[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
(usagi-users 03897) Re: Binding Update Messages not routed
- To: <usagi-users@xxxxxxxxxxxxxx>
- Subject: (usagi-users 03897) Re: Binding Update Messages not routed
- From: "Kohn, Rodolfo" <rodolfo.kohn@xxxxxxxxx>
- Date: Thu, 19 Jul 2007 07:23:27 -0700
- In-reply-to: <12982123405724458280C4FD3FF9C08B030BFD65@fmsmsx418.amr.corp.intel.com>
- Reply-to: usagi-users@xxxxxxxxxxxxxx
- Thread-index: Ace/jCJc/l11HopjRWKKvHYVGZZnEwDvuFyQAbEokLA=
- Thread-topic: (usagi-users 03876) Re: Binding Update Messages not routed
Hi Shinta,
Regarding the problem you were helping me to solve, I would like to
publish the real solution. It was a problem with netfilter.
I removed all ip6tables rules in all my nodes (MN, router, HA):
ip6tables -F
Later I should review the policies in a fine grain way (not just remove
them) for the sake of security.
Thanks,
Rodolfo.
>-----Original Message-----
>From: Kohn, Rodolfo [mailto:rodolfo.kohn@xxxxxxxxx]
>Sent: Wednesday, July 11, 2007 1:00 PM
>To: usagi-users@xxxxxxxxxxxxxx
>Subject: (usagi-users 03876) Re: Binding Update Messages not routed
>
>Hi Shinta,
>
>I finally solved the problem. I forgot to write 1 to
>/proc/sys/net/ipv6/conf/all/forwarding
>
>I don't know if I have to write 1 to
>/proc/sys/net/ipv4/ip_forward
>but I also did it.
>
>Now I have a problem with the HA IPv6 address configuration but that's
a
>topic for another thread.
>
>Thanks,
>Rodolfo.
>
>
>
>
>
>
>
>>-----Original Message-----
>>From: Shinta Sugimoto [mailto:shinta@xxxxxxxxxxxxxx]
>>Sent: Friday, July 06, 2007 1:42 AM
>>To: usagi-users@xxxxxxxxxxxxxx
>>Subject: (usagi-users 03873) Re: Binding Update Messages not routed
>>
>>Hi Rodolfo,
>>
>>I checked your packet capture and also the MN configuration file.
>>The BU message as well as the configuration file look just fine.
>>
>>> The weird thing is that if I stop the MN and HA MIPv6 daemons, in
the
>>> corresponding nodes, and then I send a ping6 from the "MN" node to
>the
>>> node that would be the HA, it runs all right.
>>
>>Ok.
>>
>>> Maybe, I'm having a problem with tunneling in the router?
>>
>>I am not sure what you mean by "a problem with tunneling in
>>the router"? I cannot find any relation to "tunneling" from
>>your report but maybe I am missing some information.
>>It seems that the router just cannot forward the packet
>>(the BU message) for some reason, maybe due to the netfilter
>>settings, and sends back an IMCPv6 message to the sender.
>>Can you check the netfilter configuration at your router?
>>
>>
>>Regards,
>>Shinta
>>
>>On Thu, 5 Jul 2007 12:21:46 -0700
>>"Kohn, Rodolfo" <rodolfo.kohn@xxxxxxxxx> wrote:
>>
>>> Hi Shinta,
>>>
>>> I agree with you, the problem seems to be something different than
>>> MIPv6.
>>> There is something in the router, I think it is related to the
>netfilter
>>> operation that is dropping (rejecting) the package and sending the
>>> "address unreachable".
>>>
>>> Internet Control Message Protocol v6 type and code:
>>> Type: 1 (Unreachable)
>>> Code: 3 (Address unreachable)
>>>
>>> I'm looking at the kernel code, I know at some point function
>>> "reject6_target", in file ip6t_REJECT.c, is called but I haven't
>found
>>> the root cause yet.
>>>
>>> The weird thing is that if I stop the MN and HA MIPv6 daemons, in
the
>>> corresponding nodes, and then I send a ping6 from the "MN" node to
>the
>>> node that would be the HA, it runs all right.
>>> Maybe, I'm having a problem with tunneling in the router?
>>>
>>>
>>> Here I'm sending the Ethereal output of the two messages (BU and
ICMP
>>> Address Unreachable).
