Add UDP discovery mechanism.

This adds a new mechanism by which tinc can determine if a node is
reachable via UDP. The new mechanism is currently redundant with the
PMTU discovery mechanism - that will be fixed in a future commit.

Conceptually, the UDP discovery mechanism works similarly to PMTU
discovery: it sends UDP probes (of minmtu size, to make sure the tunnel
is fully usable), and assumes UDP is usable if it gets replies. It
assumes UDP is broken if too much time has passed since the last reply.

The big difference with the current PMTU discovery mechanism, however,
is that UDP discovery probes are only triggered as part of the
packet TX path (through try_tx()). This is quite interesting, because
it means tinc will never send UDP pings more often than normal packets,
and most importantly, it will automatically stop sending pings as soon
as packets stop flowing, thereby nicely reducing network chatter.

Of course, there are small drawbacks in some edge cases: for example,
if a node only sends one packet every minute to another node, these
packets will only be sent over TCP, because the interval between packets
is too long for tinc to maintain the UDP tunnel. I consider this a
feature, not a bug: I believe it is appropriate to use TCP in scenarios
where traffic is negligible, so that we don't pollute the network with
pings just to maintain a UDP tunnel that's seeing negligible usage.
This commit is contained in:
Etienne Dechamps 2014-12-29 10:34:39 +00:00
parent 5d6478b9fb
commit 7939ee1283
10 changed files with 96 additions and 14 deletions

View file

@ -4,7 +4,7 @@ _tinc() {
cur="${COMP_WORDS[COMP_CWORD]}"
prev="${COMP_WORDS[COMP_CWORD-1]}"
opts="-c -d -D -K -n -o -L -R -U --config --no-detach --debug --net --option --mlock --logfile --pidfile --chroot --user --help --version"
confvars="Address AddressFamily BindToAddress BindToInterface Broadcast BroadcastSubnet Cipher ClampMSS Compression ConnectTo DecrementTTL Device DeviceStandby DeviceType Digest DirectOnly Ed25519PrivateKeyFile Ed25519PublicKey Ed25519PublicKeyFile ExperimentalProtocol Forwarding GraphDumpFile Hostnames IffOneQueue IndirectData Interface KeyExpire ListenAddress LocalDiscovery MACExpire MACLength MaxOutputBufferSize MaxTimeout Mode Name PMTU PMTUDiscovery PingInterval PingTimeout Port PriorityInheritance PrivateKeyFile ProcessPriority Proxy PublicKeyFile ReplayWindow StrictSubnets Subnet TCPOnly TunnelServer UDPRcvBuf UDPSndBuf VDEGroup VDEPort Weight"
confvars="Address AddressFamily BindToAddress BindToInterface Broadcast BroadcastSubnet Cipher ClampMSS Compression ConnectTo DecrementTTL Device DeviceStandby DeviceType Digest DirectOnly Ed25519PrivateKeyFile Ed25519PublicKey Ed25519PublicKeyFile ExperimentalProtocol Forwarding GraphDumpFile Hostnames IffOneQueue IndirectData Interface KeyExpire ListenAddress LocalDiscovery MACExpire MACLength MaxOutputBufferSize MaxTimeout Mode Name PMTU PMTUDiscovery PingInterval PingTimeout Port PriorityInheritance PrivateKeyFile ProcessPriority Proxy PublicKeyFile ReplayWindow StrictSubnets Subnet TCPOnly TunnelServer UDPDiscovery UDPDiscoveryInterval UDPDiscoveryTimeout UDPRcvBuf UDPSndBuf VDEGroup VDEPort Weight"
commands="add connect debug del disconnect dump edit export export-all generate-ed25519-keys generate-keys generate-rsa-keys get help import info init invite join log network pcap pid purge reload restart retry set start stop top version"
case ${prev} in

