v1.3: new licence => new release

- the siit-dc drafts have been adopted by the v6ops wg
- host agent renamed to edge relay

LICENCE

@@ -1,5 +1,19 @@
-Copyright (c) 2014 Tore Anderson <tore@fud.no>
+Copyright (c) 2014-2015 Tore Anderson <tore@fud.no>
 
-  As long as you retain this notice, you may use this piece of software as
-  you wish. If you like it, and we happen to meet one day, you can buy me
-  a beer in return. If you really like it, make it an IPA.
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.pod

@@ -1,6 +1,6 @@
 =head1 NAME
 
-B<clatd> - a CLAT implementation for Linux
+B<clatd> - a CLAT / SIIT-DC Edge Relay implementation for Linux
 
 =head1 DESCRIPTION
 
@@ -13,11 +13,12 @@ local applications on the host requires actual IPv4 connectivity or cannot
 make use of DNS64 (for example because they use legacy AF_INET socket calls,
 or if they are simply not using DNS64).
 
-It may also be used in combination with a stateless PLAT as defined by
-I<I-D.anderson-siit-dc> to give the otherwise IPv6-only host a public IPv4
-address with connectivity to the IPv4 internet. This may be useful in a
-server environment that are using legacy IPv4-only applications as described
-above.
+B<clatd> may also be used to implement an SIIT-DC Edge Relay as described in
+I<I-D.ietf-v6ops-siit-dc-2xlat>. In this scenario, the PLAT is in reality a
+SIIT-DC Border Relay (see I<I-D.ietf-v6ops-siit-dc>) instead of a Stateful
+NAT64 (see I<RFC6146>). When used as a SIIT-DC Edge Relay, you will probably
+want to manually configure the settings I<clat-v4-addr>, I<clat-v6-addr>, and
+I<plat-prefix> to mirror the SIIT-DC Border Relay's configuration.
 
 It relies on the software package TAYGA by Nathan Lutchansky for the actual
 translation of packets between IPv4 and IPv6 (I<RFC 6145>) TAYGA may be
@@ -33,7 +34,7 @@ B<clatd> [options]
 
 =item -q
 
-Quiet mode; suppress normal output This is the same as setting B<quiet=1>.
+Quiet mode; suppress normal output. This is the same as setting B<quiet=1>.
 Warnings and errors are still outputted, to silence those too, repeat I<-q>.
 
 =item -d
@@ -129,22 +130,40 @@ simultaneously.
 The IPv4 address that will be assigned to the CLAT device. Local applications
 will bind to this address when communicating with external IPv4 destinations.
 In a standard 464XLAT environment with a stateful NAT64 serving as the PLAT,
-there should be no need to change the default, but if the PLAT is a stateless
-translator (a la I-D.draft-anderson-siit-dc), you might want to set this to
-the true external address used externally, so the the local applications can
-correctly identify which public address they'll be using on the IPv4 internet.
+there should be no need to change the default.
 
-The default address is one from I<I-D.draft-byrne-v6ops-clatip>.
+When using B<clatd> as an SIIT-DC Edge Relay (I<I-D.ietf-v6ops-siit-dc-2xlat>),
+you will want to set this to the IPv4 Service Address configured in the SIIT-DC
+Border Relay. This way, local applications can correctly identify which public
+address they'll be using on the IPv4 internet, and will be able to provide
+fully functional references to it in application-level payload, and so on.
+
+The default address is one from I<RFC 7335>.
 
 =item B<clat-v6-addr=ipv6-address> (default: auto-generated)
 
