Opened 2 years ago

#21863 new defect

WAN-LAN traffic with ports outside the MAP-T range is not dropped

Reported by: naresh@… Owned by: developers
Priority: normal Milestone: Designated Driver (Trunk)
Component: packages Version: Chaos Calmer 15.05
Keywords: Cc: cyrus@…

Description

As per RFC7599 (https://tools.ietf.org/html/rfc7599), section 8.2 (IPv6 to IPv4 at the CE), a MAP-T CE should drop IPv6 -> IPv4 traffic with ports outside the MAP-T range. PFB the snippet from RFC7599:

"The CE MUST check that each MAP-T received packet's transport-layer destination port number is in the range allowed for by the CE's MAP BMR configuration. The CE MUST silently drop any nonconforming packet and increment an appropriate counter. "

AP is not conforming to that statement and instead processes the packets.

Topo:
LAN Host (windows PC) <---> (eth1) DUT (eth0) <----> (eth1) WAN host (Linux PC)

Config:
root@OpenWrt:/# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config interface 'lan'
option ifname 'eth1'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'

config interface 'wan'
option ifname 'eth0'
option proto 'static'
option ip6addr 7778::2/64
option ip6gw 7778::1
option ip6prefix 7778:0:0:1e0::/60

config interface 'wan6_map'
option proto map
option type map-t
option tunlink wan
option ip6prefix 7778:: # BMR IPv6 prefix
option ip6prefixlen 48 # BMR IPv6 prefix len
option ipaddr 78.78.78.0 # BMR IPv4 prefix
option ip4prefixlen 24 # BMR IPv4 prefix len
option peeraddr 7777:0:0:1e0::/64 # DMR
option ealen 12
option psidlen 4
option offset 4

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option ports '6 1 2 3 4'

config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0 5'
root@OpenWrt:/# cat /etc/config/firewall
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
option disable_ipv6 1

config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT

config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1

config forwarding
option src lan
option dest wan

config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4

config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT

config rule
option name Allow-DHCPv6
option src wan
option proto udp
option src_ip fe80::/10
option src_port 547
option dest_ip fe80::/10
option dest_port 546
option family ipv6
option target ACCEPT

config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT

config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT

config include
option path /etc/firewall.user

config redirect
option src wan
option dest lan
option dest_ip 192.168.1.111
option dest_port 1111
option proto tcp

Details:

  • Our portid from prefix 7778:0:0:1e0::/60 is "e" with offset 4, so the port ranges allowed are 7680-7935, 11776-12031 etc. Port 1111 is outside the range, and hence if we send traffic from the WAN side with destination port 1111 it should be dropped by the MAP-T module. Instead, the map-t module processed the packets and sent them to the LAN side host, violating the RFC. For the reverse direction, since the port number is outside the range, the packets were sent with a different portid (4, which maps to 1111). PFB the packet capture on the WAN host:
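The port-set arithmetic behind the ranges quoted above, as an added example that is not code from this ticket or from OpenWrt's MAP implementation: it applies the RFC 7597 port-mapping algorithm (A | PSID | M bits) with the BMR values from the wan6_map stanza (PSID 0xe, offset 4, psidlen 4) and then performs the RFC 7599 section 8.2 check that the ticket says the CE skips. The packet list is constructed for illustration; the dropped-packet count stands in for the "appropriate counter" the RFC asks the CE to increment.

```python
# Added example (not from the ticket or from OpenWrt's map/nat46 code):
# RFC 7597 port-set computation and the RFC 7599 8.2 inbound port check.

def map_port_set(psid, psid_offset, psid_len):
    """Return the list of (lo, hi) port ranges allocated to `psid`.

    RFC 7597 section 5.1: a port is A | PSID | M, where A is the top
    `psid_offset` bits (A = 0 is excluded, which keeps ports 0-4095 out of
    every port set when psid_offset = 4), PSID is the next `psid_len` bits
    and M fills the remaining 16 - psid_offset - psid_len bits.
    """
    m_bits = 16 - psid_offset - psid_len
    if m_bits < 0 or psid >= (1 << psid_len):
        raise ValueError("inconsistent PSID parameters")
    ranges = []
    a_start = 1 if psid_offset > 0 else 0
    for a in range(a_start, 1 << psid_offset):
        lo = (a << (16 - psid_offset)) | (psid << m_bits)
        hi = lo | ((1 << m_bits) - 1)
        ranges.append((lo, hi))
    return ranges


def psid_of_port(port, psid_offset, psid_len):
    """Extract the PSID bits embedded in a 16-bit port number."""
    m_bits = 16 - psid_offset - psid_len
    return (port >> m_bits) & ((1 << psid_len) - 1)


def port_in_psid_set(port, psid, psid_offset, psid_len):
    """RFC 7599 section 8.2 check: True if the CE may accept this port."""
    if psid_offset > 0 and (port >> (16 - psid_offset)) == 0:
        return False  # A == 0: the excluded range (ports 0-4095 here)
    return psid_of_port(port, psid_offset, psid_len) == psid


# Values from the ticket's wan6_map stanza: psidlen 4, offset 4, PSID "e".
PSID, OFFSET, PSIDLEN = 0xe, 4, 4

# Constructed sample of inbound IPv6->IPv4 packets as (src_port, dst_port);
# dst port 1111 is the ticket's test case, 7700 and 11800 are inside the set.
SAMPLE_PACKETS = [(57762, 1111), (57762, 7700), (40000, 11800), (40000, 4095)]


def filter_inbound(packets, psid=PSID, offset=OFFSET, psid_len=PSIDLEN):
    """Split packets into (accepted, dropped) as a conforming CE should."""
    accepted, dropped = [], []
    for pkt in packets:
        if port_in_psid_set(pkt[1], psid, offset, psid_len):
            accepted.append(pkt)
        else:
            dropped.append(pkt)
    return accepted, dropped


if __name__ == "__main__":
    for lo, hi in map_port_set(PSID, OFFSET, PSIDLEN)[:3]:
        print(f"allowed {lo}-{hi}")
    print("PSID carried by port 1111:", psid_of_port(1111, OFFSET, PSIDLEN))
    acc, drp = filter_inbound(SAMPLE_PACKETS)
    print("accepted:", acc)
    print("dropped:", drp, "-> nonconforming counter =", len(drp))
```

Running it lists 7680-7935, 11776-12031 and 15872-16127 as the first three allowed ranges, reports that port 1111 carries PSID 4 (the value seen in the reply address in the capture) and drops the two packets whose destination port falls outside PSID 0xe's set.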

root@checstlc0015975-lin:~# tcpdump -i eth1 -n port 1111
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
00:52:00.566746 IP6 7777::1e0:4e:4e4e:200:0.57762 > 7778::1e0:0:4e4e:4e01:e.1111: Flags [S], seq 331599945, win 14400, options [mss 1440,sackOK,TS val 24217489 ecr 0,nop,wscale 7], length 0
00:52:00.568302 IP6 7778::140:0:4e4e:4e01:4.1111 > 7777::1e0:4e:4e4e:200:0.57762: Flags [R.], seq 0, ack 331599946, win 0, length 0
00:52:01.566049 IP6 7777::1e0:4e:4e4e:200:0.57762 > 7778::1e0:0:4e4e:4e01:e.1111: Flags [S], seq 331599945, win 14400, options [mss 1440,sackOK,TS val 24217739 ecr 0,nop,wscale 7], length 0
00:52:01.567396 IP6 7778::140:0:4e4e:4e01:4.1111 > 7777::1e0:4e:4e4e:200:0.57762: Flags [R.], seq 0, ack 1, win 0, length 0
00:52:03.570085 IP6 7777::1e0:4e:4e4e:200:0.57762 > 7778::1e0:0:4e4e:4e01:e.1111: Flags [S], seq 331599945, win 14400, options [mss 1440,sackOK,TS val 24218240 ecr 0,nop,wscale 7], length 0
00:52:03.571607 IP6 7778::140:0:4e4e:4e01:4.1111 > 7777::1e0:4e:4e4e:200:0.57762: Flags [R.], seq 0, ack 1, win 0, length 0
00:52:07.578089 IP6 7777::1e0:4e:4e4e:200:0.57762 > 7778::1e0:0:4e4e:4e01:e.1111: Flags [S], seq 331599945, win 14400, options [mss 1440,sackOK,TS val 24219242 ecr 0,nop,wscale 7], length 0
00:52:07.579373 IP6 7778::140:0:4e4e:4e01:4.1111 > 7777::1e0:4e:4e4e:200:0.57762: Flags [R.], seq 0, ack 1, win 0, length 0

The command used to generate the packets on the WAN side host is:
root@checstlc0015975-lin:~# iperf3 -c 7778::1e0:0:4e4e:4e01:e -6 -B 7777::1e0:4e:4e4e:200:0 -p 1111
iperf3: error - unable to connect to server: Connection timed out

Config @ WAN side PC:
root@checstlc0015975-lin:~# ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:50:b6:15:3b:f4
inet6 addr: fe80::250:b6ff:fe15:3bf4/64 Scope:Link
inet6 addr: 7778::1/64 Scope:Global
inet6 addr: 7777::1e0:4e:4e4e:200:0/128 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:16403191 errors:0 dropped:15 overruns:0 frame:0
TX packets:8226737 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:24448292562 (22.7 GiB) TX bytes:957504949 (913.1 MiB)
