From 24608d5ca300762ad3f6df34ea277ecc8ddbf6f6 Mon Sep 17 00:00:00 2001 From: Adam Ierymenko Date: Tue, 7 Apr 2015 12:22:33 -0700 Subject: [PATCH] Always use HELLO to contact, and we now confirm newly learned paths via a two-way handshake to prevent half-connects. --- node/Peer.cpp | 89 ++++++++++++++++++++++++++++++++++++------------- node/Peer.hpp | 13 ++++++++ node/Switch.cpp | 42 ++++++----------------- 3 files changed, 88 insertions(+), 56 deletions(-) diff --git a/node/Peer.cpp b/node/Peer.cpp index beaa9d3b6..ea94fd9e7 100644 --- a/node/Peer.cpp +++ b/node/Peer.cpp @@ -25,6 +25,8 @@ * LLC. Start here: http://www.zerotier.com/ */ +#include "../version.h" + #include "Constants.hpp" #include "Peer.hpp" #include "Node.hpp" @@ -68,38 +70,48 @@ void Peer::received( _lastReceive = now; if (!hops) { + bool pathIsConfirmed = false; + /* Learn new paths from direct (hops == 0) packets */ { unsigned int np = _numPaths; - - bool havePath = false; for(unsigned int p=0;pinit(remoteAddr,false); - slot->received(now,linkDesperation); - _numPaths = np; + if (slot) { + slot->init(remoteAddr,false); + slot->received(now,linkDesperation); + _numPaths = np; + pathIsConfirmed = true; + } + } else { + /* If this path is not known, send a HELLO. We don't learn + * paths without confirming that a bidirectional link is in + * fact present, but any packet that decodes and authenticates + * correctly is considered valid. */ + attemptToContactAt(RR,remoteAddr,linkDesperation,now); } } } @@ -107,7 +119,7 @@ void Peer::received( /* Announce multicast groups of interest to direct peers if they are * considered authorized members of a given network. Also announce to * supernodes and network controllers. */ - if ((now - _lastAnnouncedTo) >= ((ZT_MULTICAST_LIKE_EXPIRE / 2) - 1000)) { + if ((pathIsConfirmed)&&((now - _lastAnnouncedTo) >= ((ZT_MULTICAST_LIKE_EXPIRE / 2) - 1000))) { _lastAnnouncedTo = now; const bool isSupernode = RR->topology->isSupernode(_id.address()); @@ -144,6 +156,37 @@ void Peer::received( _lastMulticastFrame = now; } +void Peer::attemptToContactAt(const RuntimeEnvironment *RR,const InetAddress &atAddress,unsigned int linkDesperation,uint64_t now) +{ + Packet outp(_id.address(),RR->identity.address(),Packet::VERB_HELLO); + outp.append((unsigned char)ZT_PROTO_VERSION); + outp.append((unsigned char)ZEROTIER_ONE_VERSION_MAJOR); + outp.append((unsigned char)ZEROTIER_ONE_VERSION_MINOR); + outp.append((uint16_t)ZEROTIER_ONE_VERSION_REVISION); + outp.append(now); + + RR->identity.serialize(outp,false); + + switch(atAddress.ss_family) { + case AF_INET: + outp.append((unsigned char)ZT_PROTO_DEST_ADDRESS_TYPE_IPV4); + outp.append(atAddress.rawIpData(),4); + outp.append((uint16_t)atAddress.port()); + break; + case AF_INET6: + outp.append((unsigned char)ZT_PROTO_DEST_ADDRESS_TYPE_IPV6); + outp.append(atAddress.rawIpData(),16); + outp.append((uint16_t)atAddress.port()); + break; + default: + outp.append((unsigned char)ZT_PROTO_DEST_ADDRESS_TYPE_NONE); + break; + } + + outp.armor(_key,false); // HELLO is sent in the clear + RR->node->putPacket(atAddress,outp.data(),outp.size(),linkDesperation); +} + void Peer::addPath(const Path &newp) { unsigned int np = _numPaths; @@ -200,9 +243,7 @@ void Peer::resetWithinScope(const RuntimeEnvironment *RR,InetAddress::IpScope sc while (x < np) { if (_paths[x].address().ipScope() == scope) { if (_paths[x].fixed()) { - Packet outp(_id.address(),RR->identity.address(),Packet::VERB_NOP); - outp.armor(_key,false); - RR->node->putPacket(_paths[x].address(),outp.data(),outp.size(),_paths[x].desperation(now)); + attemptToContactAt(RR,_paths[x].address(),_paths[x].desperation(now),now); _paths[y++] = _paths[x]; // keep fixed paths } } else { diff --git a/node/Peer.hpp b/node/Peer.hpp index 31964c391..4bea101bc 100644 --- a/node/Peer.hpp +++ b/node/Peer.hpp @@ -169,6 +169,19 @@ public: return (Path *)0; } + /** + * Send a HELLO to this peer at a specified physical address + * + * This does not update any statistics. It's used to send initial HELLOs + * for NAT traversal and path verification. + * + * @param RR Runtime environment + * @param atAddress Destination address + * @param linkDesperation Link desperation + * @param now Current time + */ + void attemptToContactAt(const RuntimeEnvironment *RR,const InetAddress &atAddress,unsigned int linkDesperation,uint64_t now); + /** * @return All known direct paths to this peer */ diff --git a/node/Switch.cpp b/node/Switch.cpp index f15dd1f66..cbf72ec8a 100644 --- a/node/Switch.cpp +++ b/node/Switch.cpp @@ -265,20 +265,6 @@ void Switch::send(const Packet &packet,bool encrypt) } } -#if 0 -void Switch::sendHELLO(const Address &dest) -{ - Packet outp(dest,RR->identity.address(),Packet::VERB_HELLO); - outp.append((unsigned char)ZT_PROTO_VERSION); - outp.append((unsigned char)ZEROTIER_ONE_VERSION_MAJOR); - outp.append((unsigned char)ZEROTIER_ONE_VERSION_MINOR); - outp.append((uint16_t)ZEROTIER_ONE_VERSION_REVISION); - outp.append(Utils::now()); - RR->identity.serialize(outp,false); - send(outp,false); -} -#endif - bool Switch::unite(const Address &p1,const Address &p2,bool force) { if ((p1 == RR->identity.address())||(p2 == RR->identity.address())) @@ -370,19 +356,10 @@ bool Switch::unite(const Address &p1,const Address &p2,bool force) void Switch::contact(const SharedPtr &peer,const InetAddress &atAddr,unsigned int maxDesperation) { TRACE("sending NAT-t message to %s(%s)",peer->address().toString().c_str(),atAddr.toString().c_str()); + const uint64_t now = RR->node->now(); - uint64_t now = RR->node->now(); - - Packet outp(peer->address(),RR->identity.address(),Packet::VERB_NOP); - outp.armor(peer->key(),false); - - /* Note that we don't log this as a "sent" packet or send it via the peer's - * normal send() path. That's because this is a trial packet to an - * unconfirmed address. - * - * First attempt is always at desperation zero. Then we escalate to max - * before escalating through other NAT-t strategies. */ - RR->node->putPacket(atAddr,outp.data(),outp.size(),0); + // Attempt to contact at zero desperation first + peer->attemptToContactAt(RR,atAddr,0,now); // If we have not punched through after this timeout, open refreshing can of whupass { @@ -454,14 +431,13 @@ unsigned long Switch::doTimerTasks() } else { // Nope, nothing yet. Time to kill some kittens. - Packet outp(qi->peer->address(),RR->identity.address(),Packet::VERB_NOP); - outp.armor(qi->peer->key(),false); - switch(qi->strategyIteration++) { + case 0: { // First strategy: rifle method: direct packet to known port - RR->node->putPacket(qi->inaddr,outp.data(),outp.size(),qi->currentDesperation); + qi->peer->attemptToContactAt(RR,qi->inaddr,qi->currentDesperation,now); } break; + case 1: { // Second strategy: shotgun method up: try a few ports above InetAddress tmpaddr(qi->inaddr); @@ -469,9 +445,10 @@ unsigned long Switch::doTimerTasks() for(int i=0;i<9;++i) { if (++p > 0xffff) break; tmpaddr.setPort((unsigned int)p); - RR->node->putPacket(tmpaddr,outp.data(),outp.size(),qi->currentDesperation); + qi->peer->attemptToContactAt(RR,tmpaddr,qi->currentDesperation,now); } } break; + case 2: { // Third strategy: shotgun method down: try a few ports below InetAddress tmpaddr(qi->inaddr); @@ -479,7 +456,7 @@ unsigned long Switch::doTimerTasks() for(int i=0;i<3;++i) { if (--p < 1024) break; tmpaddr.setPort((unsigned int)p); - RR->node->putPacket(tmpaddr,outp.data(),outp.size(),qi->currentDesperation); + qi->peer->attemptToContactAt(RR,tmpaddr,qi->currentDesperation,now); } // Escalate link desperation after all strategies attempted @@ -493,6 +470,7 @@ unsigned long Switch::doTimerTasks() qi->strategyIteration = 0; } } break; + } qi->fireAtTime = now + ZT_NAT_T_TACTICAL_ESCALATION_DELAY;