 The IPv6 address of the CLAT. Traffic to/from the B<clat-v4-addr> will be
-translated into this address. By default, B<clatd> will attempt to figure out
-which network device will be used for traffic towards the PLAT, see if there
-is any SLAAC-configured addresses on it, and if so substitute the '0xfffe'
-value in the middle of the Interface ID for '0xc1a7' to generate a new
-address for the CLAT. If you're not using SLAAC you will have to set this
-manually.
+translated into this address. When using B<clatd> as an SIIT-DC Edge Relay, you
+will want to set this to the same IPv6 address in the Explicit Address Mapping
+configured in the SIIT-DC Border Relay.
+
+By default, B<clatd> will attempt to figure out which network device will be
+used for traffic towards the PLAT, see if there is any SLAAC-based globally
+scoped addresses on it (i.e., a /64 with '0xfffe' in the middle of the
+Interface ID), and will if so substitute that '0xfffe' value with '0xc1a7'
+("clat") to generate a CLAT IPv6 address.
+
+If only a non-SLAAC global address is found on the PLAT-facing device,
+B<clatd> will substitute its Interface ID with a random integer and use the
+result as the CLAT IPv6 address. It will only do so if the prefix length is
+/120 or smaller, as otherwise the risk of IID collisions is considered to be
+too high. Note that on most Perl platforms, the I<rand()> function is limited
+to 48 bits, which means that for longer IIDs, the least significant bits will
+be all 0.
+
+If multiple addresses are found in either category, the one that shares the
+longest common prefix with the PLAT prefix will be preferred when deriving
+the CLAT IPv6 address according to the algorithm described above.
 
 =item B<dns64-servers=srv1,[srv2,..]> (default: use system resolver)
 
@@ -173,10 +192,11 @@ L<http://www.litech.org/tayga>. Required.
 
 =item B<forwarding-enable=bool> (default: I<yes>)
 
-Controls whether or not B<clatd> should enable IPv6 forwarding if necessary. IPv6
-forwarding is necessary for B<clatd> to work correctly. It will also ensure that
-the I<accept_ra> sysctl is to '2' for all devices have it set to '1', in order
-to prevent any connectivity loss as a result of enabling forwarding.
+Controls whether or not B<clatd> should enable IPv6 forwarding if necessary.
+IPv6 forwarding is necessary for B<clatd> to work correctly. It will also
+ensure that the I<accept_ra> sysctl is to '2' for all devices have it set to
+'1', in order to prevent any connectivity loss as a result of enabling
+forwarding.
 
 All sysctls that are modified will be restored to their original values when
 B<clatd> is shutting down.
@@ -185,8 +205,8 @@ B<clatd> is shutting down.
 
 Controls whether or not B<clatd> should insert ip6tables rules that permit the
 forwarding of IPv6 traffic between the CLAT and PLAT devices. Such forwarding
-must be permitted for B<clatd> to work correctly. Any rules added will be removed
-when B<clatd> is shutting down.
+must be permitted for B<clatd> to work correctly. Any rules added will be
+removed when B<clatd> is shutting down.
 
 The default is I<yes> if the ip6tables_filter kernel module is loaded, I<no>
 if it is not.
@@ -194,7 +214,7 @@ if it is not.
 =item B<plat-dev> (default: auto-detect)
 
 Which network device is facing the PLAT (NAT64). By default, this is
-auto-detecting by performing a route table lookup towards the PLAT prefix.
+auto-detected by performing a route table lookup towards the PLAT prefix.
 This setting is used when setting up generating the CLAT IPv6 address, and
 when setting up ip6tables rules and Proxy-ND entries.
 
@@ -230,7 +250,7 @@ ICMPv4 errors back to the host (i.e., it will show up as the first hop when
 tracerouting to IPv4 destinations), and you may also ping it to verify that
 the TAYGA process is still alive and well.
 
-The default address is one from I<I-D.draft-byrne-v6ops-clatip>.
+The default address is one from I<RFC 7335>.
 
 =item B<v4-conncheck-enable=bool> (default: I<yes>)
 
@@ -310,18 +330,32 @@ configuration file) when reporting a bug.
 