>>>
>>> No. Time Source Destination
>Protocol
>>> Info
>>> 3 8.558770 3ffe:2621:6:1:20c:29ff:fe3e:42ad
3ffe:2620:6:1::1
>>> MIPv6 Binding Update
>>>
>>> Frame 3 (110 bytes on wire, 110 bytes captured)
>>> Arrival Time: Jun 18, 2007 19:39:22.511948000
>>> Time delta from previous packet: 2.478611000 seconds
>>> Time since reference or first frame: 8.558770000 seconds
>>> Frame Number: 3
>>> Packet Length: 110 bytes
>>> Capture Length: 110 bytes
>>> Protocols in frame: eth:ipv6:mipv6
>>> Ethernet II, Src: Vmware_3e:42:ad (00:0c:29:3e:42:ad), Dst:
>>> Vmware_d6:c5:e9 (00:0c:29:d6:c5:e9)
>>> Destination: Vmware_d6:c5:e9 (00:0c:29:d6:c5:e9)
>>> Address: Vmware_d6:c5:e9 (00:0c:29:d6:c5:e9)
>>> .... ...0 .... .... .... .... = Multicast: This is a UNICAST
>>> frame
>>> .... ..0. .... .... .... .... = Locally Administrated
>Address:
>>> This is a FACTORY DEFAULT address
>>> Source: Vmware_3e:42:ad (00:0c:29:3e:42:ad)
>>> Address: Vmware_3e:42:ad (00:0c:29:3e:42:ad)
>>> .... ...0 .... .... .... .... = Multicast: This is a UNICAST
>>> frame
>>> .... ..0. .... .... .... .... = Locally Administrated
>Address:
>>> This is a FACTORY DEFAULT address
>>> Type: IPv6 (0x86dd)
>>> Internet Protocol Version 6
>>> Version: 6
>>> Traffic class: 0x00
>>> Flowlabel: 0x00000
>>> Payload length: 56
>>> Next header: IPv6 destination option (0x3c)
>>> Hop limit: 64
>>> Source address: 3ffe:2621:6:1:20c:29ff:fe3e:42ad
>>> (3ffe:2621:6:1:20c:29ff:fe3e:42ad)
>>> Destination address: 3ffe:2620:6:1::1 (3ffe:2620:6:1::1)
>>> Destination Option Header
>>> Next header: Mobile IPv6 (0x87)
>>> Length: 2 (24 bytes)
>>> PadN: 4 bytes
>>> Option Type: 201 (0xc9) - Home Address Option
>>> Option Length : 16
>>> Home Address : 3ffe:2620:6:1::1234 (3ffe:2620:6:1::1234)
>>> Mobile IPv6 / Network Mobility
>>> Payload protocol: IPv6 no next header (0x3b)
>>> Header length: 3 (32 bytes)
>>> Mobility Header Type: Binding Update (5)
>>> Reserved: 0x00
>>> Checksum: 0x87cc
>>> Binding Update
>>> Sequence number: 49626
>>> 1... .... = Acknowledge (A) flag: Binding Acknowledgement
>>> requested
>>> .1.. .... = Home Registration (H) flag: Home Registration
>>> ..0. .... = Link-Local Compatibility (L) flag: No Link-Local
>>> Address Compatibility
>>> ...0 .... = Key Management Compatibility (K) flag: No Key
>>> Management Mobility Compatibility
>>> .... 0... = Multiple Care of Address (M) flag: No Multiple
>Care
>>> of Address Comaptibility
>>> Lifetime: 65535 (262140 seconds)
>>> Mobility Options
>>> PadN: 2 bytes
>>> Alternate care-of address: 3ffe:2621:6:1:20c:29ff:fe3e:42ad
>>> (3ffe:2621:6:1:20c:29ff:fe3e:42ad)
>>>
>>> No. Time Source Destination
>Protocol
>>> Info
>>> 4 8.558953 3ffe:2621:6:1::5
>>> 3ffe:2621:6:1:20c:29ff:fe3e:42ad ICMPv6 Unreachable (Address
>>> unreachable)
>>>
>>> Frame 4 (158 bytes on wire, 158 bytes captured)
>>> Arrival Time: Jun 18, 2007 19:39:22.512131000
>>> Time delta from previous packet: 0.000183000 seconds
>>> Time since reference or first frame: 8.558953000 seconds
>>> Frame Number: 4
>>> Packet Length: 158 bytes
>>> Capture Length: 158 bytes
>>> Protocols in frame: eth:ipv6:icmpv6:ipv6:mipv6
>>> Ethernet II, Src: Vmware_d6:c5:e9 (00:0c:29:d6:c5:e9), Dst:
