Commit graph

169 commits

Author SHA1 Message Date
Etienne Dechamps
76a9be5bce Throttle the rate of MTU_INFO messages.
This makes sure MTU_INFO messages are only sent at the maximum rate of
5 per second (by default). As usual with these "probe" mechanisms, the
rate of these messages cannot be higher than the rate of data packets
themselves, since they are sent from the RX path.
2015-03-14 13:39:05 +00:00
Etienne Dechamps
467397f25d Throttle the rate of UDP_INFO messages.
This makes sure UDP_INFO messages are only sent at the maximum rate of
5 per second (by default). As usual with these "probe" mechanisms, the
rate of these messages cannot be higher than the rate of data packets
themselves, since they are sent from the RX path.
2015-03-14 13:39:05 +00:00
Guus Sliepen
eb7a0db18e Always keep UDP mappings alive for nodes that also have a meta-connection.
This is necessary for assisting with UDP hole punching. But we don't
need to know the PMTU for this, so only send UDP probes.
2015-01-11 13:31:01 +01:00
Etienne Dechamps
07108117ce Use a different UDP discovery interval if the tunnel is established.
This introduces a new configuration option,
UDPDiscoveryKeepaliveInterval, which is used as the UDP discovery
interval once the UDP tunnel is established. The pre-existing option,
UDPDiscoveryInterval, is therefore only used before UDP connectivity
is established.

The defaults are set so that tinc sends UDP pings more aggressively
if the tunnel is not established yet. This is appropriate since the
size of probes in that scenario is very small (16 bytes).
2015-01-03 10:12:36 +00:00
Etienne Dechamps
98716a227e Move PMTU discovery code into the TX path.
Currently, the PMTU discovery code is run by a timeout callback,
independently of tunnel activity. This commit moves it into the TX
path, meaning that send_mtu_probe_handler() is only called if a
packet is about to be sent. Consequently, it has been renamed to
try_mtu() for consistency with try_tx(), try_udp() and try_sptps().

Running PMTU discovery code only as part of the TX path prevents
PMTU discovery from generating unreasonable amounts of traffic when
the "real" traffic is negligible. One extreme example is sending one
real packet and then going silent: in the current code this one little
packet will result in the entire PMTU discovery algorithm being run
from start to finish, resulting in absurd write traffic amplification.
With this patch, PMTU discovery stops as soon as "real" packets stop
flowing, and will be no more aggressive than the underlying traffic.

Furthermore, try_mtu() only runs if there is confirmed UDP
connectivity as per the UDP discovery mechanism. This prevents
unnecessary network chatter - previously, the PMTU discovery code
would send bursts of (potentially large) probe packets every second
even if there was nothing on the other side. With this patch, the
PMTU code only does that if something replied to the lightweight UDP
discovery pings.

These inefficiencies were made even worse when the node is not a
direct neighbour, as tinc will use PMTU discovery both on the
destination node *and* the relay. UDP discovery is more lightweight for
this purpose.

As a bonus, this code simplifies overall code somewhat - state is
easier to manage when code is run in predictable contexts as opposed
to "surprise callbacks". In addition, there is no need to call PMTU
discovery code outside of net_packet.c anymore, thereby simplifying
module boundaries.
2015-01-01 17:40:15 +00:00
Etienne Dechamps
7939ee1283 Add UDP discovery mechanism.
This adds a new mechanism by which tinc can determine if a node is
reachable via UDP. The new mechanism is currently redundant with the
PMTU discovery mechanism - that will be fixed in a future commit.

Conceptually, the UDP discovery mechanism works similarly to PMTU
discovery: it sends UDP probes (of minmtu size, to make sure the tunnel
is fully usable), and assumes UDP is usable if it gets replies. It
assumes UDP is broken if too much time has passed since the last reply.

The big difference with the current PMTU discovery mechanism, however,
is that UDP discovery probes are only triggered as part of the
packet TX path (through try_tx()). This is quite interesting, because
it means tinc will never send UDP pings more often than normal packets,
and most importantly, it will automatically stop sending pings as soon
as packets stop flowing, thereby nicely reducing network chatter.

