SixXS::Sunset 2017-06-06

aiccu behaviour in a heavily filtered IPv4 network
[no] Shadow Hawkins on Friday, 29 February 2008 09:22:36
Hello, I've been googling around for an answer to this, and even resorted to reading the FAQ :) without really finding the answer I want. I have recently started using aiccu with an ayiya tunnel on a laptop, with IPv6 connectivity everywhere I go as a goal. However, I often use a wireless network where most ports are blocked, so this did not work as well as I hoped for. I have read the FAQ and do understand that aiccu is deliberately designed to allow blocking by a local policy. So if I can't get the network adminstrators to open ports 3874/tcp and 5072/udp then my tunnel will not work. That's OK. I can live with it. But the problem I'm facing is that aiccu never tear down or disably the tunnel, even if it is blocked for a long time. This effectively creates an IPv6 blackhole. The typical situation is - aiccu is started on a net where ports 3874/tcp and 5072/udp are open and the tunnel comes up just fine - the laptop is moved to another IPv4 net where it gets a new IPv4 address - ports 3874/tcp and 5072/udp are blocked so aiccu cannot update the tunnel - aiccu keeps the tunnel interface up, using the previuosly assigned IPv4 address as local address - since the tunnel interface is up, the default IPv6 route is also there, tricking applications into believing that they have IPv6 connectivity Result: A large black hole. Would it be possible to change aiccu into detecting this situation and either completely disable the tunnel or at least remove the default route when the POP is unreacheable? This illustrates the problem. aiccu is using non-existing local ipv4 address:
obelix:/etc# netstat -ueanp |grep aiccu udp 0 0 148.122.252.2:38299 82.96.56.14:5072 ESTABLISHED0 154475 22631/aiccu obelix:/etc# ip addr 1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:0d:60:fc:aa:6b brd ff:ff:ff:ff:ff:ff 3: irda0: <NOARP> mtu 2048 qdisc noop qlen 8 link/irda 00:00:00:00 brd ff:ff:ff:ff 4: wifi0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 199 link/ieee802.11 00:05:4e:4c:77:69 brd ff:ff:ff:ff:ff:ff 5: ath0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc noqueue link/ether 00:05:4e:4c:77:69 brd ff:ff:ff:ff:ff:ff inet 148.120.245.135/22 brd 148.120.247.255 scope global ath0 inet6 fe80::205:4eff:fe4c:7769/64 scope link valid_lft forever preferred_lft forever 6: sit0: <NOARP> mtu 1480 qdisc noop link/sit 0.0.0.0 brd 0.0.0.0 11: sixxs: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1280 qdisc pfifo_fast qlen 500 link/[65534] inet6 2001:16d8:ff00:21f::2/64 scope global valid_lft forever preferred_lft forever inet6 fe80::14d8:ff00:21f:2/64 scope link valid_lft forever preferred_lft forever
This makes heartbeat fail, but aiccu does not seem to worry about the socket failure;
Feb 29 09:16:17 obelix aiccu: [AYIYA-beat] : Error (-1) while sending 44 bytes sent to network: Invalid argument (22) Feb 29 09:17:17 obelix aiccu: [AYIYA-beat] : Error (-1) while sending 44 bytes sent to network: Invalid argument (22)
I assume the failing heartbeat will properly disable the tunnel at the POP end, but I would have liked it to disable the tunnel at the local end too. Bjørn
aiccu behaviour in a heavily filtered IPv4 network
[ch] Jeroen Massar SixXS Staff on Friday, 29 February 2008 12:16:54
But the problem I'm facing is that aiccu never tear down or disably
the tunnel, even if it is blocked for a long time. This effectively
creates an IPv6 blackhole.
Correct. There currently is no 'the connectivity is really working' check builtin. This is mostly implemented in the version that is in CVS though.
- aiccu keeps the tunnel interface up, using the previuosly assigned
IPv4 address as local address
That is actually a bug on unix platforms, Windows versions don't have this issue. This one has already been fixed in CVS too. We just need to find time somewhere to finish it up and release it to the public. In it's current state that can't be done though. And time is a precious thing.
aiccu behaviour in a heavily filtered IPv4 network
[no] Shadow Hawkins on Friday, 29 February 2008 13:46:23
Thanks. Great to know that these features are being worked on. Is the CVS repository publicly available somewhere? Is cleaning it all up for a release something that others could help doing, or is it the missing part "I know why I wrote this code, I just need to document it" etc? The limited time is a well known problem, and I'd love to help if possible. I'm sure others would too. But looking at the currently available source is of course pretty useless if you've already fixed these problems in CVS. Bjorn

Please note Posting is only allowed when you are logged in.

Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker