From: Vasily Postnicov
Date: Thu, 4 Feb 2021 10:47:18 +0300
Subject: Re: new in-kernel wireguard and IPv6 endpoint
To: Marek Zarychta
Cc: freebsd-net@freebsd.org

Maybe. I have nothing to suggest, sorry. I never used IPv6 in real life.

Thu, 4 Feb 2021, 10:44 Marek Zarychta:

> On 04.02.2021 at 05:25, Vasily Postnicov wrote:
> > If the endpoint does not use the same WireGuard implementation from
> > FreeBSD, try to cherry-pick this commit first and then rebuild and
> > reinstall the kernel.
> >
> > https://cgit.freebsd.org/src/commit/?id=5aaea4b99e5cc724e97e24a68876e8768d3d8012
>
> Thank you for the reply, Vasily. Indeed, the second endpoint uses the Go
> implementation from ports (net/wireguard-go) and this version has been
> capable of utilizing IPv6 endpoints for the tunnels for a while (almost
> from the very beginning of the existence of the port). Thank you for the
> clue with cherry-picking the commit above, but my latest tests were done
> yesterday on 14-CURRENT, already after this fix was committed.
>
> The only thing I modified was touching the code in line 590 of file
> sys/dev/if_wg/module/module.c which is validating the endpoint length
> size. It always appeared to be 28 for IPv6 endpoints and 16 for legacy IP
> endpoints. Without this ugly hack, IPv6 endpoints were not accepted at
> all, but the code itself suggested that such an endpoint should be parsed
> if supplied in the correct form, i.e.: [IPv6_address]:port.
>
> Perhaps the endpoint length is not correctly calculated for IPv6 sockets,
> or there is an overflow which happens there?
>
> > Wed, 3 Feb 2021, 23:13 Marek Zarychta:
> >
> >> On 21.01.2021 at 20:03, Marek Zarychta wrote:
> >> > Dear subscribers,
> >> >
> >> > please let me know if it is possible to use an IPv6-addressed endpoint
> >> > for the tunnel? I have tried to specify the address enclosed in []
> >> > followed by the port number, for example: [2001:db8:0:1::1]:54333,
> >> > have tried without it: 2001:db8:0:1::1:54333. I have also tried to
> >> > specify it with prefix length, like this one:
> >> > [2001:db8:0:1::1]/128:54333, but neither works.
> >> >
> >> > I got only some errors:
> >> >
> >> > matchaddr failed
> >> > peer not found - dropping 0xfffff802099b6700
> >> > wg0: wg_peer_add bad length for endpoint 28
> >> >
> >> > Is it possible to utilize an IPv6 address as an endpoint for the
> >> > tunnel with this implementation?
> >> >
> >> There was not much feedback on the mailing list, so I changed the code a
> >> bit to not validate endpoint length so strictly and check if an IPv6
> >> address as endpoint is supported. This resulted in a partial success.
> >> The handshake over IPv6 looks like it is established from the endpoint
> >> (as it's reported by the "wg show" command), but the tunnel is neither
> >> capable of carrying any data nor are keepalives sent.
> >>
> >> Here is the handshake as sniffed on the endpoint:
> >>
> >> 00:00:00.000000 IP6 (hlim 57, next-header UDP (17) payload length: 156) 2001:db8:d47::c:100d.12345 > 2001:db8::b.55667: [udp sum ok] UDP, length 148
> >> 00:00:00.002860 IP6 (hlim 64, next-header UDP (17) payload length: 100) 2001:db8::b.55667 > 2001:db8:d47::c:100d.12345: [bad udp cksum 0x6f50 -> 0x62b4!] UDP, length 92
> >> 00:00:00.000892 IP6 (hlim 57, next-header UDP (17) payload length: 120) 2001:db8:d47::c:100d.12345 > 2001:db8::b.55667: [udp sum ok] UDP, length 112
> >>
> >> Perhaps the incompatibility with IPv6 should be mentioned at least in
> >> the just added wg(4) manual page [1]?
> >>
> >> [1] https://cgit.freebsd.org/src/commit/?id=e59d9cb41284
> >>
> -- 
> Marek Zarychta
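The check the thread circles around, written here as an added example for this page and not FreeBSD's if_wg code: an endpoint length test that accepts both sockaddr sizes (16 for IPv4, 28 for IPv6) rather than a single hard-coded value, next to an assumed helper that parses the [IPv6_address]:port form Marek tried and rejects the two other forms. The names wg_endpoint_validate and wg_endpoint_parse are assumptions, and the helper does not set the BSD-only sa_len field.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Added example, not FreeBSD's if_wg code: accept an endpoint only when family
 * and length agree, 16 bytes (struct sockaddr_in) for IPv4 or 28 bytes
 * (struct sockaddr_in6) for IPv6, the two sizes seen in the thread. 0 = valid. */
int wg_endpoint_validate(const struct sockaddr *sa, size_t len)
{
	if (sa == NULL || len < sizeof(struct sockaddr))
		return -1;		/* too short to even carry a family */
	size_t want = sa->sa_family == AF_INET ? sizeof(struct sockaddr_in)
	    : sa->sa_family == AF_INET6 ? sizeof(struct sockaddr_in6) : 0;
	return want != 0 && len == want ? 0 : -1;	/* unknown family: rejected */
}

/* Assumed helper: parse "[v6addr]:port" or "v4addr:port" into ss and return
 * the sockaddr length (16 or 28), or 0 for anything malformed. */
size_t wg_endpoint_parse(const char *text, struct sockaddr_storage *ss)
{
	struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)ss;
	struct sockaddr_in *s4 = (struct sockaddr_in *)ss;
	char host[INET6_ADDRSTRLEN], *end;
	int v6 = text[0] == '[';
	const char *p;
	size_t n;
	if (v6) {	/* bracketed form: address ends at ']', port follows ':' */
		p = strchr(++text, ']');
		if (p == NULL || p[1] != ':')
			return 0;
		n = (size_t)(p - text), p += 2;
	} else {	/* IPv4 form: exactly one ':' (a bare "v6addr:port" is ambiguous) */
		p = strrchr(text, ':');
		if (p == NULL || strchr(text, ':') != p)
			return 0;
		n = (size_t)(p++ - text);
	}
	unsigned long port = strtoul(p, &end, 10);
	if (n == 0 || n >= sizeof(host) || *p == '\0' || *end != '\0' || port == 0 || port > 65535)
		return 0;
	memcpy(host, text, n), host[n] = '\0';
	memset(ss, 0, sizeof(*ss));
	if (inet_pton(v6 ? AF_INET6 : AF_INET, host, v6 ? (void *)&s6->sin6_addr : (void *)&s4->sin_addr) != 1)
		return 0;
	ss->ss_family = v6 ? AF_INET6 : AF_INET;
	if (v6) s6->sin6_port = htons((unsigned short)port); else s4->sin_port = htons((unsigned short)port);
	return v6 ? sizeof(*s6) : sizeof(*s4);
}
```

Feeding the length returned by wg_endpoint_parse into wg_endpoint_validate is the whole check; a validator that compares against one fixed size is what produces "bad length for endpoint 28" for every IPv6 peer.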