Of course, there are small drawbacks in some edge cases: for example,
if a node only sends one packet every minute to another node, these
packets will only be sent over TCP, because the interval between packets
is too long for tinc to maintain the UDP tunnel. I consider this a
feature, not a bug: I believe it is appropriate to use TCP in scenarios
where traffic is negligible, so that we don't pollute the network with
pings just to maintain a UDP tunnel that's seeing negligible usage.
2015-01-01 17:40:15 +00:00
Guus Sliepen
6b92ac505d Add a variable offset to vpn_packet_t, drop sptps_packet_t.
The offset value indicates where the actual payload starts, so we can
process both legacy and SPTPS UDP packets without having to do casting
tricks and/or moving memory around.
2014-12-25 00:36:27 +01:00
Guus Sliepen
107d9c7da5 Use void pointers for opaque data blobs in the SPTPS code. 2014-12-24 22:15:40 +01:00
Guus Sliepen
263d990382 Avoid memmove() for legacy UDP packets. 2014-12-08 00:44:38 +01:00
Etienne Dechamps
111040d7d1 Add UDP datagram relay support to SPTPS.
This commit changes the layout of UDP datagrams to include a 6-byte
destination node ID at the very beginning of the datagram (i.e. before
the source node ID and the seqno). Note that this only applies to SPTPS.

Thanks to this new field, it is now possible to send SPTPS datagrams to
nodes that are not the final recipient of the packets, thereby using
these nodes as relay nodes. Previously SPTPS was unable to relay packets
using UDP, and required a fallback to TCP if the final recipient could
not be contacted directly using UDP. In that sense it fixes a regression
that SPTPS introduced with regard to the legacy protocol.

This change also updates tinc's low-level routing logic (i.e.
send_sptps_data()) to automatically use this relaying facility if at all
possible. Specifically, it will relay packets if we don't have a
confirmed UDP link to the final recipient (but we have one with the next
hop node), or if IndirectData is specified. This is similar to how the
legacy protocol forwards packets.

When sending packets directly without any relaying, the sender node uses
a special value for the destination node ID: instead of setting the
field to the ID of the recipient node, it writes a zero ID instead. This
allows the recipient node to distinguish between a relayed packet and a
direct packet, which is important when determining the UDP address of
the sending node.

On the relay side, relay nodes will happily relay packets that have a
destination ID which is non-zero *and* is different from their own,
provided that the source IP address of the packet is known. This is to
prevent abuse by random strangers, since a node can't authenticate the
packets that are being relayed through it.

This change keeps the protocol number from the previous datagram format
change (source IDs), 17.4. Compatibility is still preserved with 1.0 and
with pre-1.1 releases. Note, however, that nodes running this code won't
understand datagrams sent from nodes that only use source IDs and
vice-versa (not that we really care).

There is one caveat: in the current state, there is no way for the
original sender to know what the PMTU is beyond the first hop, and
contrary to the legacy protocol, relay nodes can't apply MSS clamping
because they can't decrypt the relayed packets. This leads to
inefficient scenarios where a reduced PMTU over some link that's part of
the relay path will result in relays falling back to TCP to send packets
to their final destinations.

Another caveat is that once a packet gets sent over TCP, it will use
TCP over the entire path, even if it is technically possible to use UDP
beyond the TCP-only link(s).

Arguably, these two caveats can be fixed by improving the
metaconnection protocol, but that's out of scope for this change. TODOs
are added instead. In any case, this is no worse than before.

In addition, this change increases SPTPS datagram overhead by another
6 bytes for the destination ID, on top of the existing 6-byte overhead
from the source ID.
2014-10-04 14:37:15 +01:00
Etienne Dechamps
8dd1c8a020 Prepend source node ID information to UDP datagrams.
This commit changes the layout of UDP datagrams to include the 6-byte ID
(i.e. node name hash) of the node that crafted the packet at the very
beginning of the datagram (i.e. before the seqno). Note that this only
applies to SPTPS.

This is implemented at the lowest layer, i.e. in
handle_incoming_vpn_data() and send_sptps_data() functions. Source ID is
added and removed there, in such a way that the upper layers are unaware
of its presence.

This is the first stepping stone towards supporting UDP relaying in
SPTPS, by providing information about the original sender in the packet
itself. Nevertheless, even without relaying this commit already provides
a few benefits such as being able to reliably determine the source node
of a packet in the presence of an unknown source IP address, without
having to painfully go through all node keys. This makes tinc's behavior
much more scalable in this regard.

This change does not break anything with regard to the protocol: It
preserves compatibility with 1.0 and even with older pre-1.1 releases
thanks to a minor protocol version change (17.4). Source ID information
won't be included in packets sent to nodes with minor version < 4.

One drawback, however, is that this change increases SPTPS datagram
overhead by 6 bytes (the size of the source ID itself).
2014-10-04 11:21:44 +01:00
Etienne Dechamps
092d620dbb Change vpn_packet_t::seqno from uint32_t to uint8_t[4].
This is to make sure on-wire vpn_packet_t fields are always 1-byte
aligned, otherwise padding could get in the way.
2014-10-04 11:21:38 +01:00
Etienne Dechamps
55a78da4e0 Introduce node IDs.
This introduces a new type of identifier for nodes, which complements
node names: node IDs. Node IDs are defined as the first 6 bytes of the
SHA-256 hash of the node name. They will be used in future code in lieu
of node names as unique node identifiers in contexts where space is at
a premium (such as VPN packets).

The semantics of node IDs is that they are supposed to be unique in a
tinc graph; i.e. two different nodes that are part of the same graph
should not have the same ID, otherwise things could break. This
solution provides this guarantee based on realistic probabilities:
indeed, according to the birthday problem, with a 48-bit hash, the
probability of at least one collision is 1e-13 with 10 nodes, 1e-11
with 100 nodes, 1e-9 with 1000 nodes and 1e-7 with 10000 nodes. Things
only start getting hairy with more than 1 million nodes, as the
probability gets over 0.2%.
2014-10-04 11:13:59 +01:00
Etienne Dechamps
4159108971 Remove broadcast-based local discovery mechanism.
The new local address based local discovery mechanism is technically
superior to the old broadcast-based one. In fact, the old algorithm
can technically make things worse by e.g. sending broadcasts over the
VPN itself and then selecting the VPN address as the node's UDP
address. This cannot happen with the new mechanism.

Note that this means old nodes that don't send their local addresses in
ADD_EDGE messages can't be discovered, because there is no address to
send discovery packets to. Old nodes can still discover new nodes by
sending them broadcasts, though.
2014-06-29 11:24:36 +01:00
Etienne Dechamps
313a752cb5 Remove the TAP-Win32 reader thread.
tinc is using a separate thread to read from the TAP device on Windows.
The rationale was that the notification mechanism for packets arriving
on the virtual network device is based on Win32 events, and the event
loop did not support listening to these events.

Thanks to recent improvements, this event loop limitation has been
lifted. Therefore we can get rid of the separate thread and simply add
the Win32 "incoming packet" event to the event loop, just like a socket.
The result is cleaner code that's easier to reason about.
2014-06-28 20:00:05 +01:00
Etienne Dechamps
bd451cfe15 Add DeviceStandby option to only enable the device when nodes are reachable.
This adds a new DeviceStandby option; when it is disabled (the default),
behavior is unchanged. If it is enabled, tinc-up will not be called during
tinc initialization, but will instead be deferred until the first node is
reachable, and it will be closed as soon as no nodes are reachable.

This is useful because it means the device won't be set up until we are fairly
sure there is something listening on the other side. This is more user-friendly,
as one can check on the status of the tinc network connection just by checking
the status of the network interface. Besides, it prevents the OS from thinking
it is connected to some network when it is in fact completely isolated.
2014-06-22 15:04:15 +01:00
Guus Sliepen
332b55d472 Change AutoConnect from int to bool.
The proper value is 3, not 2 or 4, and 5 is right out. So just hardcode this value,
and only have the option to turn AutoConnect on or off.
2014-05-06 14:11:55 +02:00
Guus Sliepen
06a4a8c153 Update copyright notices. 2014-02-07 20:38:48 +01:00
Guus Sliepen
38adc8bf54 Add the ListenAddress option.
ListenAddress works the same as BindToAddress, except that from now on,
explicitly binding outgoing packets to the address of a socket is only done for
sockets specified with BindToAddress.
2014-01-20 21:19:13 +01:00
Guus Sliepen
24e3ec863e Add connection rate limiting.
Tinc now strictly limits incoming connections from the same host to 1 per
second. For incoming connections from multiple hosts short bursts of incoming
connections are allowed (by default 100), but on average also only 1 connection
per second is allowed.

