IETF Logo Mail Archive

[v6ops] Re: CLAT-in-libc and possible interactions with draft-ietf-v6ops-claton?

Brian Candler <brian@nsrc.org> Sun, 28 July 2024 09:45 UTC

Return-Path: <brian@nsrc.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4629FC14CEFE for <v6ops@ietfa.amsl.com>; Sun, 28 Jul 2024 02:45:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nsrc.org header.b="dxYg5qs/"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="omb9XaRP"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f30_I9tzIpje for <v6ops@ietfa.amsl.com>; Sun, 28 Jul 2024 02:45:15 -0700 (PDT)
Received: from fout1-smtp.messagingengine.com (fout1-smtp.messagingengine.com [103.168.172.144]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4708C14F75F for <v6ops@ietf.org>; Sun, 28 Jul 2024 02:45:15 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailfout.nyi.internal (Postfix) with ESMTP id 902B21380533; Sun, 28 Jul 2024 05:45:14 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute3.internal (MEProxy); Sun, 28 Jul 2024 05:45:14 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nsrc.org; h=cc :content-transfer-encoding:content-type:content-type:date:date :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to; s=fm3; t=1722159914; x=1722246314; bh=APe5P4Ni2Qp0rBvrfFMVrQ5i8wfTtTwIYWr1nYXXxaI=; b= dxYg5qs/ehiMA0xhdHBuzWtx2tsRav5DZ+1cMJvBV7Ryp/gU1qir+uw0rdV3AhgH iRpkLSQtqNs4RzOBGC0BySs9ttGgvGB2jG8k24IvBZ/rm1qB7Q7hDGiyev+ZA8SV kQBiOINoml+BkMhWxNAxtuaj2AGlN4DU6jPF7Wihs2LDXWlVa8tQCo6aLmiSjFPs 60h7WTIx4/EUMLlFeko0+SQdU20Mn1Mur2Yx8XNjLZ4mmMpwsyUKLGLllZveFZfw /KgiCulI4+Kd+AlOOnZW8ZG1ADa+fQsg7Gx8Ld6QCJD0rxTMMzik2Do5YYaEaC9E lSN9Q504w8s7CpeofczcVQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1722159914; x= 1722246314; bh=APe5P4Ni2Qp0rBvrfFMVrQ5i8wfTtTwIYWr1nYXXxaI=; b=o mb9XaRP8lC8iZUdEwLKVL8v1DGilD2JZwrH6SHodw3BhhDgqzOY1CrkCdwRZ3/ZB Ov+TSGpd7pZY1zwAX2MVGy8nn+Lla3KJlC283++y1dzZHiLFnEHXX9w73kKrWMyY GJycwt9QrMmQgjndcznDGYthVloV8VLkCEN0ast/ZRsmccpARQ+xjNCg3fW2x8Kq 0HaTvfC6dct0iAzn8UXLoCSq6CBUrYLRG0OvQju0jmZIGSwEHLPe4/D4CF5Rf9ty kJ7rPLptLb1vG17w8JBWmDtR41iNOT/+G//4Vz3t10D3pnmuFFHz+js6YyiSs650 1Ot90mzLhh3agx7e8Lhcg==
X-ME-Sender: <xms:KhOmZqIyUvqAo9ZPS8qppPMETlXk-OlSDars2SUY5o7UHySLigIrIQ> <xme:KhOmZiI3y9_rWdqNYnJq9ezXwFZxIZaEioLhGao50Rl0T3cUnYrv9apK0EBDvXS8L ZF-EcKMMGWNMvIpVrQ>
X-ME-Received: <xmr:KhOmZqtdxyOVi5cJ08Mc23nsf-OG_X1Ud00pLN_7T8kb8BnqPSNrJKQPrR8kc7E>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeftddrjedtgddvtdcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepkfffgggfuffvfhfhjggtgfesthekre dttddvjeenucfhrhhomhepuehrihgrnhcuvegrnhgulhgvrhcuoegsrhhirghnsehnshhr tgdrohhrgheqnecuggftrfgrthhtvghrnhepleffjeelueeiheettdeukefgudegffelje egffeitdeigfehheefudfgveeitdfhnecuffhomhgrihhnpegtohhnfhdrihhtnecuvehl uhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepsghrihgrnhesnh hsrhgtrdhorhhgpdhnsggprhgtphhtthhopedt
X-ME-Proxy: <xmx:KhOmZvbvkUKph03kiKMe859v_b5Ml6cDCs3oBjGut94Brd-vnkNBPA> <xmx:KhOmZhb0xTztDOwsrQopSAo8vfMH-qAbAFwpxU0EiwYfj4MP2Xu9gg> <xmx:KhOmZrBNw1KnX7sGMWLgMIW4xxjHkwsWseuSFPi7-iQQbeGMJRh7Gg> <xmx:KhOmZnbF0WV6RAThY1gxc1jnj9XQKb2ANEXHFGlbMztRUwprGKOzsw> <xmx:KhOmZlG5hWglH3yQrX_xYM_HlpRuf-3mAM3GE3W2fF0emH7lsIlvP2zb>
Feedback-ID: i8f09498f:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sun, 28 Jul 2024 05:45:13 -0400 (EDT)
Message-ID: <cd61afa3-f7d5-4d2f-906d-3ee784b7227d@nsrc.org>
Date: Sun, 28 Jul 2024 10:45:12 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: "Soni \"It/Its\" L." <fakedme+ietf@gmail.com>, v6ops@ietf.org
References: <c06a4934-aa58-42e2-b00f-f1558b8600cb@gmail.com> <4ca08b3d-0a95-4832-b65f-98045201a18a@nsrc.org> <4c962726-6581-4024-902d-6eafc6d2b3bc@gmail.com> <7c323013-d83a-4160-93f6-ad04fdee6215@nsrc.org> <76d8ac51-2e57-4cfe-bee3-491513bd4972@gmail.com>
Content-Language: en-GB
From: Brian Candler <brian@nsrc.org>
In-Reply-To: <76d8ac51-2e57-4cfe-bee3-491513bd4972@gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: RXVEHCTOCGDDL2YBT6ZMF47ZQOWBMSX2
X-Message-ID-Hash: RXVEHCTOCGDDL2YBT6ZMF47ZQOWBMSX2
X-MailFrom: brian@nsrc.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-v6ops.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [v6ops] Re: CLAT-in-libc and possible interactions with draft-ietf-v6ops-claton?
List-Id: v6ops discussion list <v6ops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/p_U7DbIo1J3ApT0Wvbt0j0DOBOI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Owner: <mailto:v6ops-owner@ietf.org>
List-Post: <mailto:v6ops@ietf.org>
List-Subscribe: <mailto:v6ops-join@ietf.org>
List-Unsubscribe: <mailto:v6ops-leave@ietf.org>