 =head1 LICENCE
 
-Copyright (c) 2014 Tore Anderson <tore@fud.no>
+Copyright (c) 2014-2015 Tore Anderson <tore@fud.no>
 
-As long as you retain this notice, you may use this piece of software as
-you wish. If you like it, and we happen to meet one day, you can buy me
-a beer in return. If you really like it, make it an IPA.
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
 
 =head1 SEE ALSO
 
 ip(8), ip6tables(8), tayga(8), tayga.conf(5)
 
-RFC 6052, RFC 6145, RFC 6146, RFC 6877, RFC 7050
+RFC 6052, RFC 6145, RFC 6146, RFC 6877, RFC 7050, RFC 7335
 
-I-D.anderson-siit-dc, I-D.byrne-v6ops-clatip
+I-D.ietf-v6ops-siit-dc, I-D.ietf-v6ops-siit-dc-2xlat, I-D.ietf-v6ops-siit-eam
 
 =cut

clatd

@@ -12,7 +12,7 @@
 use strict;
 use Net::IP;
 
-my $VERSION = "1.0";
+my $VERSION = "1.3";
 
 #
 # Populate the global config hash with the default values
@@ -21,7 +21,7 @@ my %CFG;
 $CFG{"quiet"} = 0;			# suppress normal output
 $CFG{"debug"} = 0;			# debugging output level
 $CFG{"clat-dev"} = "clat";		# TUN interface name to use
-$CFG{"clat-v4-addr"} = "192.0.0.1";	# from I-D.draft-byrne-v6ops-clatip
+$CFG{"clat-v4-addr"} = "192.0.0.1";	# from RFC 7335
 $CFG{"clat-v6-addr"} = undef;		# derive from existing SLAAC addr
 $CFG{"dns64-servers"} = undef;		# use system resolver by default
 $CFG{"cmd-ip"} = "ip";			# assume in $PATH
@@ -33,7 +33,7 @@ $CFG{"plat-dev"} = undef;		# PLAT-facing device, default detect
 $CFG{"plat-prefix"} = undef;		# detect using DNS64 by default
 $CFG{"proxynd-enable"} = 1;		# add proxy-nd entry for clat?
 $CFG{"tayga-conffile"} = undef;		# make a temporary one by default
-$CFG{"tayga-v4-addr"} = "192.0.0.2";	# from I-D.draft-byrne-v6ops-clatip
+$CFG{"tayga-v4-addr"} = "192.0.0.2";	# from RFC 7335
 $CFG{"v4-conncheck-enable"} = 1;	# exit if there's already a defroute
 $CFG{"v4-conncheck-delay"} = 10;	# seconds before checking for v4 conn.
 $CFG{"v4-defaultroute-enable"} = 1;	# add a v4 defaultroute via the CLAT?
@@ -89,7 +89,8 @@ sub cmd {
 
 #
 # Reads in key=value pairs from a configuration file, overwriting the default
-# setting in the %CFG hash. The key must exist, or we
+# setting in the %CFG hash. The key must exist in the built-in hash, or we
+# ignore the setting in the config file.
 #
 sub readconf {
   d("readconf('@_')");
@@ -424,47 +425,134 @@ sub is_modified_eui64 {
 