>>> Vmware_3e:42:ad (00:0c:29:3e:42:ad)
>>> Destination: Vmware_3e:42:ad (00:0c:29:3e:42:ad)
>>> Address: Vmware_3e:42:ad (00:0c:29:3e:42:ad)
>>> .... ...0 .... .... .... .... = Multicast: This is a UNICAST
>>> frame
>>> .... ..0. .... .... .... .... = Locally Administrated
>Address:
>>> This is a FACTORY DEFAULT address
>>> Source: Vmware_d6:c5:e9 (00:0c:29:d6:c5:e9)
>>> Address: Vmware_d6:c5:e9 (00:0c:29:d6:c5:e9)
>>> .... ...0 .... .... .... .... = Multicast: This is a UNICAST
>>> frame
>>> .... ..0. .... .... .... .... = Locally Administrated
>Address:
>>> This is a FACTORY DEFAULT address
>>> Type: IPv6 (0x86dd)
>>> Internet Protocol Version 6
>>> Version: 6
>>> Traffic class: 0x00
>>> Flowlabel: 0x00000
>>> Payload length: 104
>>> Next header: ICMPv6 (0x3a)
>>> Hop limit: 64
>>> Source address: 3ffe:2621:6:1::5 (3ffe:2621:6:1::5)
>>> Destination address: 3ffe:2621:6:1:20c:29ff:fe3e:42ad
>>> (3ffe:2621:6:1:20c:29ff:fe3e:42ad)
>>> Internet Control Message Protocol v6
>>> Type: 1 (Unreachable)
>>> Code: 3 (Address unreachable)
>>> Checksum: 0x050e [correct]
>>> Internet Protocol Version 6
>>> Version: 6
>>> Traffic class: 0x00
>>> Flowlabel: 0x00000
>>> Payload length: 56
>>> Next header: IPv6 destination option (0x3c)
>>> Hop limit: 63
>>> Source address: 3ffe:2621:6:1:20c:29ff:fe3e:42ad
>>> (3ffe:2621:6:1:20c:29ff:fe3e:42ad)
>>> Destination address: 3ffe:2620:6:1::1 (3ffe:2620:6:1::1)
>>> Destination Option Header
>>> Next header: Mobile IPv6 (0x87)
>>> Length: 2 (24 bytes)
>>> PadN: 4 bytes
>>> Option Type: 201 (0xc9) - Home Address Option
>>> Option Length : 16
>>> Home Address : 3ffe:2620:6:1::1234 (3ffe:2620:6:1::1234)
>>> Mobile IPv6 / Network Mobility
>>> Payload protocol: IPv6 no next header (0x3b)
>>> Header length: 3 (32 bytes)
>>> Mobility Header Type: Binding Update (5)
>>> Reserved: 0x00
>>> Checksum: 0x87cc
>>> Binding Update
>>> Sequence number: 49626
>>> 1... .... = Acknowledge (A) flag: Binding
Acknowledgement
>>> requested
>>> .1.. .... = Home Registration (H) flag: Home
Registration
>>> ..0. .... = Link-Local Compatibility (L) flag: No
>Link-Local
>>> Address Compatibility
>>> ...0 .... = Key Management Compatibility (K) flag: No
Key
>>> Management Mobility Compatibility
>>> .... 0... = Multiple Care of Address (M) flag: No
>Multiple
>>> Care of Address Comaptibility
>>> Lifetime: 65535 (262140 seconds)
>>> Mobility Options
>>> PadN: 2 bytes
>>> Alternate care-of address:
>3ffe:2621:6:1:20c:29ff:fe3e:42ad
>>> (3ffe:2621:6:1:20c:29ff:fe3e:42ad)
>>>
>>>
>>>
>>>
>>> I'm also sending the MN configuration file:
>>>
>>>
>>> # This is an example of mip6d Mobile Node configuration file
>>>
>>> NodeConfig MN;
>>>
>>> ## If set to > 0, will not detach from tty
>>> DebugLevel 10;
>>>
>>> ## Support route optimization with other MNs
>>> DoRouteOptimizationCN enabled;
>>>
>>> ## Use route optimization with CNs
>>> DoRouteOptimizationMN enabled;
>>>
>>> UseCnBuAck disabled;
>>>
>>> MnDiscardHaParamProb enabled;
>>>
>>> Interface "eth0";
>>>
>>> #Interface "eth1" {
>>> # MnIfPreference 2;
>>> #}
>>>
>>> MnRouterProbes 1;
>>>
>>> MnHomeLink "eth0" {
>>> HomeAgentAddress 3ffe:2620:6:1::1;
>>> HomeAddress 3ffe:2620:6:1::1234/64;
>>>
>>> # address opt.
