diff --git a/doc/plan.org b/doc/plan.org index 20b5d2e..107ee51 100644 --- a/doc/plan.org +++ b/doc/plan.org @@ -199,18 +199,46 @@ | | | | | | Status: | | | | - Minimal ARP working (for the switch address) | | +| | | | | | - echo ping/request icmp<->icmp6 working | | -| | - udp_v4<->udp_v6 working | | +| | - udp_v6->udp_v4 working | | +| | - tcp_v6->tcp_v4 working | | +| | - udp_v4->udp_v6 working | | +| | - tcp_v4->udp_v6 working | | +| | | | | | | | | | Next steps: | | +| | - Hardware | | +| | - icmp++ | | +| | - pmtu | | +| | - sessions main step | | +| | | | +| | Notes: | | +| | - broadcast link only | | +| | - About 2w delivery time | | +| | - Get in touch with Tobias | | +| | - Scalability analysis -> how many connections/connections/s | | +| | - Forwarding information in tables | | +| | - Hendrik: semester thesis / NetPFGA | | +| | - Tobias: advising Hendrik / Netpfga | | +| | | | +| | | | +| 2019-04-18 | PLAN: NAT64 1:1 table TCP/UDP working | x | +| | | | +| 2019-04-23 | | | +| | Meet Laurent | | +| | | | +| | Review docs / specs | | +| | - Jool EAMT/SIIT | | +| | - IPv4 embedding | | +| | * RFC6052 suffix support | | +| | * RFC4291 IPv4-Compatible IPv6 Address (16 0s) | | +| | * RFC4291 IPv4-Mapped IPv6 Address (16 1s) | | | | | | | | | | | | | | -| 2019-04-18 | PLAN: NAT64 1:1 table TCP/UDP working | | | | | | -| | | | -| | | | -| 2019-05-02 | Jool SIIT / range / offset support https://www.jool.mx/en/run-vanilla.html | | +| 2019-05-02 | Jool SIIT / range / offset support https://www.jool.mx/en/run-vanilla.html | x | | | Jool EAMT support https://www.jool.mx/en/run-eam.html | | | | Bidirectional support | | | | Will need IPv6 embedding suport https://tools.ietf.org/html/rfc6052 | | 
@@ -227,6 +255,11 @@ | 2018-06-27 | | | | | Target Hardware: code running | | | | | | +| 2019-07-11 | | | +| | Integrated org-documentation into latex / export working | | +| | https://bastibe.de/2014-09-23-org-cite.html | | +| | http://viveks.info/org-mode-academic-writing-bibliographies-org-ref/ | | +| | https://github.com/jkitchin/org-ref | | | | | | | | | | | 2019-07-25 | Benmarking results between P4, Jool, Tayga | | 
@@ -234,26 +267,25 @@ | | | | | | | | | | | | -| | | | | 2019-08-01 | Latest start writing documentation | | | 2019-08-21 | hand in thesis | | -* Topics / Tasks -** Thesis implementation -*** DONE Setup test VM for P4: 2a0a:e5c0:2:12:400:f0ff:fea9:c3e3 -*** DONE Get feature list of jool -*** DONE Get feature list of tayga -*** DONE Setup P4 base / structure -*** DONE Create minimal controller for populating tables -*** DONE Checkout / review egress settings -*** DONE Create Basis to translate ipv6 --> ipv4 with a (freely programmable) prefix; test ping6_switch -**** DONE Insert prefix into switch: v6_networks -**** DONE Support multiple ipv6 source networks: need new table w/ 2 keys! -> not at the moment -**** DONE Write test.py to generate correct destination packets +| | | | +* Thesis implementation +** DONE Setup test VM for P4: 2a0a:e5c0:2:12:400:f0ff:fea9:c3e3 +** DONE Get feature list of jool +** DONE Get feature list of tayga +** DONE Setup P4 base / structure +** DONE Create minimal controller for populating tables +** DONE Checkout / review egress settings +** DONE Create Basis to translate ipv6 --> ipv4 with a (freely programmable) prefix; test ping6_switch +*** DONE Insert prefix into switch: v6_networks +*** DONE Support multiple ipv6 source networks: need new table w/ 2 keys! -> not at the moment +*** DONE Write test.py to generate correct destination packets >>> a = ipaddress.ip_network("2001:db8::/32") >>> b = ipaddress.ip_address("10.0.0.1") >>> a[int(b)] IPv6Address('2001:db8::a00:1') -**** DONE Using test.py, new NDP packets been seen, bur zero icmp on the outgoing side +*** DONE Using test.py, new NDP packets been seen, bur zero icmp on the outgoing side p4@ubuntu:~/master-thesis/p4app$ python test.py --method v6_static_mapping --debug INFO:main:Trying to reach 10.0.0.1 (64:ff9b::a00:1) from h1 sudo: unable to resolve host ubuntu 
@@ -273,8 +305,8 @@ DEBUG:main:INCOMING: > DEBUG:main:reassambled=>>> -**** DONE Debug why neighbor discover does not work anymore -***** log +*** DONE Debug why neighbor discover does not work anymore +**** log p4@ubuntu:~$ mx h1 tcpdump -lni any sudo: unable to resolve host ubuntu tcpdump: verbose output suppressed, use -v or -vv for full protocol decode 
@@ -305,74 +337,74 @@ DEBUG:main:reassambled=>>> DEBUG:main:reassambled=>>> -***** Do we have routing for fe80::/10? Probably not. Shouldn't we see it in the controller then? -***** NDP is controller only! -**** DONE Finish NDP in switch -***** DONE Need to set R/S/O bits -***** DONE Need to parse R/S/O bits -**** DONE Maybe merge v6_address and v6_networks - /128 is the same -**** DONE Implement address learning? -> not at the moment -**** DONE Not sure whether we should react on router solicitation -> not at the moment - - Using static routes -> should do the job -**** DONE Implement the calculation +**** Do we have routing for fe80::/10? Probably not. Shouldn't we see it in the controller then? +**** NDP is controller only! +*** DONE Finish NDP in switch +**** DONE Need to set R/S/O bits +**** DONE Need to parse R/S/O bits +*** DONE Maybe merge v6_address and v6_networks - /128 is the same +*** DONE Implement address learning? -> not at the moment +*** DONE Not sure whether we should react on router solicitation -> not at the moment + - Using static routes -> should do the job +*** DONE Implement the calculation Currently offset + ip address -**** DONE Sketch the flow for session handling for icmp6 w/o packet loss +*** DONE Sketch the flow for session handling for icmp6 w/o packet loss - switch receives icmp6 packet for known prefix - controller needs to create session entry (?) Not sure what I meant to do here - closing. 
-**** DONE Create table entry for mapping v4->v6 [net] -**** DONE Create table entry for mapping v6->v4 [net] -*** DONE Implement ICMP <-> ICMP6 translation -**** DONE 2019-02-28 / icmp testing / first NDP steps -***** DONE pinging in router mode: nothing shown in the controller, multicast forwarded -> "ok" +*** DONE Create table entry for mapping v4->v6 [net] +*** DONE Create table entry for mapping v6->v4 [net] +** DONE Implement ICMP <-> ICMP6 translation +*** DONE 2019-02-28 / icmp testing / first NDP steps +**** DONE pinging in router mode: nothing shown in the controller, multicast forwarded -> "ok" - root@ubuntu:~/master-thesis/p4app# ping6 -c1 2001:db8:61::42 - PING 2001:db8:61::42(2001:db8:61::42) 56 data bytes - From 2001:db8:61::1 icmp_seq=1 Destination unreachable: Address unreachable + root@ubuntu:~/master-thesis/p4app# ping6 -c1 2001:db8:61::42 + PING 2001:db8:61::42(2001:db8:61::42) 56 data bytes + From 2001:db8:61::1 icmp_seq=1 Destination unreachable: Address unreachable - --- 2001:db8:61::42 ping statistics --- - 1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms + --- 2001:db8:61::42 ping statistics --- + 1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms - root@ubuntu:~/master-thesis/p4app# + root@ubuntu:~/master-thesis/p4app# - sudo: unable to resolve host ubuntu - tcpdump: verbose output suppressed, use -v or -vv for full protocol decode - listening on h1-eth0, link-type EN10MB (Ethernet), capture size 262144 bytes - 09:47:07.191569 IP6 2001:db8:61::1 > ff02::1:ff00:42: ICMP6, neighbor solicitation, who has 2001:db8:61::42, length 32 - 09:47:08.190331 IP6 2001:db8:61::1 > ff02::1:ff00:42: ICMP6, neighbor solicitation, who has 2001:db8:61::42, length 32 - 09:47:09.190279 IP6 2001:db8:61::1 > ff02::1:ff00:42: ICMP6, neighbor solicitation, who has 2001:db8:61::42, length 32 -***** DONE special rule for ff02::1:ff00:42 + sudo: unable to resolve host ubuntu + tcpdump: verbose output suppressed, use -v or 
-vv for full protocol decode + listening on h1-eth0, link-type EN10MB (Ethernet), capture size 262144 bytes + 09:47:07.191569 IP6 2001:db8:61::1 > ff02::1:ff00:42: ICMP6, neighbor solicitation, who has 2001:db8:61::42, length 32 + 09:47:08.190331 IP6 2001:db8:61::1 > ff02::1:ff00:42: ICMP6, neighbor solicitation, who has 2001:db8:61::42, length 32 + 09:47:09.190279 IP6 2001:db8:61::1 > ff02::1:ff00:42: ICMP6, neighbor solicitation, who has 2001:db8:61::42, length 32 +**** DONE special rule for ff02::1:ff00:42 - Semi works, replies are there, but host still retries: + Semi works, replies are there, but host still retries: - p4@ubuntu:~/master-thesis$ h=1; mx h$h tcpdump -lni h$h-eth0 - sudo: unable to resolve host ubuntu - tcpdump: verbose output suppressed, use -v or -vv for full protocol decode - listening on h1-eth0, link-type EN10MB (Ethernet), capture size 262144 bytes - 09:58:04.786979 IP6 2001:db8:61::1 > ff02::1:ff00:42: ICMP6, neighbor solicitation, who has 2001:db8:61::42, length 32 - 09:58:04.793560 IP6 2001:db8:61::42 > 2001:db8:61::1: ICMP6, neighbor advertisement, tgt is 2001:db8:61::42, length 32 - 09:58:05.786311 IP6 2001:db8:61::1 > ff02::1:ff00:42: ICMP6, neighbor solicitation, who has 2001:db8:61::42, length 32 - 09:58:05.790506 IP6 2001:db8:61::42 > 2001:db8:61::1: ICMP6, neighbor advertisement, tgt is 2001:db8:61::42, length 32 - 09:58:06.786254 IP6 2001:db8:61::1 > ff02::1:ff00:42: ICMP6, neighbor solicitation, who has 2001:db8:61::42, length 32 - 09:58:06.792325 IP6 2001:db8:61::42 > 2001:db8:61::1: ICMP6, neighbor advertisement, tgt is 2001:db8:61::42, length 32 + p4@ubuntu:~/master-thesis$ h=1; mx h$h tcpdump -lni h$h-eth0 + sudo: unable to resolve host ubuntu + tcpdump: verbose output suppressed, use -v or -vv for full protocol decode + listening on h1-eth0, link-type EN10MB (Ethernet), capture size 262144 bytes + 09:58:04.786979 IP6 2001:db8:61::1 > ff02::1:ff00:42: ICMP6, neighbor solicitation, who has 2001:db8:61::42, length 32 + 
09:58:04.793560 IP6 2001:db8:61::42 > 2001:db8:61::1: ICMP6, neighbor advertisement, tgt is 2001:db8:61::42, length 32 + 09:58:05.786311 IP6 2001:db8:61::1 > ff02::1:ff00:42: ICMP6, neighbor solicitation, who has 2001:db8:61::42, length 32 + 09:58:05.790506 IP6 2001:db8:61::42 > 2001:db8:61::1: ICMP6, neighbor advertisement, tgt is 2001:db8:61::42, length 32 + 09:58:06.786254 IP6 2001:db8:61::1 > ff02::1:ff00:42: ICMP6, neighbor solicitation, who has 2001:db8:61::42, length 32 + 09:58:06.792325 IP6 2001:db8:61::42 > 2001:db8:61::1: ICMP6, neighbor advertisement, tgt is 2001:db8:61::42, length 32 - Maybe checksums? -**** DONE Parse icmp -**** DONE Parse icmpv6 -**** DONE Add (static) egress configuration -**** DONE Calculate ICMP6 checksums in controller -***** Need to include the payload!?!! -**** DONE Implement minimal neighbor discovery in controller -***** DONE For the switch -****** DONE Register IPv6 address in table -****** DONE Parse ICMPv6 up to neighbor solicitation -> no: checksum problem -****** DONE Use NDP (Neighbor Solicitation (NDP) , Neighbor Advertisement (NDP)) -> no: controller -****** Approach 2: use cpu header, forward information to controller -****** DONE Fix the ip address match/mapping: 42 -> 2a -> use hex originally -****** DONE Find out why wrong type is used -> overlapping with NDP + Maybe checksums? +*** DONE Parse icmp +*** DONE Parse icmpv6 +*** DONE Add (static) egress configuration +*** DONE Calculate ICMP6 checksums in controller +**** Need to include the payload!?!! 
+*** DONE Implement minimal neighbor discovery in controller +**** DONE For the switch +***** DONE Register IPv6 address in table +***** DONE Parse ICMPv6 up to neighbor solicitation -> no: checksum problem +***** DONE Use NDP (Neighbor Solicitation (NDP) , Neighbor Advertisement (NDP)) -> no: controller +***** Approach 2: use cpu header, forward information to controller +***** DONE Fix the ip address match/mapping: 42 -> 2a -> use hex originally +***** DONE Find out why wrong type is used -> overlapping with NDP DEBUG:main:INCOMING: > p=> DEBUG:main:cpu = > @@ -388,7 +420,7 @@ p=> DEBUG:main:o=>>> DEBUG:main:Debug purpose only -****** Disable debug by default -> gives correct packets +***** Disable debug by default -> gives correct packets DEBUG:main:INCOMING: > DEBUG:main:cpu = 
> @@ -403,22 +435,22 @@ DEBUG:main:cpu = >>> DEBUG:main:Doing neighbor solicitation -***** DONE For other nodes -> multicast -***** TODO Maybe implement link local addresses (missing at the moment) -****** ff02::/?? -****** rfc4861 +**** DONE For other nodes -> multicast +**** TODO Maybe implement link local addresses (missing at the moment) +***** ff02::/?? +***** rfc4861 "Neighbor Solicitation messages are multicast to the solicited-node multicast address of the target address." -****** DONE multicasting / groups -******* create a group ("node") that contains "all other" ports -******* create a multicast group with an ID -******* associate the "node" with the multicast group ID -***** If destination is within ff02::1:ff00:0/104, multicast +***** DONE multicasting / groups +****** create a group ("node") that contains "all other" ports +****** create a multicast group with an ID +****** associate the "node" with the multicast group ID +**** If destination is within ff02::1:ff00:0/104, multicast -**** DONE Make switch answer icmp6 echo request for -**** DONE Introduce mixed mode: switch: icmp6 echo reply, controller: NDP -***** DONE try 1: reply seen, but checksum is incorrect -***** DONE try 2: analysing tagya checksumming code +*** DONE Make switch answer icmp6 echo request for +*** DONE Introduce mixed mode: switch: icmp6 echo reply, controller: NDP +**** DONE try 1: reply seen, but checksum is incorrect +**** DONE try 2: analysing tagya checksumming code static uint16_t ip6_checksum(struct ip6 *ip6, uint32_t data_len, uint8_t proto) { uint32_t sum = 0; 
@@ -478,15 +510,15 @@ static int xlate_payload_4to6(struct pkt *p, struct ip6 *ip6) p->icmp->cksum = ones_add(cksum, ~(129 - 0)); } return 0; -**** DONE Add default route for v6 hosts +*** DONE Add default route for v6 hosts p4@ubuntu:~/master-thesis$ mx h1 ip -6 r sudo: unable to resolve host ubuntu 2001:db8::/64 dev h1-eth0 proto kernel metric 256 pref medium fe80::/64 dev h1-eth0 proto kernel metric 256 pref medium default via 2001:db8::42 dev h1-eth0 metric 1024 pref medium p4@ubuntu:~/master-thesis$ -**** DONE TEST ping6ing an emulated ipv6 host / Translate icmp <-> icmp6: test v6_static_mapping -***** DONE try1: only packets on h1 + controller -> wrong checksum 2019-03-25 +*** DONE TEST ping6ing an emulated ipv6 host / Translate icmp <-> icmp6: test v6_static_mapping +**** DONE try1: only packets on h1 + controller -> wrong checksum 2019-03-25 + filename=static_nat64-2019-03-25-1121-h1.pcap + intf=h1-eth0 + mx h1 tcpdump -ni h1-eth0 -w static_nat64-2019-03-25-1121-h1.pcap @@ -509,8 +541,8 @@ that the checksum code DOES NOT work on the task field! Problem: task field might be overriden for controller use in different table -> need different task field! -***** DONE try2: checksum ok, but no packets on h3 -****** DONE Setup a default rule for the IPv4 world to debug on controller +**** DONE try2: checksum ok, but no packets on h3 +***** DONE Setup a default rule for the IPv4 world to debug on controller Still not seeing the converted packet, however seeing icmp6_ns packets which should not be there: 
@@ -528,7 +560,7 @@ DEBUG:main:v6 reassambled=) hdr.ipv6.payload_length + 5; - - https://tools.ietf.org/html/rfc791: - Total Length is the length of the datagram, measured in octets, - including internet header and data. - - checksum = 0 -> offset incorrect??? - - ipv4 checksum is 0 - - nat64 frame length = 98 bytes - - theory: ethernet: 48+48+16 = 112 bit -> 12 bytes - - nat64: 76 bytes inside ethernet frame - - nat64: 69 bytes according to total_len - - nat64: -5 bytes = icmp4 = 64 bytes - - icmp6 == 64 bytes - - diff of 7 bytes :-) - - icmp should be: - - type+code+checksum = 4 bytes - - seq + identifier = 4 bytes - - data = variable, source is 56 bytes - - real world ping: total_length = 84, 48 bytes icmp data - - header length in both cases = 5 - - identification 0 in nat64, 0x2cad in real - - flags 0 in nat64, 0x4000 (DF) in real - - ttl = 64 both - - proto = icmp both cases - - header checksum = 0 in nat64, set in real - - data is shorter in nat64, due to total_len error - - real world icmp contains time stamp data ??? - - wireshark EXPECTS timestamp data in echo request! + 8 bytes - and then data - - almost fits diff 7 vs. 8 - - 8 bytes in one block in wireshark - - after ipv4: 6 + 8 + 3*(16) + 2 = 64 -- wtf?? - - icmp6: data == 56 bytes - - nat64 and realping4 frame == 98 bytes +**** DONE try4: h3 receives packet, but length seems to be off + - Seeing frame check sequence error + - total length ipv4 = 69 (h3) + - ipv6 payload length = 64 (h1) + - comes from hdr.ipv4.totalLen = (bit<16>) hdr.ipv6.payload_length + 5; + - https://tools.ietf.org/html/rfc791: + Total Length is the length of the datagram, measured in octets, + including internet header and data. + - checksum = 0 -> offset incorrect??? 
+ - ipv4 checksum is 0 + - nat64 frame length = 98 bytes + - theory: ethernet: 48+48+16 = 112 bit -> 12 bytes + - nat64: 76 bytes inside ethernet frame + - nat64: 69 bytes according to total_len + - nat64: -5 bytes = icmp4 = 64 bytes + - icmp6 == 64 bytes + - diff of 7 bytes :-) + - icmp should be: + - type+code+checksum = 4 bytes + - seq + identifier = 4 bytes + - data = variable, source is 56 bytes + - real world ping: total_length = 84, 48 bytes icmp data + - header length in both cases = 5 + - identification 0 in nat64, 0x2cad in real + - flags 0 in nat64, 0x4000 (DF) in real + - ttl = 64 both + - proto = icmp both cases + - header checksum = 0 in nat64, set in real + - data is shorter in nat64, due to total_len error + - real world icmp contains time stamp data ??? + - wireshark EXPECTS timestamp data in echo request! + 8 bytes + and then data + - almost fits diff 7 vs. 8 + - 8 bytes in one block in wireshark + - after ipv4: 6 + 8 + 3*(16) + 2 = 64 -- wtf?? + - icmp6: data == 56 bytes + - nat64 and realping4 frame == 98 bytes -****** TODO Correct IPv4 header checksum -****** TODO Correct ICMP header checksum -****** TODO Fix length issue - - Seems like total_len is too short - but why? -***** DONE try5: packet is good, but routing is "strange": default route == 10.0.0.66 +***** TODO Correct IPv4 header checksum +***** TODO Correct ICMP header checksum +***** TODO Fix length issue + - Seems like total_len is too short - but why? +**** DONE try5: packet is good, but routing is "strange": default route == 10.0.0.66 root@ubuntu:~# ip r default via 10.0.0.66 dev h3-eth0 10.0.0.0/24 dev h3-eth0 proto kernel scope link src 10.0.0.1 root@ubuntu:~# -***** DONE try6: host sees packet, but does not react on it, manually tring gateway ping +**** DONE try6: host sees packet, but does not react on it, manually tring gateway ping p4@ubuntu:~$ mx h3 tcpdump -lni h3-eth0 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode 
@@ -672,8 +704,8 @@ From 10.0.0.1 icmp_seq=1 Destination Host Unreachable root@ubuntu:~# -***** DONE try7: checkout dump from ping4_gw-2019-03-31-0916-h3.pcap: regular arp -***** DONE Get a real world arp trace +**** DONE try7: checkout dump from ping4_gw-2019-03-31-0916-h3.pcap: regular arp +**** DONE Get a real world arp trace root@line:/home/nico/vcs/master-thesis/pcap# tcpdump -ni wlan0 -w ping4_realworld_p7 icmp or arp or host 192.168.4.1 tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes root@line:~# arp -an 
@@ -687,75 +719,75 @@ PING 192.168.4.1 (192.168.4.1) 56(84) bytes of data. rtt min/avg/max/mdev = 15.533/15.533/15.533/0.000 ms root@line:~# -***** TODO Implement default route handling, maybe implement ARP? -****** DONE create arp table -****** TODO Multiple tables not supported +**** TODO Implement default route handling, maybe implement ARP? +***** DONE create arp table +***** TODO Multiple tables not supported p4c --target bmv2 --arch v1model --std p4-16 "../p4src/static-mapping.p4" -o "/home/p4/master-thesis/p4src" ../p4src/static-mapping.p4(366): error: Program is not supported by this target, because table MyIngress.v6_networks has multiple successors table v6_networks { ^^^^^^^^^^^ Compilation Error -****** Entry in v4_networks? -**** DONE Add table name support in debug messages -**** DONE Why getting IPv6 packets in +***** Entry in v4_networks? +*** DONE Add table name support in debug messages +*** DONE Why getting IPv6 packets in INFO:main:unhandled reassambled=>>> from table TABLE_V6_NETWORKS INFO:main:unhandled reassambled=>>> from table TABLE_V6_NETWORKS INFO:main:unhandled reassambled=>>> from table TABLE_NAT64 INFO:main:unhandled reassambled=>> from table TABLE_V4_NETWORKS -**** DONE Solve logic problem: Valid headers +*** DONE Solve logic problem: Valid headers - If ipv6 header is valid && nat64 will be made and afterwards v4 egress needs to be applied - If ipv4 header is valid && nat46 will be made and afterwards v6 egress needs to be applied -**** DONE Check translated fields -***** DONE source correctly translated to 10.1.1.1 -***** DONE destination correctly translated to 10.0.0.1 -> pings h3 -***** DONE egress is correct, comes out at h3 -***** DONE protocol 58 is wrong -> should be 1 -***** DONE figure out switch() syntax -***** DONE transform protocol specific: icmp6 -> icmp -****** DONE Implement double table, as there are no if's in actions -****** DONE Debug Ethernet frame check sequence error -> need to compute checksum +*** DONE Check 
translated fields +**** DONE source correctly translated to 10.1.1.1 +**** DONE destination correctly translated to 10.0.0.1 -> pings h3 +**** DONE egress is correct, comes out at h3 +**** DONE protocol 58 is wrong -> should be 1 +**** DONE figure out switch() syntax +**** DONE transform protocol specific: icmp6 -> icmp +***** DONE Implement double table, as there are no if's in actions +***** DONE Debug Ethernet frame check sequence error -> need to compute checksum https://en.wikipedia.org/wiki/Frame_check_sequence According to Edgar this should not be seen anyway. -****** DONE Calculate ICMP checksum -****** DONE Check field lengths -****** DONE Fix resolve / mac addresses -> ethernet is wrong! +***** DONE Calculate ICMP checksum +***** DONE Check field lengths +***** DONE Fix resolve / mac addresses -> ethernet is wrong! INFO:main:unhandled reassambled=>>> from table TABLE_V6_NETWORKS INFO:main:unhandled reassambled=>>> from table TABLE_V6_NETWORKS INFO:main:unhandled reassambled=>>> from table TABLE_V6_NETWORKS According to pcap/static_nat64-2019-04-03-0932-h3.pcap ethernet frame looks good. Still no reply / reaction from host h3. -****** DONE Fix IPv4 header checksum // wrong according to wireshark +***** DONE Fix IPv4 header checksum // wrong according to wireshark When & how to update? -****** DONE check packets static_nat64-2019-04-03-0957-h1.pcap: answer not outputted/natted! +***** DONE check packets static_nat64-2019-04-03-0957-h1.pcap: answer not outputted/natted! INFO:main:unhandled reassambled=>>> from table TABLE_V6_NETWORKS INFO:main:unhandled reassambled=>>> from table TABLE_V6_NETWORKS INFO:main:unhandled reassambled=>>> from table TABLE_V6_NETWORKS INFO:main:unhandled reassambled=>>> from table TABLE_V6_NETWORKS -******* DONE Is 10.1.1.1/x in the nat64 table? yes +****** DONE Is 10.1.1.1/x in the nat64 table? 
yes Adding entry to lpm match table nat46 match key: LPM-0a:01:01:00/24 action: nat46_static runtime data: 20:01:0d:b8:00:00:00:00:00:00:00:00:00:00:00:00 0a:01:01:00 20:01:0d:b8:00:01:00:00:00:00:00:00:00:00:00:00 Entry has been added with handle 0 -******* DONE if nat46_static is called, why is the ethernet type still ipv4? -> log! -******** DONE nat46 table is applied -******* DONE Check why there is a miss in the table -> c&p bug? +****** DONE if nat46_static is called, why is the ethernet type still ipv4? -> log! +******* DONE nat46 table is applied +****** DONE Check why there is a miss in the table -> c&p bug? [09:57:31.415] [bmv2] [T] [thread 9332] [105.0] [cxt 0] Applying table 'MyIngress.v6_networks' [09:57:31.415] [bmv2] [D] [thread 9332] [105.0] [cxt 0] Looking up key: * hdr.ipv6.dst_addr : 20010db8000000000000000000000001 [09:57:31.415] [bmv2] [D] [thread 9332] [105.0] [cxt 0] Table 'MyIngress.v6_networks': miss -***** DONE transform protocol specific: icmp -> icmp6 -****** DONE Make switch answer IPv4 icmp echo request for -******* DONE Make switch respond to ARP -******* DONE Make switch respond to icmp echo request w/ correct checksum (2019-04-03) -******* DONE Correct icmp6 checksum -******** DONE Checksum is SET, but not correct! -***** DONE Test result (2019-04-03) +**** DONE transform protocol specific: icmp -> icmp6 +***** DONE Make switch answer IPv4 icmp echo request for +****** DONE Make switch respond to ARP +****** DONE Make switch respond to icmp echo request w/ correct checksum (2019-04-03) +****** DONE Correct icmp6 checksum +******* DONE Checksum is SET, but not correct! +**** DONE Test result (2019-04-03) p4@ubuntu:~$ python ~/master-thesis/p4app/test.py -m v6_static_mapping PING 2001:db8:1::a00:1(2001:db8:1::a00:1) 56 data bytes 64 bytes from 2001:db8:1::a00:1: icmp_seq=1 ttl=64 time=14.7 ms 
@@ -764,8 +796,8 @@ PING 2001:db8:1::a00:1(2001:db8:1::a00:1) 56 data bytes 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 14.750/14.750/14.750/0.000 ms p4@ubuntu:~$ -**** DONE Add / check default route for v4 hosts -**** DONE Check IPv4 -> IPv6 translation +*** DONE Add / check default route for v4 hosts +*** DONE Check IPv4 -> IPv6 translation p4@ubuntu:~$ python ~/master-thesis/p4app/test.py -m v4_static_mapping PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data. 64 bytes from 10.1.1.1: icmp_seq=1 ttl=64 time=12.5 ms @@ -775,8 +807,8 @@ PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data. rtt min/avg/max/mdev = 12.593/12.593/12.593/0.000 ms p4@ubuntu:~$ -*** TODO Implement ipv6<->ipv4 udp translation -**** DONE udp: ipv6->ipv4 +** TODO Implement ipv6<->ipv4 udp translation +*** DONE udp: ipv6->ipv4 p4@ubuntu:~$ mx h3 "echo V4-OK | socat - UDP-LISTEN:2342" /usr/bin/mx: line 25: [: too many arguments @@ -787,9 +819,9 @@ p4@ubuntu:~$ mx h1 "echo V6-OK | socat - UDP6:[2001:db8:1::a00:1]:2342" /usr/bin/mx: line 25: [: too many arguments V4-OK p4@ubuntu:~$ -***** pcap/v6_udp-2019-04-11-0840-h1.pcap -***** pcap/v6_udp-2019-04-11-0840-h3.pcap -**** TODO udp: ipv4->ipv6 +**** pcap/v6_udp-2019-04-11-0840-h1.pcap +**** pcap/v6_udp-2019-04-11-0840-h3.pcap +*** TODO udp: ipv4->ipv6 p4@ubuntu:~$ mx h3 "echo V4-OK | socat - UDP:10.1.1.1:2342" /usr/bin/mx: line 25: [: too many arguments V6-OK 
@@ -797,12 +829,12 @@ p4@ubuntu:~$ p4@ubuntu:~$ mx h1 "echo V6-OK | socat - UDP6-LISTEN:2342" /usr/bin/mx: line 25: [: too many arguments V4-OK -***** proof - create mode 100644 pcap/v4_udp-2019-04-11-0855-h1.pcap - create mode 100644 pcap/v4_udp-2019-04-11-0855-h3.pcap +**** proof +create mode 100644 pcap/v4_udp-2019-04-11-0855-h1.pcap +create mode 100644 pcap/v4_udp-2019-04-11-0855-h3.pcap -*** DONE Implement ipv6<->ipv4 tcp translation -**** DONE tcp: v6 -> v4 +** DONE Implement ipv6<->ipv4 tcp translation +*** DONE tcp: v6 -> v4 p4@ubuntu:~$ mx h1 "echo V6-OK | socat - TCP6:[2001:db8:1::a00:1]:2342" /usr/bin/mx: line 25: [: too many arguments V4-OK @@ -811,10 +843,10 @@ p4@ubuntu:~$ mx h3 "echo V4-OK | socat - TCP-LISTEN:2342" /usr/bin/mx: line 25: [: too many arguments V6-OK p4@ubuntu:~$ -***** Proof - create mode 100644 pcap/v6_tcp-2019-04-11-0846-h1.pcap - create mode 100644 pcap/v6_tcp-2019-04-11-0846-h3.pcap -**** DONE tcp: v4 -> v6 +**** Proof +create mode 100644 pcap/v6_tcp-2019-04-11-0846-h1.pcap +create mode 100644 pcap/v6_tcp-2019-04-11-0846-h3.pcap +*** DONE tcp: v4 -> v6 p4@ubuntu:~$ mx h3 "echo V4-OK | socat - TCP:10.1.1.1:2342" /usr/bin/mx: line 25: [: too many arguments V6-OK @@ -823,13 +855,13 @@ p4@ubuntu:~$ mx h1 "echo V6-OK | socat - TCP6-LISTEN:2342" /usr/bin/mx: line 25: [: too many arguments V4-OK p4@ubuntu:~$ -***** Proof - pcap/v4_tcp-2019-04-11-0853-h1.pcap | Bin 0 -> 1174 bytes - pcap/v4_tcp-2019-04-11-0853-h3.pcap | Bin 0 -> 1070 bytes +**** Proof +pcap/v4_tcp-2019-04-11-0853-h1.pcap | Bin 0 -> 1174 bytes +pcap/v4_tcp-2019-04-11-0853-h3.pcap | Bin 0 -> 1070 bytes -*** TODO Update p4c to avoid compiler bug -**** TODO Updating p4c -***** DONE Try1 +** TODO Update p4c to avoid compiler bug +*** TODO Updating p4c +**** DONE Try1 p4@ubuntu:~/p4-learning/vm/bin$ sh update-p4c.sh update-p4c.sh: 34: update-p4c.sh: Syntax error: "(" unexpected p4@ubuntu:~/p4-learning/vm/bin$ git pull 
@@ -841,8 +873,8 @@ p4@ubuntu:~/p4-learning/vm/bin$ p4@ubuntu:~/p4-tools/p4c$ git checkout 1ab1c796677a3a2349df9619d82831a39a6e4437 p4@ubuntu:~/p4-tools/p4c/build$ cmake .. p4@ubuntu:~/p4-tools/p4c/build$ make -j8 -***** DONE Need to upgrade RAM / c++ errors / killed -***** DONE Compile error from 1ab1c79 +**** DONE Need to upgrade RAM / c++ errors / killed +**** DONE Compile error from 1ab1c79 [ 33%] Building CXX object frontends/CMakeFiles/frontend.dir/unified_frontend_sources_4.cpp.o [ 37%] Building CXX object frontends/CMakeFiles/frontend.dir/__/ir/ir-generated.cpp.o [ 35%] Building CXX object frontends/CMakeFiles/frontend.dir/unified_frontend_sources_2.cpp.o @@ -864,7 +896,7 @@ p4@ubuntu:~/p4-tools/p4c/build$ cd .. p4@ubuntu:~/p4-tools/p4c$ git describe --always 1ab1c79 p4@ubuntu:~/p4-tools/p4c$ -***** DONE Upgrading to latest master: 46609cd -> fails +**** DONE Upgrading to latest master: 46609cd -> fails p4@ubuntu:~/p4-tools/p4c$ git describe --always 46609cd @@ -892,17 +924,17 @@ Scanning dependencies of target bmv2backend Makefile:138: recipe for target 'all' failed make: *** [all] Error 2 p4@ubuntu:~/p4-tools/p4c/build$ -***** DONE Build on notebook succeeds 900557c5 +**** DONE Build on notebook succeeds 900557c5 [16:37] line:p4c% git describe --always 900557c5 -***** TODO Build on VM with 900557c5 after removing build/ -*** TODO Get p4 VM / vagrant running -**** DONE install libvirtd-daemon -**** DONE install ebtables -**** DONE install dnsmasq -*** TODO Get p4c & co. running on the notebook -**** DONE mininet via packages -**** DONE p4c +**** TODO Build on VM with 900557c5 after removing build/ +** TODO Get p4 VM / vagrant running +*** DONE install libvirtd-daemon +*** DONE install ebtables +*** DONE install dnsmasq +** TODO Get p4c & co. running on the notebook +*** DONE mininet via packages +*** DONE p4c (virtualenv-with-site) [17:43] line:build% make install [ 0%] Built target update_includes [ 0%] Built target linkgraphs 
@@ -955,12 +987,12 @@ Install the project... (virtualenv-with-site) [0:42] line:build% ls /home/nico/vcs/master-thesis/support/p4c-installation/bin/ p4c p4c-bm2-psa p4c-bm2-ss p4c-ebpf p4c-graphs p4test (virtualenv-with-site) [0:42] line:build% -**** TODO install behavioral-model +*** TODO install behavioral-model -**** TODO Debug / reread the virtualbox script from the lecture -**** TODO Get p4c installed / running - https://github.com/p4lang/p4c -***** log +*** TODO Debug / reread the virtualbox script from the lecture +*** TODO Get p4c installed / running + https://github.com/p4lang/p4c +**** log [16:31] line:p4c% git submodule update --init --recursive root@line:~# apt install bison \ @@ -994,12 +1026,12 @@ root@line:~# apt install libpcap-dev libelf-dev llvm pyroute2 \ ply==3.8 \ scapy==2.4.0 -***** Using newer version of libboost-iostreams1.58-dev -***** buidling +**** Using newer version of libboost-iostreams1.58-dev +**** buidling (virtualenv2) [16:36] line:p4c% mkdir build && \ cd build && \ cmake .. '-DCMAKE_CXX_FLAGS:STRING=-O3' -***** missing protobuf +**** missing protobuf (virtualenv2) [16:36] line:p4c% mkdir build && \ cd build && \ cmake .. '-DCMAKE_CXX_FLAGS:STRING=-O3' 
@@ -1103,15 +1135,15 @@ CMake Warning at backends/bmv2/CMakeLists.txt:199 (MESSAGE): -- Generating done -- Build files have been written to: /home/nico/vcs/master-thesis/support/p4c/build -***** testing in build directory: works +**** testing in build directory: works /home/nico/vcs/master-thesis/support/p4c/build -***** Changing install path +**** Changing install path CMAKE_INSTALL_PREFIX cmake .. '-DCMAKE_CXX_FLAGS:STRING=-O3' -DCMAKE_INSTALL_PREFIX=/home/nico/vcs/master-thesis/support/p4c-installation -**** TODO Get p4utils running (?) -**** log of python, p4app, p4c installation +*** TODO Get p4utils running (?) +*** log of python, p4app, p4c installation [16:16] line:support% virtualenv virtualenv2 Running virtualenv with interpreter /usr/bin/python2 New python executable in /home/nico/vcs/master-thesis/support/virtualenv2/bin/python2 @@ -1123,8 +1155,8 @@ Installing setuptools, pkg_resources, pip, wheel...done. (virtualenv2) [16:19] line:p4-utils-nsg% which pip /home/nico/vcs/master-thesis/support/virtualenv2/bin/pip (virtualenv2) [16:19] line:p4-utils-nsg% -***** pip install -e . -****** Missing python development headers +**** pip install -e . +***** Missing python development headers copying psutil/tests/test_memory_leaks.py -> build/lib.linux-x86_64-2.7/psutil/tests running build_ext building 'psutil._psutil_linux' extension @@ -1139,7 +1171,7 @@ Installing setuptools, pkg_resources, pip, wheel...done. root@line:~# apt install python2-dev -****** installing, but missing mininet.net +***** installing, but missing mininet.net (virtualenv2) [16:21] line:p4-utils-nsg% pip install -e "." DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7. Obtaining file:///home/nico/vcs/master-thesis/support/p4-utils-nsg 
@@ -1156,7 +1188,7 @@ Installing collected packages: p4utils Running setup.py develop for p4utils Successfully installed p4utils (virtualenv2) [16:21] line:p4-utils-nsg% -**** log Try2: using virtualenv that uses site packages for using mininet +*** log Try2: using virtualenv that uses site packages for using mininet [17:13] line:support% virtualenv --system-site-packages virtualenv-with-site Running virtualenv with interpreter /usr/bin/python2 New python executable in /home/nico/vcs/master-thesis/support/virtualenv-with-site/bin/python2 @@ -1197,8 +1229,8 @@ p4c --target bmv2 --arch v1model --std p4-16 "../p4src/static-mapping.p4" -o "/h ^^^ Switch port mapping: s1: 1:h1 2:h2 3:h3 4:h4 5:sw-cpu -**** Trying local vagrant VM -***** libvirtd missing user +*** Trying local vagrant VM +**** libvirtd missing user root@line:~# libvirtd 2019-03-12 16:39:14.556+0000: 20235: info : libvirt version: 5.0.0, package: 1 (Guido Günther Wed, 16 Jan 2019 10:31:33 +0100) 2019-03-12 16:39:14.556+0000: 20235: info : hostname: line 
@@ -1322,46 +1354,59 @@ strace: Process 20614 detached strace: Process 20615 detached strace: Process 20616 detached strace: Process 20620 detached -**** Creating network -**** Adding hosts: - h1 h2 h3 h4 -**** Adding switches: - Cannot find required executable simple_switch. - Please make sure that it is installed and available in your $PATH: - (/home/nico/vcs/master-thesis/support/virtualenv-with-site/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/home/nico/vcs/master-thesis/support/p4c/build/) - (virtualenv-with-site) root@line:/home/nico/vcs/master-thesis/p4app# -*** TODO Setup test VM [dual stack] for Jool: -*** TODO Setup test VM [dual stack] for tayga: -*** NAT64/NAT46 Features in jool and tayga -**** TODO Static 1:1 NAT46: translate from IPv4 to IPv6 with a table -***** TODO TCP -***** TODO UDP -***** TODO ICMP <-> ICMPv6 -**** TODO Stateless Prefix based NAT64: IPv6 to IPv4 translation prefix based -***** Allows IPv6 hosts to reach the IPv4 Internet -**** See time table above -*** Additional features queue (to be discussed) -**** TODO Offset based translation (v4->v6) -> same as range (?) -**** TODO IP address learning (v6/v4) for real life switch? How do hosts find it? -** Thesis documentation -*** Motivation - TBD -*** Translation mechanisms - - v4 to v6 / vice versa - - Stateful / stateless - - static / dynamic -**** Explicit Address Mappings Table (EAMT) - Range based mapping tables - See https://www.jool.mx/en/eamt.html, - https://tools.ietf.org/html/rfc7757 +*** Creating network +*** Adding hosts: +h1 h2 h3 h4 +*** Adding switches: +Cannot find required executable simple_switch. 
+Please make sure that it is installed and available in your $PATH: +(/home/nico/vcs/master-thesis/support/virtualenv-with-site/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/home/nico/vcs/master-thesis/support/p4c/build/) +(virtualenv-with-site) root@line:/home/nico/vcs/master-thesis/p4app# +** TODO Setup test VM [dual stack] for Jool: +** TODO Setup test VM [dual stack] for tayga: +** NAT64/NAT46 Features in jool and tayga +*** TODO Static 1:1 NAT46: translate from IPv4 to IPv6 with a table +**** TODO TCP +**** TODO UDP +**** TODO ICMP <-> ICMPv6 +*** TODO Stateless Prefix based NAT64: IPv6 to IPv4 translation prefix based +**** Allows IPv6 hosts to reach the IPv4 Internet +*** See time table above +** Additional features queue (to be discussed) +*** TODO Offset based translation (v4->v6) -> same as range (?) +*** TODO IP address learning (v6/v4) for real life switch? How do hosts find it? +* Thesis documentation +** Introduction +*** Related work +**** RFC6052 + - Defining well known prefix 64:ff9b::/96 + - Defining embedding depending on prefix: /32../104 in 8 bit + steps + - Longer than /96: suffix support -*** Current state of the art tayga/jool - TBD -**** Tayga - - Single threaded - - Multi threaded work started due to initiative of ungleich / - Chrisrock [IPv6.chat] -**** Jool + + + +** Motivation + TBD +** Translation mechanisms + - v4 to v6 / vice versa + - Stateful / stateless + - static / dynamic +*** Explicit Address Mappings Table (EAMT) + Range based mapping tables + See https://www.jool.mx/en/eamt.html, + https://tools.ietf.org/html/rfc7757 +*** Stateful NAT46 + - Not needed + - IP address based translation is enough +** Current state of the art tayga/jool + TBD +*** Tayga + - Single threaded + - Multi threaded work started due to initiative of ungleich / + Chrisrock [IPv6.chat] +*** Jool - EAMT bidirectional only (!) IPtables interaction 
@@ -1385,20 +1430,71 @@ user@T:~# iptables -t mangle -A PREROUTING \ > -j JOOL_SIIT --instance "example" ``` 5656 -**** Cisco (?) -*** P4 based implementation -**** General +*** Cisco (?) +** P4 based implementation +*** General - - IPv6 subnet 2001:db8::/32 - - IPv6 hosts are in 2001:db8:6::/64 - - IPv6 default router (::/0) is 2001:db8:6::42/64 - - IPv4 mapped Internet "NAT64 prefix" 2001:db8:4444::/96 (should - go into a table) - - IPv4 hosts are in 10.0.4.0/24 - - IPv6 in IPv4 mapped hosts are in 10.0.6.0/24 - - IPv4 default router = 10.0.0.42 -**** Neighbor discover protocol -***** Initial log + - IPv6 subnet 2001:db8::/32 + - IPv6 hosts are in 2001:db8:6::/64 + - IPv6 default router (::/0) is 2001:db8:6::42/64 + - IPv4 mapped Internet "NAT64 prefix" 2001:db8:4444::/96 (should + go into a table) + - IPv4 hosts are in 10.0.4.0/24 + - IPv6 in IPv4 mapped hosts are in 10.0.6.0/24 + - IPv4 default router = 10.0.0.42 +*** TODO IPv4 embedding + +RFC6052 + +#+BEGIN_SRC + + +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ + |PL| 0-------------32--40--48--56--64--72--80--88--96--104---------| + +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ + |32| prefix |v4(32) | u | suffix | + +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ + |40| prefix |v4(24) | u |(8)| suffix | + +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ + |48| prefix |v4(16) | u | (16) | suffix | + +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ + |56| prefix |(8)| u | v4(24) | suffix | + +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ + |64| prefix | u | v4(32) | suffix | + +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ + |96| prefix | v4(32) | + +--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ + + +#+END_SRC + +Bits 64..71 have to be 0 -- ref rfc4291 - host identifier - why? 
+Section 2.5.1 of rfc4291 "required to be unique within a subnet prefix" +Modified EUI-64 format. +Compare EUI-64: first 8 bits of mac address + +inverting u bit from rfc 4291 + +#+BEGIN_QUOTE +the "u" bit is set to one (1) + to indicate universal scope, and it is set to zero (0) to indicate + local scope. + +#+END_QUOTE + + +#+BEGIN_SRC + + 0 0 0 1 1 2 + |0 7 8 5 6 3| + +----+----+----+----+----+----+ + |cccc|ccug|cccc|cccc|cccc|cccc| + +----+----+----+----+----+----+ + + +#+END_SRC + +*** Neighbor discover protocol +**** Initial log - Matching on prefix & ingress port, setting multicast Being forwarded: @@ -1568,11 +1664,11 @@ DEBUG:main:INCOMING: >>> DEBUG:main:INCOMING: >>> -***** Ignored ICMPv6 packets +**** Ignored ICMPv6 packets We are not using router advertisements, so we ignore RS packets DEBUG:main:INCOMING: >>> -***** Double table entries due to collision +**** Double table entries due to collision - NDP: last 24 bit - Switch has same ending address in different networks -> equal last 24 bit 
@@ -1594,70 +1690,70 @@ action: icmp6_echo_reply runtime data: Entry has been added with handle 5 -***** General approach - - Need to react on our multicast group - - But also need to forward to other ports that subscribed to - that multicast group! -**** Static mappings - - likely need table(s) - - need tcp & udp translation -**** ICMPv6 -***** General / Intro - Different lengths possible +**** General approach + - Need to react on our multicast group + - But also need to forward to other ports that subscribed to + that multicast group! +*** Static mappings + - likely need table(s) + - need tcp & udp translation +*** ICMPv6 +**** General / Intro +Different lengths possible - [20:35] line:~% ping -6 -s 20 ::1 - PING ::1(::1) 20 data bytes - 28 bytes from ::1: icmp_seq=1 ttl=64 time=0.045 ms - 28 bytes from ::1: icmp_seq=2 ttl=64 time=0.064 ms - ^C - --- ::1 ping statistics --- - 2 packets transmitted, 2 received, 0% packet loss, time 1018ms - rtt min/avg/max/mdev = 0.045/0.054/0.064/0.012 ms - [20:36] line:~% ping -6 -s 80 ::1 - PING ::1(::1) 80 data bytes - 88 bytes from ::1: icmp_seq=1 ttl=64 time=0.053 ms - 88 bytes from ::1: icmp_seq=2 ttl=64 time=0.095 ms - ^C - --- ::1 ping statistics --- - 2 packets transmitted, 2 received, 0% packet loss, time 1001ms - rtt min/avg/max/mdev = 0.053/0.074/0.095/0.021 ms - [20:36] line:~% +[20:35] line:~% ping -6 -s 20 ::1 +PING ::1(::1) 20 data bytes +28 bytes from ::1: icmp_seq=1 ttl=64 time=0.045 ms +28 bytes from ::1: icmp_seq=2 ttl=64 time=0.064 ms +^C +--- ::1 ping statistics --- +2 packets transmitted, 2 received, 0% packet loss, time 1018ms +rtt min/avg/max/mdev = 0.045/0.054/0.064/0.012 ms +[20:36] line:~% ping -6 -s 80 ::1 +PING ::1(::1) 80 data bytes +88 bytes from ::1: icmp_seq=1 ttl=64 time=0.053 ms +88 bytes from ::1: icmp_seq=2 ttl=64 time=0.095 ms +^C +--- ::1 ping statistics --- +2 packets transmitted, 2 received, 0% packet loss, time 1001ms +rtt min/avg/max/mdev = 0.053/0.074/0.095/0.021 ms +[20:36] line:~% - 
Different checksum in most packets. +Different checksum in most packets. - root@ubuntu:~/master-thesis# ip -6 neigh show - root@ubuntu:~/master-thesis# ip -6 neigh add 2001:db8:61::42 dev h1-eth0 lladdr 00:00:0a:00:00:42 - root@ubuntu:~/master-thesis# ip -6 neigh show - 2001:db8:61::42 dev h1-eth0 lladdr 00:00:0a:00:00:42 PERMANENT - root@ubuntu:~/master-thesis# +root@ubuntu:~/master-thesis# ip -6 neigh show +root@ubuntu:~/master-thesis# ip -6 neigh add 2001:db8:61::42 dev h1-eth0 lladdr 00:00:0a:00:00:42 +root@ubuntu:~/master-thesis# ip -6 neigh show +2001:db8:61::42 dev h1-eth0 lladdr 00:00:0a:00:00:42 PERMANENT +root@ubuntu:~/master-thesis# - root@ubuntu:~/master-thesis# tcpdump -ni h1-eth0 - tcpdump: verbose output suppressed, use -v or -vv for full protocol decode - listening on h1-eth0, link-type EN10MB (Ethernet), capture size 262144 bytes - ^C20:22:43.944152 IP6 2001:db8:61::1 > 2001:db8:61::42: ICMP6, echo request, seq 1, length 64 - 20:22:43.945992 IP6 2001:db8:61::1 > 2001:db8:61::42: ICMP6, echo request, seq 1, length 64 - 20:22:44.952453 IP6 2001:db8:61::1 > 2001:db8:61::42: ICMP6, echo request, seq 2, length 64 - 20:22:44.953995 IP6 2001:db8:61::1 > 2001:db8:61::42: ICMP6, echo request, seq 2, length 64 +root@ubuntu:~/master-thesis# tcpdump -ni h1-eth0 +tcpdump: verbose output suppressed, use -v or -vv for full protocol decode +listening on h1-eth0, link-type EN10MB (Ethernet), capture size 262144 bytes +^C20:22:43.944152 IP6 2001:db8:61::1 > 2001:db8:61::42: ICMP6, echo request, seq 1, length 64 +20:22:43.945992 IP6 2001:db8:61::1 > 2001:db8:61::42: ICMP6, echo request, seq 1, length 64 +20:22:44.952453 IP6 2001:db8:61::1 > 2001:db8:61::42: ICMP6, echo request, seq 2, length 64 +20:22:44.953995 IP6 2001:db8:61::1 > 2001:db8:61::42: ICMP6, echo request, seq 2, length 64 - 4 packets captured - 4 packets received by filter - 0 packets dropped by kernel - root@ubuntu:~/master-thesis# -***** When pinging we see +4 packets captured +4 packets received by 
filter +0 packets dropped by kernel +root@ubuntu:~/master-thesis# +**** When pinging we see DEBUG:main:INCOMING: >>> DEBUG:main:INCOMING: >>> DEBUG:main:INCOMING: >>> -***** Hosts -****** Left side: IPv6 -****** Right side: IPv4 -***** Included in the header +**** Hosts +***** Left side: IPv6 +***** Right side: IPv4 +**** Included in the header -***** DONE Supported feature: NDP NA/NS +**** DONE Supported feature: NDP NA/NS - For resolving mac address - Initially controller - Ported into switch -***** DONE Supported feature: icmp6 echo reply +**** DONE Supported feature: icmp6 echo reply p4@ubuntu:~/master-thesis/p4app$ python test.py --method ping6_switch PING 2001:db8::42(2001:db8::42) 56 data bytes 64 bytes from 2001:db8::42: icmp_seq=1 ttl=64 time=3.05 ms @@ -1667,12 +1763,12 @@ PING 2001:db8::42(2001:db8::42) 56 data bytes rtt min/avg/max/mdev = 3.055/3.055/3.055/0.000 ms p4@ubuntu:~/master-thesis/p4app$ -**** Requirements -**** Static NAT64 +*** Requirements +*** Static NAT64 Asymmetric maps: v6->v4 can match whole IPv4 Internet (/96) But v4->v6 can only map sub range! Using /24s (for convience) in IPv4 -**** Development mode/loop +*** Development mode/loop Code - commit - push - pull - restart switch - check whether all tables are present (missing .apply()) restart controller - check whether tables are applied correctly (type conversion problems) - 
@@ -1680,20 +1776,26 @@ start tcpdump - start test program - stop tcpdump - add pcap to git repo - git add-commit-push - git pull - start wireshark - debug packets - analyse code - goto 1 -**** Setting up a system for working on P4 on devuan -***** Scripts in the wild - https://github.com/nsg-ethz/p4-learning/blob/master/vm/bin/update-p4c.sh - https://github.com/jafingerhut/p4-guide/blob/master/bin/install-p4dev-p4runtime.sh - https://github.com/nsg-ethz/p4-learning/tree/master/vm/bin -***** mininet -***** bmv2 - [21:24] line:~% sudo apt install libthrift-dev - [21:26] line:~% sudo apt install thrift-compiler - libnanomsg-dev libjudy-dev -*** Performance comparison -*** P4 Possible Improvements / Current Challenges / Limitations -**** DONE cannot read key from table -***** log +*** Setting up a system for working on P4 on devuan +**** Scripts in the wild + https://github.com/nsg-ethz/p4-learning/blob/master/vm/bin/update-p4c.sh + https://github.com/jafingerhut/p4-guide/blob/master/bin/install-p4dev-p4runtime.sh + https://github.com/nsg-ethz/p4-learning/tree/master/vm/bin +**** mininet +**** bmv2 +[21:24] line:~% sudo apt install libthrift-dev +[21:26] line:~% sudo apt install thrift-compiler +libnanomsg-dev libjudy-dev +** TODO Comparison with existing tools (Performance, Features) +*** Features +| What? | Description | State in P4 | References | +|-----------+------------------------------------------+-------------------+-----------------------------------------------| +| Jool EAMT | Mapping with tables, multiple entries | Supported | https://www.jool.mx/en/run-eam.html, RFC 7757 | +| Jool SIIT | Mapping IPv6 to range of IPv4, one entry | Supported by EAMT | | +| | | | | +** P4 Possible Improvements / Current Challenges / Limitations +*** DONE cannot read key from table +**** log Key and mask for matching destination is in table. We need this information in the action. 
However this information is not exposed, so we need to specify another parameter with the same information as in @@ -1751,18 +1853,18 @@ Key and mask for matching destination is in table. We need this No you’re right that most implementations have the value in memory. And one can imagine a different table API that allowed one to retrieve it in the data plane. But unless I am missing something obvious, P4 hides it… -***** Result +**** Result Need to duplicate information -**** DONE ICMP6: checksum over payload +*** DONE ICMP6: checksum over payload - variable length, up to 65k Exists! -**** DONE Synchronisation with the controller - - Double data type definition -> might differ - - TYPE_CPU for ethernet - - Port ingress offset (9 vs. 16 bit) +*** DONE Synchronisation with the controller + - Double data type definition -> might differ + - TYPE_CPU for ethernet + - Port ingress offset (9 vs. 16 bit) -**** p4c expression bug 2019-03-30 +*** p4c expression bug 2019-03-30 Hit in master-thesis 0.4-28-g881643e #+BEGIN_SRC @@ -1798,7 +1900,7 @@ bad json: #+END_SRC -**** DONE Only one LPM key supported in tables (2019-03-23) +*** DONE Only one LPM key supported in tables (2019-03-23) Priority support in ternary possible. Means rewriting for developers. Could possibly be supported by switching to ternary mode internally. @@ -1827,7 +1929,7 @@ Code: } #+END_SRC -**** No table meta information for default actions (asked 2019-03-25) +*** No table meta information for default actions (asked 2019-03-25) Is there any meta information for "from which table was the action called" available? My use case is having a debug action that sends packets to the controller and I use it as a default_action in various 
@@ -1838,165 +1940,196 @@ me available? I could work around this by using if(! .. .hit) { my_action(table_id) }, but it would not work with using default_action = ... -**** DONE No switch in actions, No conditional execution in actions -***** 3 possible solutions - - multi table (state as of 2019-03-28) - - switch/if in actions: with shadow tables - - switch/if in apply block +*** DONE No switch in actions, No conditional execution in actions +**** 3 possible solutions + - multi table (state as of 2019-03-28) + - switch/if in actions: with shadow tables + - switch/if in apply block -***** log - Imho, compiler should be able to unroll these to some degree. +**** log +Imho, compiler should be able to unroll these to some degree. - #+BEGIN_SRC - ../p4src/static-mapping.p4(60): error: SwitchStatement: switch statements not allowed in actions - switch(hdr.icmp6.type) { - ^^^^^^ - #+END_SRC +#+BEGIN_SRC +../p4src/static-mapping.p4(60): error: SwitchStatement: switch statements not allowed in actions + switch(hdr.icmp6.type) { + ^^^^^^ +#+END_SRC - #+BEGIN_SRC - ../p4src/static-mapping.p4(57): error: MethodCallStatement: Conditional execution in actions is not supported on this target - hdr.icmp.setValid(); - ^^^^^^^^^^^^^^^^^^^ - ../p4src/static-mapping.p4(70): error: MethodCallStatement: Conditional execution in actions is not supported on this target - hdr.icmp6.setInvalid(); - ^^^^^^^^^^^^^^^^^^^^^^ - ../p4src/static-mapping.p4(73): error: MethodCallStatement: Conditional execution in actions is not supported on this target - hdr.icmp6_na_ns.setInvalid(); - ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - ../p4src/static-mapping.p4(74): error: MethodCallStatement: Conditional execution in actions is not supported on this target - hdr.icmp6_option_link_layer_addr.setInvalid(); - ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - Compilation Error - p4@ubuntu:~/master-thesis/p4app$ - #+END_SRC +#+BEGIN_SRC +../p4src/static-mapping.p4(57): error: MethodCallStatement: Conditional execution in 
actions is not supported on this target + hdr.icmp.setValid(); + ^^^^^^^^^^^^^^^^^^^ +../p4src/static-mapping.p4(70): error: MethodCallStatement: Conditional execution in actions is not supported on this target + hdr.icmp6.setInvalid(); + ^^^^^^^^^^^^^^^^^^^^^^ +../p4src/static-mapping.p4(73): error: MethodCallStatement: Conditional execution in actions is not supported on this target + hdr.icmp6_na_ns.setInvalid(); + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +../p4src/static-mapping.p4(74): error: MethodCallStatement: Conditional execution in actions is not supported on this target + hdr.icmp6_option_link_layer_addr.setInvalid(); + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Compilation Error +p4@ubuntu:~/master-thesis/p4app$ +#+END_SRC - Code: +Code: - #+BEGIN_SRC - if(hdr.ipv6.next_header == PROTO_ICMP6) { - nat64_icmp6(); - } - #+END_SRC +#+BEGIN_SRC + if(hdr.ipv6.next_header == PROTO_ICMP6) { + nat64_icmp6(); + } +#+END_SRC -**** TODO Modules, OS +*** TODO Modules, OS Not addressed so far: how to create re-usable code fragments that can be plugged in easily. There could be a hypothetical "P4OS" that manages code fragments. This might include, but not limited to downloading (signed?) source code, managing dependencies similar to Linux package management, handling updates, etc. -**** TODO Code sharing (controller, switch) +*** TODO Code sharing (controller, switch) Many constants double defined. Easy to make errors. -*** Implementation limitations +** Implementation description and limitations +*** Limitations +**** IPv4 embedding (RFC6052, RFC4291) +Supported is similar to the "IPv4-Compatible IPv6 Address" as defined by +rfc4291 section 2.5.5.1. Longer prefixes can be specified, but +effectively last part used. Not ensuring 16 0 bits. Deprecated +according to RFC4291. 
+ +Also section 2.5.5.2 "IPv4-Mapped IPv6 Address" + + - Only correctly support /96 prefix + - Other modes also embed in last 32 bits + - However supports any prefix length >= 96 + + +Mac addresses: bit 0 = unicast (0)/multicast(1), +bit 1 = local (1)/global (0) - site wiki/mac **** No fragmentation support (yet) **** No session handling (yet) -1:1 mappings. No (automatic) session. + 1:1 mappings. No (automatic) session. **** IPv4 / IPv6 embedding -Currently offset based - probably not following the RFC! + Currently offset based - probably not following the RFC! **** No DNS64 -has already been solved in a different domain - could even do -transparent / in network modification + has already been solved in a different domain - could even do + transparent / in network modification **** Incomplete NDP Very limited option support **** NAT64 mappings not source network dependent -Only the destination network is matched for deciding on NAT64, as -priority based double LPM is not supported. This limits a prefix to be -used only in one network. + Only the destination network is matched for deciding on NAT64, as + priority based double LPM is not supported. This limits a prefix to be + used only in one network. **** TODO No resolution of hardware addresses - - hardcoded ip --> mac addresses -Correct version: -Resolve mac address in controller, buffer packet, replay packet / -handle packet. -Only has to be set, when packets originate from the switch/controller. + - hardcoded ip --> mac addresses + Correct version: + Resolve mac address in controller, buffer packet, replay packet / + handle packet. + Only has to be set, when packets originate from the switch/controller. 
-*** References / Follow up -**** RFC 791 IPv4 https://tools.ietf.org/html/rfc791 -**** RFC 792 ICMP https://tools.ietf.org/html/rfc792 -**** RFC 826 ARP https://tools.ietf.org/html/rfc826 -**** RFC 1017 ICMP checksum https://tools.ietf.org/html/rfc1071 -**** RFC 2460 IPv6 (Checksum https://tools.ietf.org/html/rfc2460#section-8.1) -**** RFC 3810 MLD2 https://tools.ietf.org/html/rfc3810 -**** RFC 4443 ICMPv6 https://tools.ietf.org/html/rfc4443 -**** RFC 4861: https://tools.ietf.org/html/rfc4861 Neighbor discovery -**** RFC 6052: https://tools.ietf.org/html/rfc6052 IPv6 Addressing of IPv4/IPv6 Translators -**** RFC 6586 for deployment experiences using Stateful NAT64. -**** RFC 7757 Explicit Address Mappings for Stateless IP/ICMP Translation -**** EAMT/Jool: https://www.jool.mx/en/eamt.html -**** Solicited node multicast address https://en.wikipedia.org/wiki/Solicited-node_multicast_address -**** Scapy / IPv6: https://www.idsv6.de/Downloads/IPv6PacketCreationWithScapy.pdf -**** V1 model: https://github.com/p4lang/p4c/blob/master/p4include/v1model.p4 -**** Cisco NAT64 https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book/iadnat-stateful-nat64.pdf -** DONE Admin -*** DONE Clarify PDF / form with Denise Spicher: free form description -*** DONE Create task description to be handed in mystudies -*** DONE Create list of tasks / initial brainstorming -*** DONE Get OK from Ueli Maurer that thesis is valid in Information Security Area -*** DONE Find out how-when-whom-where to meet / define schedule -*** DONE Latex and/or org-mode for the thesis? org for starting -*** DONE Add initial milestones -**** 180d plan -**** 25w -*** DONE Proposal / task description -**** Task description for mystudies -***** High speed NAT64 with P4 - Currently there are two main open source NAT64 solution available: - tayga and jool. The former is a single threaded, cpu bound user - space solution, the latter a custom Linux kernel module. 
- - This thesis challenges this status quo by developing a P4 based - solution supporting all features of jool/tayga and comparing the - performance, security and adaptivity of the solutions. - - - Milestone 1: Stateless NAT64/NAT46 translations in P4 - - Milestone 2: Stateful (dynamic) NAT64/NAT46 translations - - Milestone 3: Hardware adaption -**** Original ideas - Proposal 1: Automating NAT64 with P4 - - In IPv6 only data centers IPv4 connectivity is still a business - requirement. Current state of the art methods include layer 7 proxying - or static assignments. both featuring static assignments. - - A flexible, dynamic assignment of IPv4 addresses to IPv6 hosts, similar - to lease times in DHCPv4 and prefix delegations in DHCPv6 could reduce - the pressure on IPv4 addresses. - - I would suggest the develop of a new protocol (likely UDP embedded) that - allows hosts to request on-network support for IPv4 addresses. As IPv4 - addresses have to be treated as "expensive", an accounting metric has to - be introduced. While in the business world this is usually related to - money, in the network world IPv4 users could be paying the network by - (reduced) bandwidth. - - If such a metric existed, devices attached to the network could also try - to negotiate and wait for using IPv4, when the price / penality for IPv4 - is low (this might be very suitable for mail exchangers for instance). 
+** References / Follow up +*** RFC 791 IPv4 https://tools.ietf.org/html/rfc791 +*** RFC 792 ICMP https://tools.ietf.org/html/rfc792 +*** RFC 826 ARP https://tools.ietf.org/html/rfc826 +*** RFC 1017 ICMP checksum https://tools.ietf.org/html/rfc1071 + - Related to RFC 6052, Host identifier +*** RFC 2373 IP Version 6 Addressing Architecture + - Referenced by RFC2464 + - Obsoleted by RFC3513 - Proposal 2: High speed NAT64 with P4 +*** RFC 2460 IPv6 (Checksum https://tools.ietf.org/html/rfc2460#section-8.1) +*** RFC 2464 Transmission of IPv6 Packets over Ethernet Networks https://tools.ietf.org/html/rfc2464 + - embedding of Mac addresses +*** RFC 3810 MLD2 https://tools.ietf.org/html/rfc3810 +*** RFC 4038 Application Aspects of IPv6 Transition https://tools.ietf.org/html/rfc4038 + - Ref by RFC4291 / mapped ipv4 + - +*** RFC 4291 IP Version 6 Addressing Architecture https://tools.ietf.org/html/rfc4291 + -! - Currently there are two main open source NAT64 solution available: - tayga[0] and jool[1]. The former is a single threaded, cpu bound user - space solution, the latter a custom Linux kernel module. +*** RFC 4443 ICMPv6 https://tools.ietf.org/html/rfc4443 +*** RFC 4861: https://tools.ietf.org/html/rfc4861 Neighbor discovery +*** RFC 6052: https://tools.ietf.org/html/rfc6052 IPv6 Addressing of IPv4/IPv6 Translators - first NAT64?? +*** RFC 6586 for deployment experiences using Stateful NAT64. 
+*** RFC 7757 Explicit Address Mappings for Stateless IP/ICMP Translation - https://tools.ietf.org/html/rfc7757 +*** EAMT/Jool: https://www.jool.mx/en/eamt.html +*** Solicited node multicast address https://en.wikipedia.org/wiki/Solicited-node_multicast_address +*** Scapy / IPv6: https://www.idsv6.de/Downloads/IPv6PacketCreationWithScapy.pdf +*** V1 model: https://github.com/p4lang/p4c/blob/master/p4include/v1model.p4 +*** Cisco NAT64 https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book/iadnat-stateful-nat64.pdf +*** Wiki_mac: https://en.wikipedia.org/wiki/MAC_address +* DONE Initial administration +** DONE Clarify PDF / form with Denise Spicher: free form description +** DONE Create task description to be handed in mystudies +** DONE Create list of tasks / initial brainstorming +** DONE Get OK from Ueli Maurer that thesis is valid in Information Security Area +** DONE Find out how-when-whom-where to meet / define schedule +** DONE Latex and/or org-mode for the thesis? org for starting +** DONE Add initial milestones +*** 180d plan +*** 25w +** DONE Proposal / task description +*** Task description for mystudies +**** High speed NAT64 with P4 + Currently there are two main open source NAT64 solution available: + tayga and jool. The former is a single threaded, cpu bound user + space solution, the latter a custom Linux kernel module. - I would like to challenge this status quo and develop a P4 based - solution supporting all features of jool/tayga and comparing the - performance and adaptivity of the solutions. + This thesis challenges this status quo by developing a P4 based + solution supporting all features of jool/tayga and comparing the + performance, security and adaptivity of the solutions. 
- [0] http://www.litech.org/tayga/ - [1] https://www.jool.mx/en/index.html + - Milestone 1: Stateless NAT64/NAT46 translations in P4 + - Milestone 2: Stateful (dynamic) NAT64/NAT46 translations + - Milestone 3: Hardware adaption +*** Original ideas + Proposal 1: Automating NAT64 with P4 + + In IPv6 only data centers IPv4 connectivity is still a business + requirement. Current state of the art methods include layer 7 proxying + or static assignments. both featuring static assignments. + + A flexible, dynamic assignment of IPv4 addresses to IPv6 hosts, similar + to lease times in DHCPv4 and prefix delegations in DHCPv6 could reduce + the pressure on IPv4 addresses. + + I would suggest the develop of a new protocol (likely UDP embedded) that + allows hosts to request on-network support for IPv4 addresses. As IPv4 + addresses have to be treated as "expensive", an accounting metric has to + be introduced. While in the business world this is usually related to + money, in the network world IPv4 users could be paying the network by + (reduced) bandwidth. + + If such a metric existed, devices attached to the network could also try + to negotiate and wait for using IPv4, when the price / penality for IPv4 + is low (this might be very suitable for mail exchangers for instance). - Proposal 3: Challenging the status quo with IPv10 + Proposal 2: High speed NAT64 with P4 - The de facto standard in networking is to treat IPv4 - and IPv6 as "impossible to combine". This proposal is - to challenge this notion with three different methods: + Currently there are two main open source NAT64 solution available: + tayga[0] and jool[1]. The former is a single threaded, cpu bound user + space solution, the latter a custom Linux kernel module. 
- - Extensions to IPv4 to request remote IPv6 transport - - Extensions to IPv6 to request remote IPv4 transport - - Support in network equipment to handle the extensions + I would like to challenge this status quo and develop a P4 based + solution supporting all features of jool/tayga and comparing the + performance and adaptivity of the solutions. - As the IPv4 header does not allow embedding IPv6 addresses due to size - limitations, embedding the destination address in a secondary header - might be necessary (possibly encapsulated in UDP). + [0] http://www.litech.org/tayga/ + [1] https://www.jool.mx/en/index.html + + + Proposal 3: Challenging the status quo with IPv10 + + The de facto standard in networking is to treat IPv4 + and IPv6 as "impossible to combine". This proposal is + to challenge this notion with three different methods: + + - Extensions to IPv4 to request remote IPv6 transport + - Extensions to IPv6 to request remote IPv4 transport + - Support in network equipment to handle the extensions + + As the IPv4 header does not allow embedding IPv6 addresses due to size + limitations, embedding the destination address in a secondary header + might be necessary (possibly encapsulated in UDP).
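Review bot: In the hunk at @@ -1322,46 +1354,59 @@, the new Related work bullets for RFC6052 ("/32../104 in 8 bit steps" and "Longer than /96: suffix support") disagree with the embedding table this same patch adds under "IPv4 embedding". That table lists only the prefix lengths 32, 40, 48, 56, 64 and 96, and shows a suffix for every length except 96, which matches RFC 6052 section 2.2. Suggest rewording the bullets to "/32, /40, /48, /56, /64 or /96" and "shorter than /96: suffix". Separately, "*** Creating network", "*** Adding hosts:" and "*** Adding switches:" are program output from the failed run (they lead into "Cannot find required executable simple_switch"), yet the heading promotion rewrote them like real headings; wrapping that transcript in #+BEGIN_EXAMPLE would keep org from parsing them as outline entries.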
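Review bot: In the hunk at @@ -1385,20 +1430,71 @@, the line "Bits 64..71 have to be 0 -- ref rfc4291 - host identifier - why?" commits an unanswered question into the thesis documentation. RFC 6052 section 2.2 states the reason (the octet is reserved for compatibility with the RFC 4291 host identifier format and must be zero), so cite that section here or turn the line into a TODO item. "inverting u bit from rfc 4291" is followed by a quote that only defines the bit values; one sentence on what is inverted, and relative to what, would make the EUI-64 diagram readable on its own. Both diagrams are in #+BEGIN_SRC blocks with no language; #+BEGIN_EXAMPLE is the better fit for ASCII art.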
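Review bot: In the hunk at @@ -1594,70 +1690,70 @@, the ping and tcpdump transcripts under "General / Intro" are de-indented to column 0 but not put in any block, so lines such as "--- ::1 ping statistics ---" and "^C" now read as body text and will be reflowed on export. The compiler errors later in this patch are already fenced with #+BEGIN_SRC / #+END_SRC; do the same here with #+BEGIN_EXAMPLE. The same applies to the "Different lengths possible" and "Different checksum in most packets." remarks, which should stay outside the blocks as prose between the transcripts.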
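Review bot: In the hunk at @@ -1680,20 +1776,26 @@, the new Features table records "Supported" and "Supported by EAMT" in the "State in P4" column without pointing at a test, capture or commit that shows it, and the Jool SIIT row has an empty References cell followed by a blank row. Add a reference for each claim and drop the empty row. The heading was also renamed to "Comparison with existing tools (Performance, Features)", but only a "Features" subsection follows; the removed "Performance comparison" heading needs a counterpart under it.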
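Review bot: In the hunk at @@ -1838,165 +1940,196 @@, "Limitations" now carries two entries on the same topic with different claims: the new "IPv4 embedding (RFC6052, RFC4291)" says only the /96 prefix is correctly supported and the address is embedded in the last 32 bits, while the retained "IPv4 / IPv6 embedding" still says "Currently offset based - probably not following the RFC!". Merge them into one entry. Inside the new entry, "Only correctly support /96 prefix" and "However supports any prefix length >= 96" need reconciling, and since it says "Not ensuring 16 0 bits", state explicitly which addresses the switch accepts for translation. In the references, the added bullet "Related to RFC 6052, Host identifier" lands under the "RFC 1017 ICMP checksum" entry (whose URL points at rfc1071) and looks like it belongs under RFC 4291; the bare "-" under RFC 4038 and "-!" under RFC 4291 are leftover placeholders; "site wiki/mac" should read "cite".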