 
 #
-# This function considers any globally scoped /64 address on the PLAT-facing
-# device, checks to see if it is base on Modified EUI-64, and generates a
-# new address for the CLAT by substituting the "0xfffe" bits in the middle
-# of the Interface ID with 0xc1a7 ("clat"). This keeps the last 24 bits
-# unchanged, which has the added bonus of not requiring the host to join
-# another Solicited-Node multicast group.
+# This function considers any globally scoped IPv6 address on the PLAT-facing
+# device, and derives an CLAT IPv6 address from the best match (longest
+# common prefix with PLAT prefix). Addresses based on Modified EUI-64 are
+# preferred, and if found, it generates a new address for the CLAT by
+# substituting the "0xfffe" bits in the middle of the Interface ID with
+# 0xc1a7 ("clat"). This keeps the last 24 bits unchanged, which has the added
+# bonus of not requiring the host to join another Solicited-Node multicast
+# group. If no EUI-64 address is seen, it'll use a random IID instead.
 #
 sub get_clat_v6_addr {
   my $plat_dev = cfg("plat-dev");
   if(!$plat_dev) {
     err("get_clat_v6_addr(): No PLAT device to work with");
   }
-  p("Attempting to derive a CLAT IPv6 address from a EUI-64 address on ",
+
+  # In case there are more than one EUI-64-based addresses on the plat device,
+  # we'll need the plat prefix as an bigint in order to find which of those
+  # addresses share the longest common prefix. We'll prefer to use that one.
+  my $plat_prefix_int = Net::IP->new(cfg("plat-prefix"), 6)->intip();
+  if(!$plat_prefix_int) {
+    err("Failed to convert plat prefix to bigint");
+  }
+  my $ip; # will contain the best candidate ip in bigint format
+  my $ip_plen; # will contain the prefix length of the best candidate ip
+  my $best_score; # will contain the score of the best candidate seen
+  my $seen_eui64; # set if we've seen an eui-64 based address
+
+  p("Attempting to derive a CLAT IPv6 address from an IPv6 address on ",
     "'$plat_dev'");
   open(my $fd, '-|', cfg("cmd-ip"), qw(-6 address list scope global dev),
        $plat_dev)
     or err("'ip -6 address list scope global dev $plat_dev' failed to execute");
   while(<$fd>) {
-    if(m| inet6 (\S+)/64 scope global |) {
+    if(m| inet6 (\S+)/(\d{1,3}) scope global |) {
       my $candidate = $1;
-      next unless(is_modified_eui64($candidate));
-      d2("Saw EUI-64 based address: $candidate");
-      my $ip = Net::IP->new($candidate, 6) or next;
-      $ip = $ip->intip();
+      my $plen = $2;
+      d2("Saw a candidate address on '$plat_dev': $candidate/$plen");
+      my $candidate_int = Net::IP->new($candidate, 6)->intip();
+      if(!$candidate_int) {
+        err("Failed to convert plat prefix to bigint");
+      }
 
-      # First clear the middle 0xfffe bits of the interface ID
-      my $mask = Net::IP->new("ffff:ffff:ffff:ffff:ffff:ff00:00ff:ffff");
-      $mask = $mask->intip();
-      $ip &= $mask;
+      if($plen > 120) {
+        # We'll need a subnet with some space if we are to generate a random
+        # IID and don't have too large risk of collisions... /120 seems like
+        # an OK limit
+        d2("Refusing to use random IIDs for prefix lengths > /120");
+        next;
+      }
 
-      # Next set them to the value 0xc1a7 and return
-      $mask = Net::IP->new("::c1:a700:0", 6) or next;
-      $mask = $mask->intip();
-      $ip |= $mask;
+      # True if the candidate under consideration is EUI-64 based
+      my $is_eui64 = ($plen == 64) && is_modified_eui64($candidate);
 
