A free C++ implementation of NSIS protocols

Opened 9 years ago

Last modified 9 years ago

#103 new task

Send first Query in S=0 mode

Reported by: hiwi-laier
Owned by: bless
Priority: major
Milestone:
Component: GIST
Version:
Keywords:
Cc:

Description (last modified by bless)

This requires the ability to hand a source address to the tp modules (tp_queryencap at the very least). One possibility is r3207 of the mobility branch. Together with r3420 in NTLP and a change to https://projekte.tm.uni-karlsruhe.de/trac/NSIS/browser/ntlp/branches/20080714-mobility/src/ntlp_statemodule_querier.cpp?rev=3420#L161 that should read


this would provide the necessary infrastructure. The only thing missing is a way to send a packet with a spoofed source address. This might either require a RAW socket or firewall injection of some kind. Currently this will fail with EINVAL from the UDP-socket.

In summary, only the first one or two GIST Queries should be sent using S=0; retransmissions must use S=1 in order to allow for legacy NAT detection.

GIST Draft statements for S Flag usage:

   Source addressing mode:  If set (S=1), this indicates that the IP
      source address of the message is the same as the IP address of the
      signalling peer, so replies to this message can be sent safely to
      this address.  S is always set in C-mode.  It is cleared (S=0) if
      the IP source address was derived from the message routing
      information in the payload and this is different from the
      signalling source address.
  o  By default, the source address is the flow source address, again
      from the MRI; therefore, the source addressing mode flag in the
      common header S=0. 
   For the case of the Querying node on the internal side of the NAT, if
   the S flag is not set in the Query (S=0), a legacy NAT cannot be
   detected.  The receiver will generate a normal Response to the
   interface-address given in the NLI in the Query, but the interface-
   address will not be routable and the Response will not be delivered.
   If retransmitted Queries keep S=0, this behaviour will persist until
   the Querying node times out.  The signalling path will thus terminate
   at this point, not traversing the NAT.

   The situation changes once S=1 in a Query; note the Q-mode
   encapsulation rules recommend that S=1 is used at least for some
   retransmissions (see Section 5.8).  If S=1, the receiver MUST check
   the source address in the IP header against the interface-address in
   the NLI, and if these addresses do not match this indicates that a
   legacy NAT has been found. 
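
The S-flag policy from this ticket and the receiver check from the quoted draft text, as an added example that is not part of the ticket or of the NSIS code base. All names (`plan_query`, `check_query`, `NatCheck`) and all addresses are constructed for illustration; the code only decides flags and compares addresses, it sends nothing.

```cpp
// Added example: hypothetical names and constructed addresses, not NSIS project code.
#include <arpa/inet.h>
#include <array>
#include <cstdio>
#include <initializer_list>
#include <string>

struct Addr {
    int family;
    std::array<unsigned char, 16> bytes;
    Addr() : family(0) { bytes.fill(0); }
    bool operator==(const Addr& o) const { return family == o.family && bytes == o.bytes; }
};

// Parse to binary so that "::1" and "0:0:0:0:0:0:0:1" compare equal.
bool parse_addr(const std::string& s, Addr& out) {
    out = Addr();
    for (int fam : {AF_INET, AF_INET6})
        if (inet_pton(fam, s.c_str(), out.bytes.data()) == 1) { out.family = fam; return true; }
    return false;
}

struct QueryPlan { bool s_flag; std::string ip_source; };
// attempt 0 is the initial Query; the first s0_attempts transmissions use S=0
// (the ticket asks for one or two), every later retransmission uses S=1.
QueryPlan plan_query(unsigned attempt, unsigned s0_attempts,
                     const std::string& flow_source, const std::string& own_addr) {
    if (attempt < s0_attempts) return QueryPlan{false, flow_source}; // source taken from the MRI
    return QueryPlan{true, own_addr};                                // signalling peer's own address
}

enum class NatCheck { NotCheckable, NoNat, LegacyNat, BadAddress };
// Receiver side: with S=1 the IP header source must equal the NLI interface-address.
NatCheck check_query(bool s_flag, const std::string& ip_src, const std::string& nli_iface) {
    if (!s_flag) return NatCheck::NotCheckable; // S=0: IP source is the flow source, no comparison
    Addr src, nli;
    if (!parse_addr(ip_src, src) || !parse_addr(nli_iface, nli)) return NatCheck::BadAddress;
    return src == nli ? NatCheck::NoNat : NatCheck::LegacyNat;
}

int main() {
    // Constructed scenario: querier behind a legacy NAT, so S=1 Queries arrive from nat_pub.
    const std::string flow = "198.51.100.10", own = "192.168.1.2", nat_pub = "203.0.113.7";
    for (unsigned attempt = 0; attempt < 4; ++attempt) {
        QueryPlan p = plan_query(attempt, 2, flow, own);
        NatCheck r = check_query(p.s_flag, p.s_flag ? nat_pub : p.ip_source, own);
        std::printf("attempt %u: S=%d result=%d\n", attempt, p.s_flag ? 1 : 0, static_cast<int>(r));
    }
}
```

With two S=0 attempts the receiver cannot check the first two Queries; the third, sent with S=1 through the NAT, is the first one that yields `LegacyNat`.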

Change History (1)

comment:1 Changed 9 years ago by bless

  • Description modified (diff)
  • Summary changed from Allow Querys in S=0 mode to Send first Query in S=0 mode
  • Type changed from defect to task