View file

@ -485,6 +485,18 @@ and will only allow connections with nodes for which host config files are prese
.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
directory.
Setting this options also implicitly sets StrictSubnets.
.It Va UDPDiscovery Li = yes | no Po yes Pc
When this option is enabled tinc will try to establish UDP connectivity to nodes,
using TCP while it determines if a node is reachable over UDP. If it is disabled,
tinc always assumes a node is reachable over UDP.
Note that tinc will never use UDP with nodes that have
.Va TCPOnly
enabled.
.It Va UDPDiscoveryInterval Li = Ar seconds Pq 9
The minimum amount of time between sending UDP ping datagrams to test UDP connectivity.
.It Va UDPDiscoveryTimeout Li = Ar seconds Pq 30
If tinc doesn't receive any UDP ping replies over the specified interval,
it will assume UDP communication is broken and will fall back to TCP.
.It Va UDPRcvBuf Li = Ar bytes Pq OS default
Sets the socket receive buffer size for the UDP socket, in bytes.
If unset, the default buffer size will be used by the operating system.

View file

@ -1232,6 +1232,22 @@ and will only allow connections with nodes for which host config files are prese
@file{@value{sysconfdir}/tinc/@var{netname}/hosts/} directory.
Setting this options also implicitly sets StrictSubnets.
@cindex UDPDiscovey
@item UDPDiscovery = <yes|no> (yes)
When this option is enabled tinc will try to establish UDP connectivity to nodes,
using TCP while it determines if a node is reachable over UDP. If it is disabled,
tinc always assumes a node is reachable over UDP.
Note that tinc will never use UDP with nodes that have TCPOnly enabled.
@cindex UDPDiscoveryInterval
@item UDPDiscoveryInterval = <seconds> (9)
The minimum amount of time between sending UDP ping datagrams to test UDP connectivity.
@cindex UDPDiscoveryTimeout
@item UDPDiscoveryTimeout = <seconds> (30)
If tinc doesn't receive any UDP ping replies over the specified interval,
it will assume UDP communication is broken and will fall back to TCP.
@cindex UDPRcvBuf
@item UDPRcvBuf = <bytes> (OS default)
Sets the socket receive buffer size for the UDP socket, in bytes.

View file

@ -241,6 +241,7 @@ static void check_reachability(void) {
n->minmtu = 0;
n->mtuprobes = 0;
timeout_del(&n->udp_ping_timeout);
timeout_del(&n->mtutimeout);
char *name;

View file

@ -138,6 +138,10 @@ extern int addressfamily;
extern unsigned replaywin;
extern bool localdiscovery;
extern bool udp_discovery;
extern int udp_discovery_interval;
extern int udp_discovery_timeout;
extern listen_socket_t listen_socket[MAXSOCKETS];
extern int listen_sockets;
extern io_t unix_socket;

