum=0x82b res=0 tgt=2001:db8::42 |<ICMPv6NDOptSrcLLAddr type=1 len=1 lladdr=00:00:0a:00:00:01 |>>>>
|
||||
|
||||
**** DONE Debug why neighbor discover does not work anymore
|
||||
***** log
|
||||
p4@ubuntu:~$ mx h1 tcpdump -lni any
|
||||
sudo: unable to resolve host ubuntu
|
||||
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
|
||||
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
|
||||
|
||||
19:57:53.258805 IP6 fe80::200:aff:fe00:1 > ff02::1:ff00:42: ICMP6, neighbor solicitation, who has 2001:db8::42, length 32
|
||||
19:57:54.256924 IP6 2001:db8::1 > 2001:db8::1: ICMP6, destination unreachable, unreachable address 64:ff9b::a00:1, length 112
|
||||
|
||||
EBUG:main:INCOMING: <Ether dst=33:33:ff:00:00:42 src=00:00:0a:00:00:01 type=0x4242 |<Raw load='\x00\x01\x00\x01\x86\xdd`\x00\x00\x00\x00 :\xff\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x00\n\xff\xfe\x00\x00\x01\xff\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xff\x00\x00B\x87\x007\xdf\x00\x00\x00\x00 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x01\x01\x00\x00\n\x00\x00\x01' |>>
|
||||
DEBUG:main:cpu = <CpuHeader task=ICMP6_NS ingress_port=1 type=0x86dd |<Raw load='`\x00\x00\x00\x00 :\xff\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x00\n\xff\xfe\x00\x00\x01\xff\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xff\x00\x00B\x87\x007\xdf\x00\x00\x00\x00 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x01\x01\x00\x00\n\x00\x00\x01' |>>
|
||||
DEBUG:main:reassambled=<Ether dst=33:33:ff:00:00:42 src=00:00:0a:00:00:01 type=0x86dd |<IPv6 version=6 tc=0 fl=0 plen=32 nh=ICMPv6 hlim=255 src=fe80::200:aff:fe00:1 dst=ff02::1:ff00:42 |<ICMPv6ND_NS type=Neighbor Solicitation code=0 cksum=0x37df res=0 tgt=2001:db8::42 |<ICMPv6NDOptSrcLLAddr type=1 len=1 lladdr=00:00:0a:00:00:01 |>>>>
|
||||
INFO:main:Doing neighbor solicitation
|
||||
DEBUG:main:OUTGOING: <Ether dst=00:00:0a:00:00:01 src=00:00:0a:00:00:42 type=0x86dd |<IPv6 nh=ICMPv6 hlim=255 src=2001:db8::42 dst=fe80::200:aff:fe00:1 |<ICMPv6ND_NA cksum=None R=0 S=1 tgt=2001:db8::42 |<ICMPv6NDOptDstLLAddr lladdr=00:00:0a:00:00:42 |>>>>
|
||||
DEBUG:main:INCOMING: <Ether dst=00:00:0a:00:00:01
|
||||
src=00:00:0a:00:00:42 type=0x86dd |<IPv6 version=6 tc=0 fl=0 plen=32
|
||||
nh=ICMPv6 hlim=255 src=2001:db8::42
|
||||
dst=fe80::200:aff:fe00:1 |<ICMPv6ND_NA type=Neighbor Advertisement
|
||||
code=0 cksum=0xa5e9 R=0 S=1 O=1 res=0x0
|
||||
tgt=2001:db8::42 |<ICMPv6NDOptDstLLAddr type=2 len=1
|
||||
lladdr=00:00:0a:00:00:42 |>>>>
|
||||
|
||||
|
||||
After removing noise:
|
||||
|
||||
DEBUG:main:reassambled=<Ether dst=33:33:ff:00:00:42 src=00:00:0a:00:00:01 type=0x86dd |<IPv6 version=6 tc=0 fl=0 plen=32 nh=ICMPv6 hlim=255 src=fe80::200:aff:fe00:1 dst=ff02::1:ff00:42 |<ICMPv6ND_NS type=Neighbor Solicitation code=0 cksum=0x37df res=0 tgt=2001:db8::42 |<ICMPv6NDOptSrcLLAddr type=1 len=1 lladdr=00:00:0a:00:00:01 |>>>>
|
||||
DEBUG:main:reassambled=<Ether dst=33:33:ff:00:00:42 src=00:00:0a:00:00:01 type=0x86dd |<IPv6 version=6 tc=0 fl=0 plen=32 nh=ICMPv6 hlim=255 src=fe80::200:aff:fe00:1 dst=ff02::1:ff00:42 |<ICMPv6ND_NS type=Neighbor Solicitation code=0 cksum=0x37df res=0 tgt=2001:db8::42 |<ICMPv6NDOptSrcLLAddr type=1 len=1 lladdr=00:00:0a:00:00:01 |>>>>
|
||||
DEBUG:main:reassambled=<Ether dst=33:33:ff:00:00:42 src=00:00:0a:00:00:01 type=0x86dd |<IPv6 version=6 tc=0 fl=0 plen=32 nh=ICMPv6 hlim=255 src=2001:db8::1 dst=ff02::1:ff00:42 |<ICMPv6ND_NS type=Neighbor Solicitation code=0 cksum=0x13a7 res=0 tgt=2001:db8::42 |<ICMPv6NDOptSrcLLAddr type=1 len=1 lladdr=00:00:0a:00:00:01 |>>>>
|
||||
DEBUG:main:reassambled=<Ether dst=33:33:ff:00:00:42 src=00:00:0a:00:00:01 type=0x86dd |<IPv6 version=6 tc=0 fl=0 plen=32 nh=ICMPv6 hlim=255 src=2001:db8::1 dst=ff02::1:ff00:42 |<ICMPv6ND_NS type=Neighbor Solicitation code=0 cksum=0x13a7 res=0 tgt=2001:db8::42 |<ICMPv6NDOptSrcLLAddr type=1 len=1 lladdr=00:00:0a:00:00:01 |>>>>
|
||||
DEBUG:main:reassambled=<Ether dst=33:33:ff:00:00:42 src=00:00:0a:00:00:01 type=0x86dd |<IPv6 version=6 tc=0 fl=0 plen=32 nh=ICMPv6 hlim=255 src=2001:db8::1 dst=ff02::1:ff00:42 |<ICMPv6ND_NS type=Neighbor Solicitation code=0 cksum=0x13a7 res=0 tgt=2001:db8::42 |<ICMPv6NDOptSrcLLAddr type=1 len=1 lladdr=00:00:0a:00:00:01 |>>>>
|
||||
|
||||
***** Do we have routing for fe80::/10? Probably not. Shouldn't we see it in the controller then?
|
||||
***** NDP is controller only!
|
||||
**** DONE Finish NDP in switch
|
||||
***** DONE Need to set R/S/O bits
|
||||
***** DONE Need to parse R/S/O bits
|
||||
**** DONE Maybe merge v6_address and v6_networks - /128 is the same
|
||||
**** DONE Implement address learning? -> not at the moment
|
||||
**** DONE Not sure whether we should react on router solicitation -> not at the moment
|
||||
- Using static routes -> should do the job
|
||||
**** DONE Implement the calculation
|
||||
Currently offset + ip address
|
||||
**** DONE Sketch the flow for session handling for icmp6 w/o packet loss
|
||||
- switch receives icmp6 packet for known prefix
|
||||
- controller needs to create session entry (?)
|
||||
|
||||
Not sure what I meant to do here - closing.
|
||||
**** DONE Create table entry for mapping v4->v6 [net]
|
||||
**** DONE Create table entry for mapping v6->v4 [net]
|
||||
*** TODO Implement ICMP <-> ICMP6 translation
|
||||
**** 2019-02-28 / icmp testing / first NDP steps
|
||||
***** pinging in router mode: nothing shown in the controller, multicast forwarded -> "ok"
|
||||
|
||||
root@ubuntu:~/master-thesis/p4app# ping6 -c1 2001:db8:61::42
|
||||
PING 2001:db8:61::42(2001:db8:61::42) 56 data bytes
|
||||
From 2001:db8:61::1 icmp_seq=1 Destination unreachable: Address unreachable
|
||||
|
||||
--- 2001:db8:61::42 ping statistics ---
|
||||
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
|
||||
|
||||
root@ubuntu:~/master-thesis/p4app#
|
||||
|
||||
|
||||
sudo: unable to resolve host ubuntu
|
||||
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
|
||||
listening on h1-eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
|
||||
09:47:07.191569 IP6 2001:db8:61::1 > ff02::1:ff00:42: ICMP6, neighbor solicitation, who has 2001:db8:61::42, length 32
|
||||
09:47:08.190331 IP6 2001:db8:61::1 > ff02::1:ff00:42: ICMP6, neighbor solicitation, who has 2001:db8:61::42, length 32
|
||||
09:47:09.190279 IP6 2001:db8:61::1 > ff02::1:ff00:42: ICMP6, neighbor solicitation, who has 2001:db8:61::42, length 32
|
||||
***** DONE special rule for ff02::1:ff00:42
|
||||
|
||||
Semi works, replies are there, but host still retries:
|
||||
|
||||
p4@ubuntu:~/master-thesis$ h=1; mx h$h tcpdump -lni h$h-eth0
|
||||
sudo: unable to resolve host ubuntu
|
||||
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
|
||||
listening on h1-eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
|
||||
09:58:04.786979 IP6 2001:db8:61::1 > ff02::1:ff00:42: ICMP6, neighbor solicitation, who has 2001:db8:61::42, length 32
|
||||
09:58:04.793560 IP6 2001:db8:61::42 > 2001:db8:61::1: ICMP6, neighbor advertisement, tgt is 2001:db8:61::42, length 32
|
||||
09:58:05.786311 IP6 2001:db8:61::1 > ff02::1:ff00:42: ICMP6, neighbor solicitation, who has 2001:db8:61::42, length 32
|
||||
09:58:05.790506 IP6 2001:db8:61::42 > 2001:db8:61::1: ICMP6, neighbor advertisement, tgt is 2001:db8:61::42, length 32
|
||||
09:58:06.786254 IP6 2001:db8:61::1 > ff02::1:ff00:42: ICMP6, neighbor solicitation, who has 2001:db8:61::42, length 32
|
||||
09:58:06.792325 IP6 2001:db8:61::42 > 2001:db8:61::1: ICMP6, neighbor advertisement, tgt is 2001:db8:61::42, length 32
|
||||
|
||||
|
||||
Maybe checksums?
|
||||
**** DONE Parse icmp
|
||||
**** DONE Parse icmpv6
|
||||
**** DONE Add (static) egress configuration
|
||||
|
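Review bot: The controller output pasted under "Using test.py, new NDP packets been seen, bur zero icmp on the outgoing side" and under "log" is not wrapped in an example block, and it is damaged in two places: the first log line starts mid-packet with `\x00\x00\x00 :\xff\xfe\x80...` and one entry reads `EBUG:main:INCOMING:` without its leading D. Since the subtree is being moved anyway, wrap the shell and log output in #+BEGIN_EXAMPLE / #+END_EXAMPLE, restore or drop the truncated lines, consider trimming the identical repeated `reassambled=` entries, and fix "bur" to "but" in the heading.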
@ -317,88 +423,7 @@ sudo: unable to resolve host ubuntu
|
|||
fe80::/64 dev h1-eth0 proto kernel metric 256 pref medium
|
||||
default via 2001:db8::42 dev h1-eth0 metric 1024 pref medium
|
||||
p4@ubuntu:~/master-thesis$
|
||||
**** Implement IPv4 side handling
|
||||
***** TODO Make switch answer icmp echo request for
|
||||
***** TODO Add default route for v4 hosts
|
||||
**** DONE Basis to translate ipv6 --> ipv4 with a (freely programmable) prefix; test ping6_switch
|
||||
***** DONE Insert prefix into switch: v6_networks
|
||||
***** DONE Support multiple ipv6 source networks: need new table w/ 2 keys! -> not at the moment
|
||||
***** DONE Write test.py to generate correct destination packets
|
||||
>>> a = ipaddress.ip_network("2001:db8::/32")
|
||||
>>> b = ipaddress.ip_address("10.0.0.1")
|
||||
>>> a[int(b)]
|
||||
IPv6Address('2001:db8::a00:1')
|
||||
***** DONE Using test.py, new NDP packets been seen, bur zero icmp on the outgoing side
|
||||
p4@ubuntu:~/master-thesis/p4app$ python test.py --method v6_static_mapping --debug
|
||||
INFO:main:Trying to reach 10.0.0.1 (64:ff9b::a00:1) from h1
|
||||
sudo: unable to resolve host ubuntu
|
||||
PING 64:ff9b::a00:1(64:ff9b::a00:1) 56 data bytes
|
||||
|
||||
--- 64:ff9b::a00:1 ping statistics ---
|
||||
1 packets transmitted, 0 received, 100% packet loss, time 0ms
|
||||
|
||||
p4@ubuntu:~/master-thesis/p4app$
|
||||
\x00\x00\x00 :\xff\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x00\n\xff\xfe\x00\x00\x01 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x87\x00\x08+\x00\x00\x00\x00 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x01\x01\x00\x00\n\x00\x00\x01' |>>
|
||||
DEBUG:main:cpu = <CpuHeader task=ICMP6_GENERAL ingress_port=1 type=0x86dd |<Raw load='`\x00\x00\x00\x00 :\xff\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x00\n\xff\xfe\x00\x00\x01 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x87\x00\x08+\x00\x00\x00\x00 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x01\x01\x00\x00\n\x00\x00\x01' |>>
|
||||
DEBUG:main:reassambled=<Ether dst=00:00:0a:00:00:42 src=00:00:0a:00:00:01 type=0x86dd |<IPv6 version=6 tc=0 fl=0 plen=32 nh=ICMPv6 hlim=255 src=fe80::200:aff:fe00:1 dst=2001:db8::42 |<ICMPv6ND_NS type=Neighbor Solicitation code=0 cksum=0x82b res=0 tgt=2001:db8::42 |<ICMPv6NDOptSrcLLAddr type=1 len=1 lladdr=00:00:0a:00:00:01 |>>>>
|
||||
DEBUG:main:INCOMING: <Ether dst=00:00:0a:00:00:42 src=00:00:0a:00:00:01 type=0x4242 |<Raw load='\x00\x02\x00\x01\x86\xdd`\x00\x00\x00\x00 :\xff\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x00\n\xff\xfe\x00\x00\x01 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x87\x00\x08+\x00\x00\x00\x00 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x01\x01\x00\x00\n\x00\x00\x01' |>>
|
||||
DEBUG:main:cpu = <CpuHeader task=ICMP6_GENERAL ingress_port=1 type=0x86dd |<Raw load='`\x00\x00\x00\x00 :\xff\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x00\n\xff\xfe\x00\x00\x01 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x87\x00\x08+\x00\x00\x00\x00 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x01\x01\x00\x00\n\x00\x00\x01' |>>
|
||||
DEBUG:main:reassambled=<Ether dst=00:00:0a:00:00:42 src=00:00:0a:00:00:01 type=0x86dd |<IPv6 version=6 tc=0 fl=0 plen=32 nh=ICMPv6 hlim=255 src=fe80::200:aff:fe00:1 dst=2001:db8::42 |<ICMPv6ND_NS type=Neighbor Solicitation code=0 cksum=0x82b res=0 tgt=2001:db8::42 |<ICMPv6NDOptSrcLLAddr type=1 len=1 lladdr=00:00:0a:00:00:01 |>>>>
|
||||
DEBUG:main:INCOMING: <Ether dst=00:00:0a:00:00:42 src=00:00:0a:00:00:01 type=0x4242 |<Raw load='\x00\x02\x00\x01\x86\xdd`\x00\x00\x00\x00 :\xff\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x00\n\xff\xfe\x00\x00\x01 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x87\x00\x08+\x00\x00\x00\x00 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x01\x01\x00\x00\n\x00\x00\x01' |>>
|
||||
DEBUG:main:cpu = <CpuHeader task=ICMP6_GENERAL ingress_port=1 type=0x86dd |<Raw load='`\x00\x00\x00\x00 :\xff\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x00\n\xff\xfe\x00\x00\x01 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x87\x00\x08+\x00\x00\x00\x00 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x01\x01\x00\x00\n\x00\x00\x01' |>>
|
||||
DEBUG:main:reassambled=<Ether dst=00:00:0a:00:00:42 src=00:00:0a:00:00:01 type=0x86dd |<IPv6 version=6 tc=0 fl=0 plen=32 nh=ICMPv6 hlim=255 src=fe80::200:aff:fe00:1 dst=2001:db8::42 |<ICMPv6ND_NS type=Neighbor Solicitation code=0 cksum=0x82b res=0 tgt=2001:db8::42 |<ICMPv6NDOptSrcLLAddr type=1 len=1 lladdr=00:00:0a:00:00:01 |>>>>
|
||||
|
||||
***** DONE Debug why neighbor discover does not work anymore
|
||||
****** log
|
||||
p4@ubuntu:~$ mx h1 tcpdump -lni any
|
||||
sudo: unable to resolve host ubuntu
|
||||
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
|
||||
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
|
||||
|
||||
19:57:53.258805 IP6 fe80::200:aff:fe00:1 > ff02::1:ff00:42: ICMP6, neighbor solicitation, who has 2001:db8::42, length 32
|
||||
19:57:54.256924 IP6 2001:db8::1 > 2001:db8::1: ICMP6, destination unreachable, unreachable address 64:ff9b::a00:1, length 112
|
||||
|
||||
EBUG:main:INCOMING: <Ether dst=33:33:ff:00:00:42 src=00:00:0a:00:00:01 type=0x4242 |<Raw load='\x00\x01\x00\x01\x86\xdd`\x00\x00\x00\x00 :\xff\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x00\n\xff\xfe\x00\x00\x01\xff\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xff\x00\x00B\x87\x007\xdf\x00\x00\x00\x00 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x01\x01\x00\x00\n\x00\x00\x01' |>>
|
||||
DEBUG:main:cpu = <CpuHeader task=ICMP6_NS ingress_port=1 type=0x86dd |<Raw load='`\x00\x00\x00\x00 :\xff\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x00\n\xff\xfe\x00\x00\x01\xff\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xff\x00\x00B\x87\x007\xdf\x00\x00\x00\x00 \x01\r\xb8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B\x01\x01\x00\x00\n\x00\x00\x01' |>>
|
||||
DEBUG:main:reassambled=<Ether dst=33:33:ff:00:00:42 src=00:00:0a:00:00:01 type=0x86dd |<IPv6 version=6 tc=0 fl=0 plen=32 nh=ICMPv6 hlim=255 src=fe80::200:aff:fe00:1 dst=ff02::1:ff00:42 |<ICMPv6ND_NS type=Neighbor Solicitation code=0 cksum=0x37df res=0 tgt=2001:db8::42 |<ICMPv6NDOptSrcLLAddr type=1 len=1 lladdr=00:00:0a:00:00:01 |>>>>
|
||||
INFO:main:Doing neighbor solicitation
|
||||
DEBUG:main:OUTGOING: <Ether dst=00:00:0a:00:00:01 src=00:00:0a:00:00:42 type=0x86dd |<IPv6 nh=ICMPv6 hlim=255 src=2001:db8::42 dst=fe80::200:aff:fe00:1 |<ICMPv6ND_NA cksum=None R=0 S=1 tgt=2001:db8::42 |<ICMPv6NDOptDstLLAddr lladdr=00:00:0a:00:00:42 |>>>>
|
||||
DEBUG:main:INCOMING: <Ether dst=00:00:0a:00:00:01
|
||||
src=00:00:0a:00:00:42 type=0x86dd |<IPv6 version=6 tc=0 fl=0 plen=32
|
||||
nh=ICMPv6 hlim=255 src=2001:db8::42
|
||||
dst=fe80::200:aff:fe00:1 |<ICMPv6ND_NA type=Neighbor Advertisement
|
||||
code=0 cksum=0xa5e9 R=0 S=1 O=1 res=0x0
|
||||
tgt=2001:db8::42 |<ICMPv6NDOptDstLLAddr type=2 len=1
|
||||
lladdr=00:00:0a:00:00:42 |>>>>
|
||||
|
||||
|
||||
After removing noise:
|
||||
|
||||
DEBUG:main:reassambled=<Ether dst=33:33:ff:00:00:42 src=00:00:0a:00:00:01 type=0x86dd |<IPv6 version=6 tc=0 fl=0 plen=32 nh=ICMPv6 hlim=255 src=fe80::200:aff:fe00:1 dst=ff02::1:ff00:42 |<ICMPv6ND_NS type=Neighbor Solicitation code=0 cksum=0x37df res=0 tgt=2001:db8::42 |<ICMPv6NDOptSrcLLAddr type=1 len=1 lladdr=00:00:0a:00:00:01 |>>>>
|
||||
DEBUG:main:reassambled=<Ether dst=33:33:ff:00:00:42 src=00:00:0a:00:00:01 type=0x86dd |<IPv6 version=6 tc=0 fl=0 plen=32 nh=ICMPv6 hlim=255 src=fe80::200:aff:fe00:1 dst=ff02::1:ff00:42 |<ICMPv6ND_NS type=Neighbor Solicitation code=0 cksum=0x37df res=0 tgt=2001:db8::42 |<ICMPv6NDOptSrcLLAddr type=1 len=1 lladdr=00:00:0a:00:00:01 |>>>>
|
||||
DEBUG:main:reassambled=<Ether dst=33:33:ff:00:00:42 src=00:00:0a:00:00:01 type=0x86dd |<IPv6 version=6 tc=0 fl=0 plen=32 nh=ICMPv6 hlim=255 src=2001:db8::1 dst=ff02::1:ff00:42 |<ICMPv6ND_NS type=Neighbor Solicitation code=0 cksum=0x13a7 res=0 tgt=2001:db8::42 |<ICMPv6NDOptSrcLLAddr type=1 len=1 lladdr=00:00:0a:00:00:01 |>>>>
|
||||
DEBUG:main:reassambled=<Ether dst=33:33:ff:00:00:42 src=00:00:0a:00:00:01 type=0x86dd |<IPv6 version=6 tc=0 fl=0 plen=32 nh=ICMPv6 hlim=255 src=2001:db8::1 dst=ff02::1:ff00:42 |<ICMPv6ND_NS type=Neighbor Solicitation code=0 cksum=0x13a7 res=0 tgt=2001:db8::42 |<ICMPv6NDOptSrcLLAddr type=1 len=1 lladdr=00:00:0a:00:00:01 |>>>>
|
||||
DEBUG:main:reassambled=<Ether dst=33:33:ff:00:00:42 src=00:00:0a:00:00:01 type=0x86dd |<IPv6 version=6 tc=0 fl=0 plen=32 nh=ICMPv6 hlim=255 src=2001:db8::1 dst=ff02::1:ff00:42 |<ICMPv6ND_NS type=Neighbor Solicitation code=0 cksum=0x13a7 res=0 tgt=2001:db8::42 |<ICMPv6NDOptSrcLLAddr type=1 len=1 lladdr=00:00:0a:00:00:01 |>>>>
|
||||
|
||||
****** Do we have routing for fe80::/10? Probably not. Shouldn't we see it in the controller then?
|
||||
****** NDP is controller only!
|
||||
***** DONE Finish NDP in switch
|
||||
****** DONE Need to set R/S/O bits
|
||||
****** DONE Need to parse R/S/O bits
|
||||
***** DONE Maybe merge v6_address and v6_networks - /128 is the same
|
||||
***** DONE Implement address learning? -> not at the moment
|
||||
***** DONE Not sure whether we should react on router solicitation -> not at the moment
|
||||
- Using static routes -> should do the job
|
||||
***** DONE Implement the calculation
|
||||
Currently offset + ip address
|
||||
***** DONE Sketch the flow for session handling for icmp6 w/o packet loss
|
||||
- switch receives icmp6 packet for known prefix
|
||||
- controller needs to create session entry (?)
|
||||
|
||||
Not sure what I meant to do here - closing.
|
||||
***** DONE Create table entry for mapping v4->v6 [net]
|
||||
***** DONE Create table entry for mapping v6->v4 [net]
|
||||
**** TODO Translate icmp <-> icmp6: test v6_static_mapping
|
||||
**** TODO ping6ing an emulated ipv6 host / Translate icmp <-> icmp6: test v6_static_mapping
|
||||
***** DONE try1: only packets on h1 + controller -> wrong checksum 2019-03-25
|
||||
+ filename=static_nat64-2019-03-25-1121-h1.pcap
|
||||
+ intf=h1-eth0
|
||||
|
@ -422,7 +447,7 @@ that the checksum code DOES NOT work on the task field!
|
|||
Problem: task field might be overriden for controller use in different
|
||||
table -> need different task field!
|
||||
|
||||
***** try2: checksum ok, but no packets on h3
|
||||
***** TODO try2: checksum ok, but no packets on h3
|
||||
****** DONE Setup a default rule for the IPv4 world to debug on controller
|
||||
Still not seeing the converted packet, however seeing icmp6_ns packets
|
||||
which should not be there:
|
||||
|
@ -441,7 +466,9 @@ DEBUG:main:v6 reassambled=<Ether dst=00:00:0a:00:00:42 src=00:00:0a:00:00:01 ty
|
|||
|
||||
debugging MIGHT come from nat64 table!
|
||||
|
||||
|
||||
**** DONE Add table name support in debug messages
|
||||
**** TODO Make switch answer IPv4 icmp echo request for
|
||||
**** TODO Add / check default route for v4 hosts
|
||||
*** TODO Get p4 VM / vagrant running
|
||||
**** DONE install libvirtd-daemon
|
||||
**** DONE install ebtables
|
||||
|
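Review bot: The heading `**** TODO Make switch answer IPv4 icmp echo request for` ends at "for" without naming the address or host the switch should answer for, so the task cannot be picked up from the plan alone. Complete the heading with the intended target before it gets carried along in further moves.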
@ -1372,104 +1399,77 @@ used only in one network.
|
|||
**** Scapy / IPv6: https://www.idsv6.de/Downloads/IPv6PacketCreationWithScapy.pdf
|
||||
**** V1 model: https://github.com/p4lang/p4c/blob/master/p4include/v1model.p4
|
||||
**** Cisco NAT64 https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book/iadnat-stateful-nat64.pdf
|
||||
* Proposal / task description
|
||||
** Task description for mystudies
|
||||
*** High speed NAT64 with P4
|
||||
Currently there are two main open source NAT64 solution available:
|
||||
tayga and jool. The former is a single threaded, cpu bound user
|
||||
space solution, the latter a custom Linux kernel module.
|
||||
** DONE Admin
|
||||
*** DONE Clarify PDF / form with Denise Spicher: free form description
|
||||
*** DONE Create task description to be handed in mystudies
|
||||
*** DONE Create list of tasks / initial brainstorming
|
||||
*** DONE Get OK from Ueli Maurer that thesis is valid in Information Security Area
|
||||
*** DONE Find out how-when-whom-where to meet / define schedule
|
||||
*** DONE Latex and/or org-mode for the thesis? org for starting
|
||||
*** DONE Add initial milestones
|
||||
**** 180d plan
|
||||
**** 25w
|
||||
*** DONE Proposal / task description
|
||||
**** Task description for mystudies
|
||||
***** High speed NAT64 with P4
|
||||
Currently there are two main open source NAT64 solution available:
|
||||
tayga and jool. The former is a single threaded, cpu bound user
|
||||
space solution, the latter a custom Linux kernel module.
|
||||
|
||||
This thesis challenges this status quo by developing a P4 based
|
||||
solution supporting all features of jool/tayga and comparing the
|
||||
performance, security and adaptivity of the solutions.
|
||||
This thesis challenges this status quo by developing a P4 based
|
||||
solution supporting all features of jool/tayga and comparing the
|
||||
performance, security and adaptivity of the solutions.
|
||||
|
||||
- Milestone 1: Stateless NAT64/NAT46 translations in P4
|
||||
- Milestone 2: Stateful (dynamic) NAT64/NAT46 translations
|
||||
- Milestone 3: Hardware adaption
|
||||
** Original ideas
|
||||
Proposal 1: Automating NAT64 with P4
|
||||
- Milestone 1: Stateless NAT64/NAT46 translations in P4
|
||||
- Milestone 2: Stateful (dynamic) NAT64/NAT46 translations
|
||||
- Milestone 3: Hardware adaption
|
||||
**** Original ideas
|
||||
Proposal 1: Automating NAT64 with P4
|
||||
|
||||
In IPv6 only data centers IPv4 connectivity is still a business
|
||||
requirement. Current state of the art methods include layer 7 proxying
|
||||
or static assignments. both featuring static assignments.
|
||||
In IPv6 only data centers IPv4 connectivity is still a business
|
||||
requirement. Current state of the art methods include layer 7 proxying
|
||||
or static assignments. both featuring static assignments.
|
||||
|
||||
A flexible, dynamic assignment of IPv4 addresses to IPv6 hosts, similar
|
||||
to lease times in DHCPv4 and prefix delegations in DHCPv6 could reduce
|
||||
the pressure on IPv4 addresses.
|
||||
A flexible, dynamic assignment of IPv4 addresses to IPv6 hosts, similar
|
||||
to lease times in DHCPv4 and prefix delegations in DHCPv6 could reduce
|
||||
the pressure on IPv4 addresses.
|
||||
|
||||
I would suggest the develop of a new protocol (likely UDP embedded) that
|
||||
allows hosts to request on-network support for IPv4 addresses. As IPv4
|
||||
addresses have to be treated as "expensive", an accounting metric has to
|
||||
be introduced. While in the business world this is usually related to
|
||||
money, in the network world IPv4 users could be paying the network by
|
||||
(reduced) bandwidth.
|
||||
I would suggest the develop of a new protocol (likely UDP embedded) that
|
||||
allows hosts to request on-network support for IPv4 addresses. As IPv4
|
||||
addresses have to be treated as "expensive", an accounting metric has to
|
||||
be introduced. While in the business world this is usually related to
|
||||
money, in the network world IPv4 users could be paying the network by
|
||||
(reduced) bandwidth.
|
||||
|
||||
If such a metric existed, devices attached to the network could also try
|
||||
to negotiate and wait for using IPv4, when the price / penality for IPv4
|
||||
is low (this might be very suitable for mail exchangers for instance).
|
||||
If such a metric existed, devices attached to the network could also try
|
||||
to negotiate and wait for using IPv4, when the price / penality for IPv4
|
||||
is low (this might be very suitable for mail exchangers for instance).
|
||||
|
||||
|
||||
Proposal 2: High speed NAT64 with P4
|
||||
Proposal 2: High speed NAT64 with P4
|
||||
|
||||
Currently there are two main open source NAT64 solution available:
|
||||
tayga[0] and jool[1]. The former is a single threaded, cpu bound user
|
||||
space solution, the latter a custom Linux kernel module.
|
||||
Currently there are two main open source NAT64 solution available:
|
||||
tayga[0] and jool[1]. The former is a single threaded, cpu bound user
|
||||
space solution, the latter a custom Linux kernel module.
|
||||
|
||||
I would like to challenge this status quo and develop a P4 based
|
||||
solution supporting all features of jool/tayga and comparing the
|
||||
performance and adaptivity of the solutions.
|
||||
I would like to challenge this status quo and develop a P4 based
|
||||
solution supporting all features of jool/tayga and comparing the
|
||||
performance and adaptivity of the solutions.
|
||||
|
||||
[0] http://www.litech.org/tayga/
|
||||
[1] https://www.jool.mx/en/index.html
|
||||
[0] http://www.litech.org/tayga/
|
||||
[1] https://www.jool.mx/en/index.html
|
||||
|
||||
|
||||
Proposal 3: Challenging the status quo with IPv10
|
||||
Proposal 3: Challenging the status quo with IPv10
|
||||
|
||||
The de facto standard in networking is to treat IPv4
|
||||
and IPv6 as "impossible to combine". This proposal is
|
||||
to challenge this notion with three different methods:
|
||||
The de facto standard in networking is to treat IPv4
|
||||
and IPv6 as "impossible to combine". This proposal is
|
||||
to challenge this notion with three different methods:
|
||||
|
||||
- Extensions to IPv4 to request remote IPv6 transport
|
||||
- Extensions to IPv6 to request remote IPv4 transport
|
||||
- Support in network equipment to handle the extensions
|
||||
- Extensions to IPv4 to request remote IPv6 transport
|
||||
- Extensions to IPv6 to request remote IPv4 transport
|
||||
- Support in network equipment to handle the extensions
|
||||
|
||||
As the IPv4 header does not allow embedding IPv6 addresses due to size
|
||||
limitations, embedding the destination address in a secondary header
|
||||
might be necessary (possibly encapsulated in UDP).
|
||||
* Detail LOG
|
||||
** 2019-02-28
|
||||
*** pinging in router mode: nothing shown in the controller, multicast forwarded -> "ok"
|
||||
|
||||
root@ubuntu:~/master-thesis/p4app# ping6 -c1 2001:db8:61::42
|
||||
PING 2001:db8:61::42(2001:db8:61::42) 56 data bytes
|
||||
From 2001:db8:61::1 icmp_seq=1 Destination unreachable: Address unreachable
|
||||
|
||||
--- 2001:db8:61::42 ping statistics ---
|
||||
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms
|
||||
|
||||
root@ubuntu:~/master-thesis/p4app#
|
||||
|
||||
|
||||
sudo: unable to resolve host ubuntu
|
||||
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
|
||||
listening on h1-eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
|
||||
09:47:07.191569 IP6 2001:db8:61::1 > ff02::1:ff00:42: ICMP6, neighbor solicitation, who has 2001:db8:61::42, length 32
|
||||
09:47:08.190331 IP6 2001:db8:61::1 > ff02::1:ff00:42: ICMP6, neighbor solicitation, who has 2001:db8:61::42, length 32
|
||||
09:47:09.190279 IP6 2001:db8:61::1 > ff02::1:ff00:42: ICMP6, neighbor solicitation, who has 2001:db8:61::42, length 32
|
||||
*** TODO special rule for ff02::1:ff00:42
|
||||
|
||||
Semi works, replies are there, but host still retries:
|
||||
|
||||
p4@ubuntu:~/master-thesis$ h=1; mx h$h tcpdump -lni h$h-eth0
|
||||
sudo: unable to resolve host ubuntu
|
||||
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
|
||||
listening on h1-eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
|
||||
09:58:04.786979 IP6 2001:db8:61::1 > ff02::1:ff00:42: ICMP6, neighbor solicitation, who has 2001:db8:61::42, length 32
|
||||
09:58:04.793560 IP6 2001:db8:61::42 > 2001:db8:61::1: ICMP6, neighbor advertisement, tgt is 2001:db8:61::42, length 32
|
||||
09:58:05.786311 IP6 2001:db8:61::1 > ff02::1:ff00:42: ICMP6, neighbor solicitation, who has 2001:db8:61::42, length 32
|
||||
09:58:05.790506 IP6 2001:db8:61::42 > 2001:db8:61::1: ICMP6, neighbor advertisement, tgt is 2001:db8:61::42, length 32
|
||||
09:58:06.786254 IP6 2001:db8:61::1 > ff02::1:ff00:42: ICMP6, neighbor solicitation, who has 2001:db8:61::42, length 32
|
||||
09:58:06.792325 IP6 2001:db8:61::42 > 2001:db8:61::1: ICMP6, neighbor advertisement, tgt is 2001:db8:61::42, length 32
|
||||
|
||||
|
||||
Maybe checksums?
|
||||
As the IPv4 header does not allow embedding IPv6 addresses due to size
|
||||
limitations, embedding the destination address in a secondary header
|
||||
might be necessary (possibly encapsulated in UDP).
|
||||
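Review bot: In the re-indented "Original ideas" text, Proposal 1 still reads "or static assignments. both featuring static assignments.", a fragment that repeats the clause before it, and the same block carries "I would suggest the develop of", "penality" and "two main open source NAT64 solution available". These lines are rewritten by the re-indent anyway, so either fix the wording in the same change or keep this a pure move and say so in the commit message, which currently mentions only the controller startup.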
|
|
|
@ -491,7 +491,10 @@ if __name__ == "__main__":
|
|||
import sys
|
||||
import os
|
||||
|
||||
sw_name = "s1"
|
||||
controller = L2Controller(sw_name)
|
||||
controller.commandline()
|
||||
|
||||
if controller.args.debug:
|
||||
log.setLevel(logging.DEBUG)
|
||||
elif controller.args.verbose:
|
||||
|
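Review bot: With `controller = L2Controller(sw_name)` and `controller.commandline()` now ahead of the `log.setLevel(...)` block, anything the constructor or `commandline()` logs runs before the level selected by `controller.args.debug` / `controller.args.verbose` is applied, so that phase is not covered by debug output. Because `commandline()` is a method on the already constructed controller, `sw_name = "s1"` also has to stay hard-coded and cannot come from the arguments. Consider parsing the arguments in a standalone function first, setting the log level, and only then constructing the controller with values taken from the parsed arguments.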
@ -502,9 +505,6 @@ if __name__ == "__main__":
|
|||
log.info("Booting...")
|
||||
log.debug("Debug enabled.")
|
||||
|
||||
sw_name = "s1"
|
||||
controller = L2Controller(sw_name)
|
||||
|
||||
|
||||
controller.config()
|
||||
controller.run_cpu_port_loop()
|
||||
|
|