-      $ip = Net::IP->new(Net::IP::ip_bintoip(Net::IP::ip_inttobin($ip, 6), 6));
-      return $ip->short() if $ip;
+      # If this is the first time we're considering an EUI-64 based address,
+      # we unconditionally prefer it (even if it doesn't have the longest
+      # matching prefix), because we consider deriving the CLAT IPv6
+      # address from an EUI-64 based candidate to be safer than generating
+      # a truly random CLAT IPv6 address.
+      if($is_eui64 and !$seen_eui64++) {
+        d2("Preferring $candidate/$plen; it's the first EUI-64 seen");
+        $best_score = $plat_prefix_int ^ $candidate_int;
+        $ip = $candidate_int;
+        $ip_plen = $plen;
+        next;
+      }
+
+      # If we already have found an EUI-64 based address, we can reject this
+      # candidate outright, as it is *not* EUI-64 based.
+      if(!$is_eui64 and $seen_eui64) {
+        d2("Rejecting $candidate/$plen; we have better EUI-64 candidates");
+        next;
+      }
+
+      # Otherwise, we'll be comparing EUI-64 to EUI-64, or non EUI-64 to
+      # non EUI-64. If so, we prefer the current candidate if it has a better
+      # score than the current best match (or if there is no current best
+      # match).
+      if(!$best_score or $best_score > ($plat_prefix_int ^ $candidate_int)) {
+        d2("Preferring $candidate/$plen; best match so far");
+        $best_score = $plat_prefix_int ^ $candidate_int;
+        $ip = $candidate_int;
+        $ip_plen = $plen;
+        next;
+      }
+
+      d2("Rejecting $candidate/$plen; we've seen better matches");
     }
   }
   close($fd)
     or err("'ip -6 address list scope global dev $plat_dev' failed");
+
+  if(!$ip) {
+    err("Could not find a global IPv6 address on $plat_dev from which ",
+        "to derive a CLAT IPv6 address (try setting 'clat-v6-addr')");
+  }
+
+  if($seen_eui64) {
+    # If the chosen candidate IP is EUI-64 based, we derive a CLAT IPv6
+    # address by replacing the 0xffe in the middle of the Interface ID with
+    # 0xc1a7 ("CLAT").
+
+    # First clear the middle 0xfffe bits of the interface ID
+    my $mask = Net::IP->new("ffff:ffff:ffff:ffff:ffff:ff00:00ff:ffff");
+    $mask = $mask->intip();
+    $ip &= $mask;
+
+    # Next set them to the value 0xc1a7
+    $mask = Net::IP->new("::c1:a700:0", 6) or err(Net::IP::Error());
+    $mask = $mask->intip();
+    $ip |= $mask;
+  } else {
+    # If the chosen candidate IP is NOT EUI-64 based, we'll just make up a
+    # random interface ID. There is no guarantee that this will actually
+    # work, but it's the best thing we can try...
+
+    # First zero out the entire Interface ID
+    $ip >>= (128-$ip_plen);
+    $ip <<= (128-$ip_plen);
+
+    my $iid = int(rand(2**(128-$ip_plen)));
+    d2(sprintf("Using random interface ID: %x", $iid));
+    $ip |= $iid;
+  }
+
+  # Convert back the BigInt to a regular Net::IP object and return
+  $ip = Net::IP->new(Net::IP::ip_bintoip(Net::IP::ip_inttobin($ip, 6), 6));
+  return $ip->short() if $ip;
+
   err("Failed to generate a CLAT IPv6 address (try setting 'clat-v6-addr')");
 }
 
@@ -554,8 +642,10 @@ for (my $i = 0; $i < @ARGV;) {
     splice(@ARGV, $i, 2);
     next;
   } elsif($ARGV[$i] =~ /^(-h|--help)$/) {
-    print "clatd v$VERSION - a 464XLAT (RFC 6877) CLAT implementation for ",
-          "Linux\n";
+    print <<"EOF";
+clatd v$VERSION - a 464XLAT (RFC 6877) CLAT and SIIT-DC Host Agent
+             (I-D.anderson-v6ops-siit-dc-2xlat) implementation for Linux
+EOF
     print "\n";
     print "  Usage:    clatd [-q] [-d [-d]] [-c config-file] ",
           "[conf-key=val ...]\n";
@@ -650,7 +740,7 @@ if(cfgbool("v4-conncheck-enable")) {
   while(<$fd>) {
     if(/^default /) {
       p("This system already has IPv4 connectivity; no need for a CLAT.");
-      exit_and_cleanup(0);
+      cleanup_and_exit(0);
     }
   }
   close($fd) or err("cmd(ip -4 route list default) failed");

scripts/clatd.networkmanager

@@ -7,8 +7,15 @@
 # Written by Tore Anderson <tore@fud.no>
 #
 
+# Newer NetworkManager versions will run the dispatcher scripts once
+# a new unmanaged interface shows up, including the 'clat' interface
+# created by clatd/TAYGA. So if we're being called due to our own
+# interface showing up, do nothing, otherwise we will end up
+# committing suicide from the restarts below
+[ "$DEVICE_IFACE" = "clat" ] && exit 0
+
 # We simply restart clatd in all situations, as no matter if an interface
-# goes up or down, it may mean that the PLAT devices changes, it may mean
+# goes up or down, it may mean that the PLAT device changes, it may mean
 # native IPv4 appearing or disappearing, or it may mean that DNS64 became
 # available or unavailable...it's far easier to simply restart always and
 # start from scratch than to figure out if a restart is truly necessary