From nobody Fri Jul 8 12:10:06 2022 X-Original-To: bugs@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id EB37E17FFD40 for ; Fri, 8 Jul 2022 12:10:06 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4LfXCf4ym6z3R2m for ; Fri, 8 Jul 2022 12:10:06 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4LfXCf3wZCz1LJ2 for ; Fri, 8 Jul 2022 12:10:06 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 268CA632042477 for ; Fri, 8 Jul 2022 12:10:06 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 268CA6gZ042476 for bugs@FreeBSD.org; Fri, 8 Jul 2022 12:10:06 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 265089] Connection errors with IPv6 source address validation Date: Fri, 08 Jul 2022 12:10:06 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: CURRENT X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: frank@pinky.sax.de X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: bugs@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Bug reports List-Archive: https://lists.freebsd.org/archives/freebsd-bugs List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-bugs@freebsd.org MIME-Version: 1.0 ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1657282206; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=KmonnxEuPuW/QDVmTcnqbIT+RDNrayV8saRUXDdtq+0=; b=N+2w7RjH2090i+2PIO5qVxxpIRqDDCvgXVh5ZNAKvM6rR7SZczpzCsdbEgkrIhil9INoNn /fzoei8susStjDJDv+8vaPTMmr5lXMy12tJsTpwvXu2mdWCl6uLcMCmseCv6an+x0GyL5I eZGoLAFmreQF+lmfX+xO6UEur2mzcFZoec0nS2GSW7fZbHeqOuNmxEhHVF8M4rduDE0g22 JuWo9gbNghI+ZmTLYcWd2pAPkGJfivuH+7373tp9y5S/vYjImZAlEZkrE4FINdNh5fLgZ9 djos+SWQH+RTGA7mEExnOL/g+0HrzCBMe7oCrUmZeuY1N20nOiB611po0YouEQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1657282206; a=rsa-sha256; cv=none; b=DSKCCFRWfbbBnAFe77To7gN8rZdb5cIJ36MGrt+V6qw5VQ2LVprICRse9o2GKyqSxsdXk7 5h/X+wjPHJCs1CwObCPUrPzTyPkj8URAnQP+clIH/THzYhhiOodQaX58a/hYFKchbBEpbk H750qS8evN03ZwY7KiQA2iM0dI/KXXIiivf+p7U0xpRmEivDiMkvMHMjWYZWG/ClD+CXiN 1gwNcp40n8XaJW6kx4iWF2OGbnGkHXzDCPNuIaxcCq2KhwRYulewRJt4ouH+rUlF4WqzYk HGDtTCzGT4hGRLWBAixyoPXIAq9baV0DgMFrgFK/FgJRkq0fKw/WkS8B+AOU/g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D265089 Bug ID: 265089 Summary: Connection errors with IPv6 source address validation Product: Base System Version: CURRENT Hardware: amd64 OS: Any Status: New Severity: Affects Only Me Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: frank@pinky.sax.de With a current kernel I get connection errors (UDP and TCP) on some destina= tion address using IPv6. After a longer bisect session I determined commit=20 https://cgit.freebsd.org/src/commit/sys/netinet6?id=3D1817be481b8703ae86730= b151a6f49cc3022930f as possible reason. On my server the address 2a01:170:1023::1:1 is assigned to a bridge and a bind(named) listens on that address. With IPv6 source address validation switched on, the is no local UDP connection possible and the TCP connection needs