View file

@ -59,10 +59,13 @@ static void send_udppacket(node_t *, vpn_packet_t *);
unsigned replaywin = 16;
bool localdiscovery = true;
bool udp_discovery = true;
int udp_discovery_interval = 9;
int udp_discovery_timeout = 30;
#define MAX_SEQNO 1073741824
static void send_mtu_probe_packet(node_t *n, int len) {
static void send_udp_probe_packet(node_t *n, int len) {
vpn_packet_t packet;
packet.offset = DEFAULT_PACKET_OFFSET;
memset(DATA(&packet), 0, 14);
@ -70,7 +73,7 @@ static void send_mtu_probe_packet(node_t *n, int len) {
packet.len = len;
packet.priority = 0;
logger(DEBUG_TRAFFIC, LOG_INFO, "Sending MTU probe length %d to %s (%s)", len, n->name, n->hostname);
logger(DEBUG_TRAFFIC, LOG_INFO, "Sending UDP probe length %d to %s (%s)", len, n->name, n->hostname);
send_udppacket(n, &packet);
}
@ -131,7 +134,7 @@ static void send_mtu_probe_handler(void *data) {
/* After the initial discovery, a fourth packet is added to each batch with a
size larger than the currently known PMTU, to test if the PMTU has increased. */
if (n->mtuprobes >= 30 && n->maxmtu + 8 < MTU)
send_mtu_probe_packet(n, n->maxmtu + 8);
send_udp_probe_packet(n, n->maxmtu + 8);
/* Probes are sent in batches of three, with random sizes between the
lower and upper boundaries for the MTU thus far discovered. */
@ -140,14 +143,14 @@ static void send_mtu_probe_handler(void *data) {
if(n->minmtu < n->maxmtu)
len = n->minmtu + 1 + rand() % (n->maxmtu - n->minmtu);
send_mtu_probe_packet(n, MAX(len, 64));
send_udp_probe_packet(n, MAX(len, 64));
}
/* In case local discovery is enabled, another packet is added to each batch,
which will be broadcast to the local network. */
if(localdiscovery && n->mtuprobes <= 10 && n->prevedge) {
n->status.send_locally = true;
send_mtu_probe_packet(n, 16);
send_udp_probe_packet(n, 16);
n->status.send_locally = false;
}
@ -175,9 +178,21 @@ void send_mtu_probe(node_t *n) {
send_mtu_probe_handler(n);
}
static void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
static void udp_probe_timeout_handler(void *data) {
node_t *n = data;
if(!n->status.udp_confirmed)
return;
logger(DEBUG_TRAFFIC, LOG_INFO, "Too much time has elapsed since last UDP ping response from %s (%s), stopping UDP communication", n->name, n->hostname);
n->status.udp_confirmed = false;
n->mtuprobes = 1;
n->minmtu = 0;
n->maxmtu = MTU;
}
static void udp_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
if(!DATA(packet)[0]) {
logger(DEBUG_TRAFFIC, LOG_INFO, "Got MTU probe request %d from %s (%s)", packet->len, n->name, n->hostname);
logger(DEBUG_TRAFFIC, LOG_INFO, "Got UDP probe request %d from %s (%s)", packet->len, n->name, n->hostname);
/* It's a probe request, send back a reply */
@ -207,19 +222,23 @@ static void mtu_probe_h(node_t *n, vpn_packet_t *packet, length_t len) {
length_t probelen = len;
if (DATA(packet)[0] == 2) {
if (len < 3)
logger(DEBUG_TRAFFIC, LOG_WARNING, "Received invalid (too short) MTU probe reply from %s (%s)", n->name, n->hostname);
logger(DEBUG_TRAFFIC, LOG_WARNING, "Received invalid (too short) UDP probe reply from %s (%s)", n->name, n->hostname);
else {
uint16_t probelen16; memcpy(&probelen16, DATA(packet) + 1, 2); probelen = ntohs(probelen16);
}
}
logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d MTU probe reply %d from %s (%s)", DATA(packet)[0], probelen, n->name, n->hostname);
logger(DEBUG_TRAFFIC, LOG_INFO, "Got type %d UDP probe reply %d from %s (%s)", DATA(packet)[0], probelen, n->name, n->hostname);
/* It's a valid reply: now we know bidirectional communication
is possible using the address and socket that the reply
packet used. */
n->status.udp_confirmed = true;
if(udp_discovery) {
timeout_del(&n->udp_ping_timeout);
timeout_add(&n->udp_ping_timeout, &udp_probe_timeout_handler, n, &(struct timeval){udp_discovery_timeout, 0});
}
/* If we haven't established the PMTU yet, restart the discovery process. */
if(n->mtuprobes > 30) {
@ -493,7 +512,7 @@ static bool receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
inpkt->priority = 0;
if(!DATA(inpkt)[12] && !DATA(inpkt)[13])
mtu_probe_h(n, inpkt, origlen);
udp_probe_h(n, inpkt, origlen);
else
receive_packet(n, inpkt);
return true;
@ -860,7 +879,7 @@ bool receive_sptps_record(void *handle, uint8_t type, const void *data, uint16_t
if(type == PKT_PROBE) {
inpkt.len = len;
memcpy(DATA(&inpkt), data, len);
mtu_probe_h(from, &inpkt, len);
udp_probe_h(from, &inpkt, len);
return true;
}
@ -935,6 +954,24 @@ static void try_sptps(node_t *n) {
return;
}
// This function tries to establish a UDP tunnel to a node so that packets can be sent.
// If a tunnel is already established, it makes sure it stays up.
// This function makes no guarantees - it is up to the caller to check the node's state to figure out if UDP is usable.
static void try_udp(node_t* n) {
if(!udp_discovery)
return;
struct timeval now;
gettimeofday(&now, NULL);
struct timeval ping_tx_elapsed;
timersub(&now, &n->udp_ping_sent, &ping_tx_elapsed);
if(ping_tx_elapsed.tv_sec >= udp_discovery_interval) {
send_udp_probe_packet(n, MAX(n->minmtu, 16));
n->udp_ping_sent = now;
}
}
// This function tries to establish a tunnel to a node (or its relay) so that packets can be sent (e.g. get SPTPS keys).
// If a tunnel is already established, it tries to improve it (e.g. by trying to establish a UDP tunnel instead of TCP).
// This function makes no guarantees - it is up to the caller to check the node's state to figure out if TCP and/or UDP is usable.
@ -958,7 +995,8 @@ static void try_tx(node_t *n) {
if(!n->status.sptps && !via->status.validkey && via->last_req_key + 10 <= now.tv_sec) {
send_req_key(via);
via->last_req_key = now.tv_sec;
}
} else if(via == n || !n->status.sptps || (via->options >> 24) >= 4)
try_udp(via);
/* If we don't know how to reach "via" yet, then try to reach it through a relay. */
if(n->status.sptps && !via->status.udp_confirmed && via->nexthop != via && (via->nexthop->options >> 24) >= 4)