>>> #MnRoPolicy 3ffe:2060:6:1::3 enabled;
>>> #MnRoPolicy disabled;
>>> }
>>>
>>> ##
>>> ## IPsec configuration
>>> ##
>>>
>>> UseMnHaIPsec disabled;
>>>
>>> ## Key Management Mobility Capability
>>> KeyMngMobCapability disabled;
>>>
>>> #IPsecPolicySet {
>>> #HomeAgentAddress 3ffe:2620:6:1::1;
>>> #HomeAddress 3ffe:2620:6:1::1234/64;
>>>
>>> #IPsecPolicy Mh UseESP;
>>> #IPsecPolicy TunnelMh UseESP;
>>>
>>> # IPsecPolicy Mh UseESP 1 2;
>>> # IPsecPolicy ICMP UseESP 5;
>>> # IPsecPolicy TunnelMh UseESP 3 4;
>>> #}
>>>
>>>
>>>
>>>
>>>
>>> Thanks,
>>> Rodolfo.
>>>
>>>
>>>
>>> >-----Original Message-----
>>> >From: Shinta Sugimoto [mailto:shinta@xxxxxxxxxxxxxx]
>>> >Sent: Wednesday, July 04, 2007 12:21 AM
>>> >To: usagi-users@xxxxxxxxxxxxxx
>>> >Subject: (usagi-users 03870) Re: Binding Update Messages not routed
>>> >
>>> >Hi,
>>> >
>>> >Could you send us the packet capture (preferrably taken
>>> >by another node attached to the same link as the MN) that
>>> >includes both the BU message and the ICMP error message?
>>> >And could you also send the configuration file of your
>>> >mobile node?
>>> >
>>> >The BU packet comes with a home address destination option,
>>> >but it should affect the source IP address not the
>>> >destination IP address. The error you got (destination
>>> >unreach) is telling that the router could not find the
>>> >route to the destination, so it seems that the cause of
>>> >the error is something other than MIPv6 operation.
>>> >
>>> >Regards,
>>> >Shinta
>>> >
>>> >On Tue, 3 Jul 2007 05:02:01 -0700
>>> >"Kohn, Rodolfo" <rodolfo.kohn@xxxxxxxxx> wrote:
>>> >
>>> >> Hi all,
>>> >>
>>> >> I'm having a problem with my MIPv6 testbed.
>>> >>
>>> >>
>>> >>
>>> >> The router, instead of forwarding the Binding Update messages
from
>>> one
>>> >> network to other, is dropping the BUs sent from the MN to the HA.
>>> Then,
>>> >> it returns "Unreachable destination" to the MN.
>>> >>
>>> >>
>>> >>
>>> >> I think it is a problem with netfilter but I cannot figure out
the
>>> root
>>> >> cause.
>>> >>
>>> >>
>>> >>
>>> >> When I stop using MIPv6 (I stopped mip6d) and I run a ping6 from
>one
>>> >> node to the other, it correctly works.
>>> >>
>>> >>
>>> >>
>>> >> My testbed consists of 2 networks connected with a router with
the
>MN
>>> in
>>> >> one network and the HA in the other network.
>>> >>
>>> >>
>>> >>
>>> >> If somebody could help me I'd appreciate it.
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> Thanks in advance,
>>> >>
>>> >> Rodolfo
>>> >>
>>> >>
>>> >>
>>> >
>>