Hi, Martín.

On Wed, Oct 17, 2007 at 01:25:15PM -0300, Martín Ferrari wrote:
> >  Thank you for this reference. As a Debian maintainer you can update the URL
> >  in the "vtun" package description block, and I ask you to do that.
> 
> The homepage in the description is correct. It's only that the download
> section doesn't list the latest version. That is correctly pointed to in
> the watch file.

 It's a pity, but I do not know what the "watch file" is... :-)
 I simply ran "apt-cache show" for vtun-3.0.1, followed the URL and saw
 no source for it on the download page. Well, I do know other ways to
 get the source, but it's annoying... Thanks Bishop for fixing it.

> >  I'll take a look at this code in a couple of days.
> 
> Great, I'll wait for your follow-up. Please also send steps to
> reproduce the problem, because neither upstream nor I have reproduced it
> yet.

 The bug scenario is very simple:

 1. Connect client A to server B in UDP mode.
 2. Run ping A->B through the tunnel.
 3. Drop the return UDP packets on path B->A, say, via a filter on side A:
    iptables -A INPUT -p udp -d <ip-A> -s <ip-B> --sport 5000 -j DROP

 You will see that ping receives no replies, but the client on A does not
 detect that path B->A is broken, because it thinks the link is OK if it
 can send something to it. :-)

 Path A->B is NOT the same as path B->A: on the Internet it may be a different
 chain of hosts, a different hop count, a different path MTU and so on
 (so-called asymmetric routing). Even on 100Base-TX Ethernet, it is a
 different pair of wires; one of them can be broken and the other one connected.
 So path A->B must ALWAYS be verified independently from path B->A.

 The original concept of "link idle" in vtun was conceptually broken,
 because it was programmed as "link_idle = idle(input) AND idle(output)".
 So, if there was something to output, vtund never checked for input.
 This behaviour can be reproduced with vtund from 2.6 up to 3.0.1.
 With my patch either side detects link damage correctly.

 Note that in TCP mode this problem also exists, but not exactly in
 this form: TCP is bidirectional by its nature. With TCP, dead link
 detection works only at the kernel level, via the standard TCP timeout,
 but the "keepalive" parameter of VTUN does not work as it should.
-- 
 Eugene Berdnikov
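The failure mode described in the message above (a detector that treats the link as alive as long as it has something to send, so a one-way break on the B->A path is never noticed) can be shown with a small simulation. The following is an added example written for this page; it is not vtun's code and does not reproduce vtund's timers or packet format. The tick-based trace, the `DEAD_AFTER` threshold, and the function names are assumptions chosen to make the two detection rules comparable side by side.

```python
"""Simulate dead-link detection on a UDP tunnel under one-way packet loss.

Two detectors are compared on the same traffic trace:
  * detect_and_idle          -- "link_idle = idle(input) AND idle(output)",
                                the rule the mail describes as broken;
  * detect_input_independently -- the receive direction is judged alone.
Illustrative code written for this page; not vtun's implementation.
"""

from typing import List, Optional, Tuple

# One entry per tick as seen by client A: (packets_sent, packets_received).
Activity = List[Tuple[int, int]]

# Consecutive idle intervals before the link is declared dead.
# Assumed value for the simulation, not a vtun default.
DEAD_AFTER = 3


def scenario(total_ticks: int, cut_at: int, drop_both: bool = False) -> Activity:
    """Constructed traffic trace (not captured data): A pings B once per tick.

    From tick `cut_at` on, replies on path B->A are dropped, mirroring the
    iptables rule from the mail.  With `drop_both`, A's own packets stop as
    well, i.e. a symmetric outage rather than an asymmetric one.
    """
    trace: Activity = []
    for t in range(total_ticks):
        broken = t >= cut_at
        sent = 0 if (broken and drop_both) else 1
        recv = 0 if broken else 1
        trace.append((sent, recv))
    return trace


def detect_and_idle(trace: Activity) -> Optional[int]:
    """Broken rule: the link is idle only when BOTH directions are idle.

    Any outgoing packet resets the idle counter, so as long as A keeps
    sending (the ping in the scenario), A never notices that nothing has
    come back.  Returns the tick at which the link is declared dead, or
    None if it never is.
    """
    idle = 0
    for t, (sent, recv) in enumerate(trace):
        idle = 0 if (sent or recv) else idle + 1   # own output masks the loss
        if idle >= DEAD_AFTER:
            return t
    return None


def detect_input_independently(trace: Activity) -> Optional[int]:
    """Fixed rule: path B->A is verified on its own.

    Sending proves nothing about the reverse path, so only received
    packets reset the input-idle counter.  Returns the tick at which the
    reverse path is declared dead, or None if it never is.
    """
    idle_in = 0
    for t, (sent, recv) in enumerate(trace):
        idle_in = 0 if recv else idle_in + 1
        if idle_in >= DEAD_AFTER:
            return t
    return None


def compare(total_ticks: int = 10, cut_at: int = 4) -> dict:
    """Run both detectors over the asymmetric and the symmetric outage."""
    asym = scenario(total_ticks, cut_at)
    sym = scenario(total_ticks, cut_at, drop_both=True)
    return {
        "asymmetric": (detect_and_idle(asym), detect_input_independently(asym)),
        "symmetric": (detect_and_idle(sym), detect_input_independently(sym)),
    }


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:10s}  AND-rule dead at: {old}   input-only dead at: {new}")
```

With replies cut from tick 4 on, the AND-rule never declares the link dead in the asymmetric case (A's own pings keep resetting its counter), while the input-only rule fires after `DEAD_AFTER` silent intervals; on a symmetric outage both rules agree, which is why the bug only shows up when one direction fails.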