View file

@ -510,6 +510,10 @@ bool setup_myself_reloadable(void) {
if(myself->options & OPTION_TCPONLY)
myself->options |= OPTION_INDIRECT;
get_config_bool(lookup_config(config_tree, "UDPDiscovery"), &udp_discovery);
get_config_int(lookup_config(config_tree, "UDPDiscoveryInterval"), &udp_discovery_interval);
get_config_int(lookup_config(config_tree, "UDPDiscoveryTimeout"), &udp_discovery_timeout);
get_config_bool(lookup_config(config_tree, "DirectOnly"), &directonly);
get_config_bool(lookup_config(config_tree, "LocalDiscovery"), &localdiscovery);

View file

@ -92,6 +92,7 @@ void free_node(node_t *n) {
ecdsa_free(n->ecdsa);
sptps_stop(&n->sptps);
timeout_del(&n->udp_ping_timeout);
timeout_del(&n->mtutimeout);
if(n->hostname)

View file

@ -87,6 +87,9 @@ typedef struct node_t {
uint32_t farfuture; /* Packets in a row that have arrived from the far future */
unsigned char* late; /* Bitfield marking late packets */
struct timeval udp_ping_sent; /* Last time a ping probe was sent */
timeout_t udp_ping_timeout; /* Ping timeout event */
length_t mtu; /* Maximum size of packets to send to this node */
length_t minmtu; /* Probed minimum MTU */
length_t maxmtu; /* Probed maximum MTU */

View file

@ -1364,6 +1364,9 @@ const var_t variables[] = {
{"ScriptsInterpreter", VAR_SERVER},
{"StrictSubnets", VAR_SERVER},
{"TunnelServer", VAR_SERVER},
{"UDPDiscovery", VAR_SERVER},
{"UDPDiscoveryInterval", VAR_SERVER},
{"UDPDiscoveryTimeout", VAR_SERVER},
{"UDPRcvBuf", VAR_SERVER},
{"UDPSndBuf", VAR_SERVER},
{"VDEGroup", VAR_SERVER},