HIPL

client-side mobility in natted environments

Bug #592200 reported by Miika Komu
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
HIPL
New
Undecided
Unassigned

Bug Description

I have fixed some problems occurring in a situation where MN is behind a NAT
box and I am switching between LAN and WLAN manually with a cable. The problem
was that the MN's IP address changes which also changes the NATted port. This
port number is visible to the CN (which is located in a public network), so the
change affected only the CN side. The bug fix is in here:

http://<email address hidden>/hipl--userspace--2.6--patch-2628?log

Notice that the patch includes one workaround which you should fix in order to
close this bug:

    /* @todo: a workaround for bug id 944 */
        ha->peer_udp_port = sinfo->src_port;

One problem with the workaround is that there may be multiple echo request and
responses flying around with different port numbers. A second problem is that
this might be prone to replay attacks.

The solution to the workaround is to avoid changing the port number of the host
association until the last minute. So, port pair should be passed around in the
update handler functions and fixed to the HA only when creating the new SA
pair.

I'll merge the change to the update branch asap.

Revision history for this message
René Hummen (rene-hummen) wrote :

What's the status of this bug? Is this still valid?

Revision history for this message
Miika Komu (miika-iki) wrote :

Yes believe it is even though sequence numbers are properly checked by hip_check_update_freshness(). The scenario is basically about somebody replaying an UPDATE with LOCATOR (and high enough SEQ number). The CN will alter it's port information when receiving the replayed UPDATE-locator packet from the MN. Thus, the CN won't be able to contact MN.

To change the status from workaround to a better bug fix, I suggest to delay storing of port information. My suggestion is to move this piece of code:

modules/update/hipd/update.c:
    /* @todo: a workaround for bug id 592200 */
    ctx->hadb_entry->peer_udp_port = ctx->msg_ports.src_port;

to two places, hip_handle_second_update_packet() and hip_handle_third_update_packet(), just before adding the SAs in hip_recreate_security_associations_and_sp().

Finally, we need in hip_handle_first_update_packet():

   /* store current hadb port as the locator can be a replay (echo response tells use for sure) */
   restore_peer_port = ctx->hadb_entry->peer_udp_port = ctx->msg_ports.src_port;
   /* use the port of the originating locator message for sending echo request */
   ctx->hadb_entry->peer_udp_port = ctx->msg_ports.src_port;

   hip_send_update_to_one_peer();

   /* restore the hadb port */
   ctx->hadb_entry->peer_udp_port = restore_peer_port;

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.