On 27/07/2024 20:03, Soni "It/Its" L. wrote:
>
> say you have an ipv4 listen socket, you accept on it, and a connection 
> comes in.
>
> accept is generally expected to fill in a struct sockaddr with the 
> peer address.  since the OS doesn't have ipv4, "CLAT-in-libc" has to 
> fetch the NAT64 prefix and translate the IPv6 NAT64 address of the 
> peer to its IPv4 representation.
>
> "Fetching the NAT64 prefix", for practical purposes, involves reading 
> /etc/clat.conf.  It's not particularly expensive, but it isn't free 
> either.

I'd say it's insignificant in the bigger picture of what an application 
already has to do on each incoming connection.

I don't think you can avoid this functionality though. Although accept() 
takes a pointer to a generic struct sockaddr, any application which 
opened a v4 socket is likely to be hard-coded to pass in a sockaddr_in, 
and parse it as such.  You can't return a sockaddr_in6 and expect it to 
work in the general case.

You might be thinking of a server application accepting thousands of 
connections per second. If the reading of clat.conf on each connection 
were a problem, I guess it could cache the contents of /etc/clat.conf in 
RAM as a small optimisation (remembering that the NAT64 prefix *could* 
change over time)

But would you really expect a high-performance server to be sitting on a 
v6-only network, configured to accept v4 connections, as an important 
use case?

The "translating the IPv6 NAT64 address of the peer" only applies if the 
PLAT were accepting IPv4 connections and forwarding them - which in turn 
means configuration of port forwarding on the PLAT. Maybe you'd do that 
in a home network, but I'd be surprised if much of that happens much in 
a provider network. I guess with PCP/uPNP etc it would be possible in 
principle.

I think in the main reason to map listening sockets as just a matter of 
completeness, and to allow applications which choose to open a (v4) 
listening socket to run without crashing on a v6-only network.


>
> If instead you have an IPv6 listen socket, why go through all that 
> effort just to convert NAT64 addresses into v4mapped addresses?

Obviously, an application which natively opens an IPv6 listen socket 
will see IPv6 source addresses.  Or IPv4-mapped ones (under certain OSes 
and with dual stack).  Or it will see IPv4 addresses with a NAT64 
prefix, but only if the PLAT does inbound port forwarding.  I don't see 
a need to mess with any of those.

But if the application opened an IPv4 socket, but the libc shim actually 
gave them an IPv6 socket, then it would have to do the translation - 
because if the application calls getpeername() or accept() etc it will 
expect to see an AF_INET address.


>
>> I also don't get what situation you're referring to which requires 
>> "the traditional thing of opening two connect sockets", unless you're 
>> talking about Happy Eyeballs? Or do you mean that the client would 
>> open *either* an IPv4 *or* and IPv6 socket? That's fine.
>>
>
> That's the latter, yeah, the application would just use IPv4 sockets 
> when connecting to IPv4 addresses, and IPv6 sockets when connecting to 
> IPv6 addresses.  As it generally does today.

I see no issue with that behaviour an IPv6-only host with this libc 
shim. The natural behaviour would be if the application:

- open an IPv6 socket: it just passes through
- open an IPv4 socket: the shim converts it to an IPv6 socket and 
adds/removes the NAT64 prefix as necessary on connect(), accept(), 
getpeername() etc.

However, if an IPv6 socket is given an IPv4-mapped address to connect 
to, I think it would be easy enough to convert this to NAT64 prefix+IP 
address as well. Then both types of application are handled equally well.

Regards,

Brian.

v2.39.1 | Report a Bug | By Email | System Status