several seconds for connection setup due to repeated packets. # sysctl net.inet6.ip6.source_address_validation=3D1 net.inet6.ip6.source_address_validation: 1 -> 1 # dig +tcp www.freebsd.org @2a01:170:1023::1:1 ... # tcpdump -nv -l -s0 -ttt -i lo0 port 53 and host 2a01:170:1023::1:1 tcpdump: listening on lo0, link-type NULL (BSD loopback), capture size 2621= 44 bytes 00:00:00.000000 IP6 (flowlabel 0x0954e, hlim 64, next-header TCP (6) paylo= ad length: 40) 2a01:170:1023::1:1.45851 > 2a01:170:1023::1:1.53: Flags [S], ck= sum 0x775a (incorrect -> 0x1ea5), seq 361203126, win 65535, options [mss 1220,nop,wscale 6,sackOK,TS val 1282807836 ecr 0], length 0 00:00:01.007286 IP6 (flowlabel 0x0954e, hlim 64, next-header TCP (6) paylo= ad length: 40) 2a01:170:1023::1:1.45851 > 2a01:170:1023::1:1.53: Flags [S], ck= sum 0x775a (incorrect -> 0x1ab5), seq 361203126, win 65535, options [mss 1220,nop,wscale 6,sackOK,TS val 1282808844 ecr 0], length 0 00:00:02.198040 IP6 (flowlabel 0x0954e, hlim 64, next-header TCP (6) paylo= ad length: 40) 2a01:170:1023::1:1.45851 > 2a01:170:1023::1:1.53: Flags [S], ck= sum 0x775a (incorrect -> 0x121f), seq 361203126, win 65535, options [mss 1220,nop,wscale 6,sackOK,TS val 1282811042 ecr 0], length 0 00:00:00.000036 IP6 (flowlabel 0xf1abb, hlim 64, next-header TCP (6) paylo= ad length: 40) 2a01:170:1023::1:1.53 > 2a01:170:1023::1:1.45851: Flags [S.], c= ksum 0x775a (incorrect -> 0x07de), seq 3974044347, ack 361203127, win 65535, opt= ions [mss 1220,nop,wscale 6,sackOK,TS val 339537496 ecr 1282811042], length 0 00:00:00.000023 IP6 (flowlabel 0x0954e, hlim 64, next-header TCP (6) paylo= ad length: 32) 2a01:170:1023::1:1.45851 > 2a01:170:1023::1:1.53: Flags [.], ck= sum 0x7752 (incorrect -> 0x31b3), ack 1, win 1030, options [nop,nop,TS val 1282811042 ecr 339537496], length 0 00:00:00.000212 IP6 (flowlabel 0x0954e, hlim 64, next-header TCP (6) paylo= ad length: 90) 2a01:170:1023::1:1.45851 > 2a01:170:1023::1:1.53: Flags [P.], c= ksum 0x778c (incorrect -> 0x83c0), seq 1:59, ack 1, win 1030, options [nop,nop,TS val 1282811042 ecr 339537496], length 58 19397+ [1au] A? www.freebsd.org. (= 56) 00:00:00.040982 IP6 (flowlabel 0xf1abb, hlim 64, next-header TCP (6) paylo= ad length: 32) 2a01:170:1023::1:1.53 > 2a01:170:1023::1:1.45851: Flags [.], ck= sum 0x7752 (incorrect -> 0x3150), ack 59, win 1030, options [nop,nop,TS val 339537537 ecr 1282811042], length 0 00:00:00.011714 IP6 (flowlabel 0xf1abb, hlim 64, next-header TCP (6) paylo= ad length: 156) 2a01:170:1023::1:1.53 > 2a01:170:1023::1:1.45851: Flags [P.], cksum 0x77ce (incorrect -> 0xd425), seq 1:125, ack 59, win 1030, options [nop,nop,TS val 339537546 ecr 1282811042], length 124 19397$ 2/0/1 www.freebsd.org. CNAME wfe2.nyi.freebsd.org., wfe2.nyi.freebsd.org. A 96.47.72.95 (122) 00:00:00.180334 IP6 (flowlabel 0x0954e, hlim 64, next-header TCP (6) paylo= ad length: 90) 2a01:170:1023::1:1.45851 > 2a01:170:1023::1:1.53: Flags [P.], c= ksum 0x778c (incorrect -> 0x82d7), seq 1:59, ack 1, win 1030, options [nop,nop,TS val 1282811275 ecr 339537496], length 58 19397+ [1au] A? www.freebsd.org. (= 56) 00:00:00.048581 IP6 (flowlabel 0xf1abb, hlim 64, next-header TCP (6) paylo= ad length: 168) 2a01:170:1023::1:1.53 > 2a01:170:1023::1:1.45851: Flags [P.], cksum 0x77da (incorrect -> 0x6586), seq 1:125, ack 59, win 1030, options [nop,nop,TS val 339537778 ecr 1282811275,nop,nop,sack 1 {1:59}], length 124 19397$ 2/0/1 www.freebsd.org. CNAME wfe2.nyi.freebsd.org., wfe2.nyi.freebsd.org. A 96.47.72.95 (122) 00:00:00.001475 IP6 (flowlabel 0x0954e, hlim 64, next-header TCP (6) paylo= ad length: 32) 2a01:170:1023::1:1.45851 > 2a01:170:1023::1:1.53: Flags [F.], c= ksum 0x7752 (incorrect -> 0x2ec8), seq 59, ack 125, win 1030, options [nop,nop,TS val 1282811324 ecr 339537778], length 0 00:00:00.000026 IP6 (flowlabel 0xf1abb, hlim 64, next-header TCP (6) paylo= ad length: 32) 2a01:170:1023::1:1.53 > 2a01:170:1023::1:1.45851: Flags [.], ck= sum 0x7752 (incorrect -> 0x2ec8), ack 60, win 1030, options [nop,nop,TS val 339537778 ecr 1282811324], length 0 00:00:00.000064 IP6 (flowlabel 0xf1abb, hlim 64, next-header TCP (6) paylo= ad length: 32) 2a01:170:1023::1:1.53 > 2a01:170:1023::1:1.45851: Flags [F.], c= ksum 0x7752 (incorrect -> 0x2ec7), seq 125, ack 60, win 1030, options [nop,nop,TS val 339537778 ecr 1282811324], length 0 00:00:00.000018 IP6 (flowlabel 0x0954e, hlim 64, next-header TCP (6) paylo= ad length: 32) 2a01:170:1023::1:1.45851 > 2a01:170:1023::1:1.53: Flags [.], ck= sum 0x7752 (incorrect -> 0x2ec8), ack 126, win 1029, options [nop,nop,TS val 1282811324 ecr 339537778], length 0 # route -vn6 get 2a01:170:1023::1:1 RTA_DST: inet6 2a01:170:1023::1:1; RTA_IFP: link ; RTM_GET: Report Metrics:= len 240, pid: 0, seq 1, errno 0, flags: locks: inits: sockaddrs: 2a01:170:1023::1:1 link#0 route to: 2a01:170:1023::1:1 destination: 2a01:170:1023::1:1 fib: 0 interface: lo0 flags: recvpipe sendpipe ssthresh rtt,msec mtu weight expire 0 0 0 0 16384 1 0 locks: inits: sockaddrs: 2a01:170:1023::1:1 link#4 lo0 ::1 # ifconfig bridge0 bridge0: flags=3D8843 metric 0 mtu = 1500 ... inet6 2a01:170:1023::1:1 prefixlen 64 # ifconfig lo0 lo0: flags=3D8049 metric 0 mtu 16384 options=3D680003 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 inet 127.0.0.1 netmask 0xff000000 groups: lo nd6 options=3D21 Without IPv6 sources address validation everything works as expected: # sysctl net.inet6.ip6.source_address_validation=3D0 net.inet6.ip6.source_address_validation: 1 -> 0 # dig +tcp www.freebsd.org @2a01:170:1023::1:1 ... # tcpdump -nv -l -s0 -ttt -i lo0 port 53 and host 2a01:170:1023::1:1 tcpdump: listening on lo0, link-type NULL (BSD loopback), capture size 2621= 44 bytes 00:00:00.000000 IP6 (flowlabel 0xec843, hlim 64, next-header TCP (6) paylo= ad length: 40) 2a01:170:1023::1:1.22949 > 2a01:170:1023::1:1.53: Flags [S], ck= sum 0x775a (incorrect -> 0x1b12), seq 180291145, win 65535, options [mss 1220,nop,wscale 6,sackOK,TS val 414004004 ecr 0], length 0 00:00:00.000040 IP6 (flowlabel 0xa7579, hlim 64, next-header TCP (6) paylo= ad length: 40) 2a01:170:1023::1:1.53 > 2a01:170:1023::1:1.22949: Flags [S.], c= ksum 0x775a (incorrect -> 0x7d2e), seq 774534521, ack 180291146, win 65535, opti= ons [mss 1220,nop,wscale 6,sackOK,TS val 4249746656 ecr 414004004], length 0 00:00:00.000021 IP6 (flowlabel 0xec843, hlim 64, next-header TCP (6) paylo= ad length: 32) 2a01:170:1023::1:1.22949 > 2a01:170:1023::1:1.53: Flags [.], ck= sum 0x7752 (incorrect -> 0xa703), ack 1, win 1030, options [nop,nop,TS val 414004004 ecr 4249746656], length 0 00:00:00.000116 IP6 (flowlabel 0xec843, hlim 64, next-header TCP (6) paylo= ad length: 90) 2a01:170:1023::1:1.22949 > 2a01:170:1023::1:1.53: Flags [P.], c= ksum 0x778c (incorrect -> 0x2098), seq 1:59, ack 1, win 1030, options [nop,nop,TS val 414004004 ecr 4249746656], length 58 40814+ [1au] A? www.freebsd.org. (= 56) 00:00:00.036556 IP6 (flowlabel 0xa7579, hlim 64, next-header TCP (6) paylo= ad length: 32) 2a01:170:1023::1:1.53 > 2a01:170:1023::1:1.22949: Flags [.], ck= sum 0x7752 (incorrect -> 0xa69f), ack 59, win 1030, options [nop,nop,TS val 4249746698 ecr 414004004], length 0 00:00:00.007160 IP6 (flowlabel 0xa7579, hlim 64, next-header TCP (6) paylo= ad length: 156) 2a01:170:1023::1:1.53 > 2a01:170:1023::1:1.22949: Flags [P.], cksum 0x77ce (incorrect -> 0x3ec0), seq 1:125, ack 59, win 1030, options [nop,nop,TS val 4249746704 ecr 414004004], length 124 40814$ 2/0/1 www.freebsd.org. CNAME wfe2.nyi.freebsd.org., wfe2.nyi.freebsd.org. A 96.47.72.95 (122) 00:00:00.001365 IP6 (flowlabel 0xec843, hlim 64, next-header TCP (6) paylo= ad length: 32) 2a01:170:1023::1:1.22949 > 2a01:170:1023::1:1.53: Flags [F.], c= ksum 0x7752 (incorrect -> 0xa5ec), seq 59, ack 125, win 1030, options [nop,nop,TS val 414004052 ecr 4249746704], length 0 00:00:00.000024 IP6 (flowlabel 0xa7579, hlim 64, next-header TCP (6) paylo= ad length: 32) 2a01:170:1023::1:1.53 > 2a01:170:1023::1:1.22949: Flags [.], ck= sum 0x7752 (incorrect -> 0xa5ec), ack 60, win 1030, options [nop,nop,TS val 4249746704 ecr 414004052], length 0 00:00:00.000060 IP6 (flowlabel 0xa7579, hlim 64, next-header TCP (6) paylo= ad length: 32) 2a01:170:1023::1:1.53 > 2a01:170:1023::1:1.22949: Flags [F.], c= ksum 0x7752 (incorrect -> 0xa5eb), seq 125, ack 60, win 1030, options [nop,nop,TS val 4249746704 ecr 414004052], length 0 00:00:00.000017 IP6 (flowlabel 0xec843, hlim 64, next-header TCP (6) paylo= ad length: 32) 2a01:170:1023::1:1.22949 > 2a01:170:1023::1:1.53: Flags [.], ck= sum 0x7752 (incorrect -> 0xa5ec), ack 126, win 1029, options [nop,nop,TS val 414004052 ecr 4249746704], length 0 --=20 You are receiving this mail because: You are the assignee for the bug.=