When an incoming connection exceeds the limit, tinc will keep the connection in
a tarpit; the connection will be kept open but it is ignored completely. Only
one connection is in a tarpit at a time to limit the number of useless open
connections.
2013-07-11 23:38:38 +02:00
Guus Sliepen
b811e980e3 Add the LocalDiscoveryAddress option.
When LocalDiscovery is enabled, tinc normally sends broadcast packets during
PMTU discovery to the broadcast address (255.255.255.255 or ff02::1). This
option lets tinc use a different address.

At the moment only one LocalDiscoveryAddress can be specified.
2013-05-31 18:50:34 +02:00
Guus Sliepen
258bf7ea0f Drop packets forwarded via TCP if they are too big (CVE-2013-1428).
Normally all requests sent via the meta connections are checked so that they
cannot be larger than the input buffer. However, when packets are forwarded via
meta connections, they are copied into a packet buffer without checking whether
it fits into it. Since the packet buffer is allocated on the stack, this in
effect allows an authenticated remote node to cause a stack overflow.

This issue was found by Martin Schobert.
2013-04-22 15:53:45 +02:00
Guus Sliepen
cc3c69c892 Releasing 1.1pre5. 2013-01-20 21:03:22 +01:00
Guus Sliepen
94587264bd Allow connections via UNIX sockets.
This is mainly useful for control connections. The client must still present
the control cookie from the PID file.
2013-01-17 18:12:55 +01:00
Guus Sliepen
6bc5d626a8 Drop libevent and use our own event handling again.
There are several reasons for this:

- MacOS/X doesn't support polling the tap device using kqueue, requiring a
  workaround to fall back to select().
- On Windows only sockets are properly handled, therefore tinc uses a second
  thread that does a blocking ReadFile() on the TAP-Win32/64 device. However,
  this does not mix well with libevent.
- Libevent, event just the core, is quite large, and although it is easy to get
  and install on many platforms, it can be a burden.
- Libev is more lightweight and seems technically superior, but it doesn't
  abstract away all the platform differences (for example, async events are not
  supported on Windows).
2012-11-29 12:28:23 +01:00
Guus Sliepen
717ea66d7b Add the AutoConnect option.
When set to a non-zero value, tinc will try to maintain exactly that number of
meta connections to other nodes.  If there are not enough connections, it will
periodically try to set up an outgoing connection to a random node.  If there
are too many connections, it will periodically try to remove an outgoing
connection.
2012-10-21 17:35:13 +02:00
Guus Sliepen
d917c8cb6b Fix whitespace. 2012-10-10 17:17:49 +02:00
Guus Sliepen
ce059e36fd Refactor outgoing connection handling.
Struct outgoing_ts and connection_ts were depending too much on each other,
causing lots of problems, especially the reuse of a connection_t. Now, whenever
a connection is closed it is immediately removed from the list of connections
and destroyed.
2012-10-07 21:02:40 +02:00
Guus Sliepen
d93a37928b Fix warnings from cppcheck. 2012-10-07 17:53:23 +02:00
Guus Sliepen
b381acd60d Remove unused function declaration. 2012-09-30 23:12:43 +02:00
Guus Sliepen
c5325ffdd1 Correctly add/remove outgoing connections when reloading configuration. 2012-09-28 17:05:01 +02:00
Guus Sliepen
153abaa4d9 Use datagram SPTPS for packet exchange between nodes.
When two nodes which support SPTPS want to send packets to each other, they now
always use SPTPS. The node initiating the SPTPS session send the first SPTPS
packet via an extended REQ_KEY messages. All other handshake messages are sent
using ANS_KEY messages. This ensures that intermediate nodes using an older
version of tinc can still help with NAT traversal. After the authentication
phase is over, SPTPS packets are sent via UDP, or are encapsulated in extended
REQ_KEY messages instead of PACKET messages.
2012-07-30 18:36:59 +02:00
Guus Sliepen
c678e7c4fb Split setup_myself() into two functions, one for reloading configuration. 2012-07-20 19:59:47 +02:00
Guus Sliepen
19be9cf715 Merge branch 'master' of git://tinc-vpn.org/tinc into 1.1
Conflicts:
	NEWS
	README
	configure.in
	lib/utils.c
	src/linux/device.c
	src/meta.c
	src/net.h
	src/net_setup.c
	src/net_socket.c
	src/protocol.c
	src/protocol_auth.c
	src/tincd.c
2012-06-26 13:24:20 +02:00
Guus Sliepen
b58d95eb29 Add basic support for SOCKS 4 and HTTP CONNECT proxies.
When the Proxy option is used, outgoing connections will be made via the
specified proxy. There is no support for authentication methods or for having
the proxy forward incoming connections, and there is no attempt to proxy UDP.
2012-04-18 23:19:40 +02:00
Guus Sliepen
535a55100b Allow environment variables to be used for Name.
When the Name starts with a $, the rest will be interpreted as the name of an
environment variable containing the real Name. When Name is $HOST, but this
environment variable does not exist, gethostname() will be used to set the
Name. In both cases, illegal characters will be converted to underscores.
2012-03-29 16:45:25 +01:00
Guus Sliepen
86c2990327 Merge branch 'master' of git://tinc-vpn.org/tinc into 1.1
Conflicts:
	NEWS
	README
	configure.in
	src/Makefile.am
	src/conf.c
	src/conf.h
	src/connection.c
	src/net.c
	src/tincd.c
2012-03-25 23:35:31 +01:00
Guus Sliepen
4712d8f92e Update copyright notices. 2012-03-10 13:23:08 +01:00
Guus Sliepen
f5dc136cfd Merge branch 'master' of git://tinc-vpn.org/tinc into 1.1
Conflicts:
	src/net.c
	src/net_packet.c
	src/net_socket.c
2012-02-23 13:26:01 +01:00
Guus Sliepen
5a28aa7b8b Add LocalDiscovery option which tries to detect peers on the local network.
Currently, this is implemented by sending IPv4 broadcast packets to the
LAN during path MTU discovery.
2012-02-22 23:17:43 +01:00
Guus Sliepen
cff27a258f Use ECDSA to sign ECDH key exchange for UDP session keys.
The ECDSA public keys will also be included in the ANS_KEY requests,
but are only used when no ECDSA public key is known yet.
2011-07-16 20:21:44 +02:00
Guus Sliepen
210b5ceeee Read ECDSA keys. 2011-07-07 22:28:25 +02:00
Guus Sliepen
33f241d978 Merge branch 'master' of git://tinc-vpn.org/tinc into 1.1
Conflicts:
	NEWS
	configure.in
	doc/tincd.8.in
	lib/pidfile.c
	lib/pidfile.h
	lib/xalloc.h
	lib/xmalloc.c
	src/conf.c
	src/conf.h
	src/connection.c
	src/connection.h
	src/event.c
	src/graph.c
	src/graph.h
	src/net.c
	src/net.h
	src/node.h
	src/openssl/crypto.c
	src/process.c
	src/protocol.c
	src/protocol_key.c
	src/route.c
2011-06-06 20:42:15 +02:00
Sven-Haegar Koch
04de15984f do_outgoing_connection() may delete a failed connection, and the structure
must not be accessed afterwards.
2011-05-29 22:05:14 +02:00
Guus Sliepen
6d08eb1614 Fix sparse warnings and add an extra sprinkling of const.
This is more or less the equivalent of Sven-Haegar Koch's fixes in the 1.1
branch.
2011-05-28 23:36:52 +02:00
Guus Sliepen
f5843e7d64 Add per-node traffic counters. 2011-05-15 00:42:29 +02:00
Guus Sliepen
886a6f61a1 Merge branch 'master' into 1.1
Conflicts:
	src/net_packet.c
	src/openssl/rsagen.h
	src/protocol_auth.c
	src/protocol_key.c
2010-11-19 12:22:48 +00:00
Brandon L Black
23acc19bc0 Configurable ReplayWindow size, zero disables 2010-11-13 21:25:46 +01:00
Brandon L Black
8dfe1b374e Configurable SO_RCVBUF/SO_SNDBUF for the UDP socket 2010-11-13 21:25:44 +01:00
Guus Sliepen
a22041922f Merge branch 'master' into 1.1
Conflicts:
	doc/tincd.8.in
	lib/pidfile.c
	src/graph.c
	src/net.c
	src/net.h
	src/net_packet.c
	src/net_setup.c
	src/net_socket.c
	src/netutl.c
	src/node.c
	src/node.h
	src/protocol_auth.c
	src/protocol_key.c
	src/tincd.c
2010-11-12 16:15:29 +01:00