[6bed4-devel] Bypassing the 6bed4 with direct connections.
Project: zeroconfig IPv6 tunnel (Status: Beta, brought to you by vanrein)
From: <ebi...@xm...> - 2012-06-18 00:10:15
I have been playing with this and I really don't like the current solution in 6bed4. As it currently stands the solution is enormously complex in its implementation and it does not actually work to pierce any connection tracking firewall (like iptables) that tracks the entire <srcip,srcport,destip,destport> tuple. I believe it is possible to come up with a comparatively simple design that allows for making any path that can work, work.

To get through firewalls that track the entire source and destination address we must attempt simultaneous connections from both sides. This is easy to arrange if we send an ICMP packet through the router from one machine to another to get it started. I think we can/should use modified neighbour solicits and neighbour advertisements to get this packet started. The idea is we start off with a 4-way handshake to exchange possible ip:port addresses and to establish the existence of bidirectional routing connectivity (to foil most IPv4 source address spoofing). Then both machines simultaneously perform traditional neighbour discovery at each other to see which possible ipv4:port destinations will work. So in 2 round trip times, or possibly 1.5 round trip times, I believe we can establish bidirectional connectivity that bypasses the router, if that bidirectional connectivity is possible.

There are a lot of dynamic details in practice that make this process tricky. I have spent way too much time understanding the current code and playing with it to get it to the point where I can play with testing my idea. Unfortunately I am out of time for the next week or two, so I don't know if a solution that works in theory will work in practice. Since we are simply using just the unicast messages on the ports we care about it should be very effective and comparatively simple.

Eric
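As an added illustration of the argument in the post (not code from the 6bed4 project or from its author), here is a toy Python model of a conntrack-style firewall that admits an inbound packet only if it reverses a tuple it has already seen leave; it shows why neighbour discovery from one side alone never gets through, while solicitations sent by both peers do. The ipv4:port candidates and the "NS"/"NA" payload labels are constructed for the example.

```python
from dataclasses import dataclass, field

Addr = tuple[str, int]  # (IPv4 address, UDP port) candidate learned via the router


@dataclass
class TupleFirewall:
    """iptables-style connection tracking: remember every outbound
    <src, dst> tuple; admit inbound only if it is the exact reverse."""
    seen: set = field(default_factory=set)

    def note_outbound(self, src: Addr, dst: Addr) -> None:
        self.seen.add((src, dst))

    def admits_inbound(self, src: Addr, dst: Addr) -> bool:
        return (dst, src) in self.seen


@dataclass
class Host:
    addr: Addr
    fw: TupleFirewall = field(default_factory=TupleFirewall)
    inbox: list = field(default_factory=list)  # (sender addr, payload)


def exchange(packets: list[tuple[Host, Host, str]]) -> int:
    """One half round-trip: every packet leaves its sender (creating
    conntrack state) before any packet reaches a receiver's firewall.
    Returns the number of packets that were delivered."""
    for src, dst, _ in packets:
        src.fw.note_outbound(src.addr, dst.addr)
    delivered = 0
    for src, dst, payload in packets:
        if dst.fw.admits_inbound(src.addr, dst.addr):
            dst.inbox.append((src.addr, payload))
            delivered += 1
    return delivered


def one_sided_discovery(a: Host, b: Host, tries: int = 3) -> int:
    """Classic neighbour discovery: only A solicits, B just waits.
    Returns how many solicitations reached B (always 0 here)."""
    return sum(exchange([(a, b, "NS")]) for _ in range(tries))


def simultaneous_discovery(a: Host, b: Host) -> int:
    """Both peers solicit at once, then advertise back. Returns the
    number of half round-trips used, or 0 if a probe was dropped."""
    if exchange([(a, b, "NS"), (b, a, "NS")]) != 2:
        return 0
    return 2 if exchange([(a, b, "NA"), (b, a, "NA")]) == 2 else 0


def fresh_pair() -> tuple[Host, Host]:
    # Constructed sample candidates; real ones come from the handshake.
    return Host(("198.51.100.7", 25788)), Host(("203.0.113.9", 25788))
```

The model omits the 4-way handshake through the router that supplies the candidate addresses, so the two half round-trips counted here are only the direct neighbour-discovery phase.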