Yggdrasil IP selected for public Internet #437

Closed
kravietz opened this issue Jun 17, 2019 · 16 comments
@kravietz

kravietz commented Jun 17, 2019

I'm experiencing a strange issue on a number of Linux boxes where the tun0 interface IP is being selected as the source IP for outgoing connections even for non-Yggdrasil IPs:

# tcpdump -ni eth0 ip6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:03:42.150824 IP6 201:77d2:16a9:6bc4:54fa:7fb5:e33f:a77f.46762 > 2001:41d0:701:1100::36e.39593: Flags [S], seq 1111678875, win 28800, options [mss 1440,sackOK,TS val 1852652957 ecr 0,nop,wscale 7], length 0

Obviously, this doesn't work because my node is trying to connect to a public node in order to join Yggdrasil network.

I suspect this might be caused by the fact that they are all being set with medium priority which results in the largest non-link-local subnet being selected (and that is 200::/7):

# ip -6 route 
200::/7 dev tun0 proto kernel metric 256 pref medium
2a01:4f8:1c1c:7d3::/68 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 metric 1024 pref medium

@kravietz
Author

This seems to be more complicated than just prefix-length. The problem can be essentially described as:

# ip route get 2001:41d0:701:1100::36e
2001:41d0:701:1100::36e from :: via fe80::1 dev eth0 src 201:77d2:16a9:6bc4:54fa:7fb5:e33f:a77f metric 1024 pref medium

So for connection to 2001:: address the kernel is selecting the 0201:: address on tun0 rather than 2a01:: address on eth0.

After reading tons about gai.conf, RFC6724 and experimenting with ip addrlabel I haven't really made much progress apart from marking the Yggdrasil IP as "deprecated" (preferred_lft 0) thus preventing the kernel from selecting it on outgoing connections:

ip addr replace dev tun0 201:77d2:16a9:6bc4:54fa:7fb5:e33f:a77f/7 scope global preferred_lft 0

This however only works for a nc test connection while yggdrasil daemon still continues to initiate connections from the 201:77d2... IP, most likely because the getaddrinfo still has the default precedence table but adding these entries seems to resolve the problem:

label 0200::/7      15
precedence 0200::/7      90

These essentially tell getaddrinfo that the network 0200::/7 prefix is a distinct network which should be preferred as source address when connecting to other 0200::/7 hosts (label) but it should be generally less preferred when connecting to servers (precedence). The latter should theoretically resolve the first issue, but it doesn't.

@Mikaela

Mikaela commented Jun 18, 2019

Have you seen #180? I think this may be similar.

@akklesed

> via fe80::1 dev eth0 src 201:77d2:16a9:6bc4:54fa:7fb5:e33f:a77f

well that's troublesome. it's not routing via wrong interface, probably because it doesn't have route via that. yet it picks wrong src address. it's something about address itself not route I think.
out of curiosity, what kernel version are you running? uname -r would be nice to know.
oh, I also noticed scope global in my yggdrasil address. shouldn't that actually be scope link? what are other possible scopes, and how does this scoping stuff work?
gai.conf only really applies for getaddrinfo function iirc, it doesn't do anything for actual routing or outgoing address selection (unless that selection is manual and getaddrinfo-based).

@akklesed

second link is about something a little bit different so it can be disregarded

@styromaniac

styromaniac commented Dec 6, 2020

Does this work in place of the precedence given in gai.conf? Someone suggested the following:

sudo sysctl -w net.ipv6.conf.all.disable_ipv6=0

@kravietz
Author

kravietz commented Dec 7, 2020

@styromaniac But this will completely disable IPv6 including Yggdrasil's 200::/7 subnet?

@styromaniac

> @styromaniac But this will completely disable IPv6 including Yggdrasil's 200::/7 subnet?

You'll be able to browse Yggdrasil sites still, but maybe not host a Yggdrasil site.

@neilalexander
Member

neilalexander commented Dec 7, 2020

Is the latest develop build (0.3.15-0087) of Yggdrasil any better? It now returns ICMPv6 Destination Unreachable packets when traffic destined for the internet is incorrectly sent into the Yggdrasil TUN adapter, which may or may not help with this problem.

@styromaniac

styromaniac commented Dec 8, 2020

> Is the latest develop build (0.3.15-0087) of Yggdrasil any better? It now returns ICMPv6 Destination Unreachable packets when traffic destined for the internet is incorrectly sent into the Yggdrasil TUN adapter, which may or may not help with this problem.

I assume that I should enter into terminal...

sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1

...in order to reverse what I posted above.

Now how do I get the latest development version of Yggdrasil?

@neilalexander
Member

> I assume that I should enter into terminal...
>
> sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
>
> ...in order to reverse what I posted above.

That sure looks a lot like you're going to globally disable IPv6 on all interfaces, including the Yggdrasil TUN adapter, which will stop Yggdrasil from working properly.

You should not need to mess with those sysctls at all.

> Now how do I get the latest development version of Yggdrasil?

https://yggdrasil-network.github.io/builds-develop.html

@styromaniac

styromaniac commented Dec 8, 2020

> > I assume that I should enter into terminal...
> >
> > sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
> >
> > ...in order to reverse what I posted above.
>
> That sure looks a lot like you're going to globally disable IPv6 on all interfaces, including the Yggdrasil TUN adapter, which will stop Yggdrasil from working properly.
>
> You should not need to mess with those sysctls at all.
>
> > Now how do I get the latest development version of Yggdrasil?
>
> https://yggdrasil-network.github.io/builds-develop.html

Alright. I re-enabled IPv6, installed the development build, and did nothing else.

We'll see if this fixes the problem. It might take a solid day or two to be sure it's fixed.

@styromaniac

I think the issue is fixed, but let's ask others if they have the same experience first.

@styromaniac

> Is the latest develop build (0.3.15-0087) of Yggdrasil any better? It now returns ICMPv6 Destination Unreachable packets when traffic destined for the internet is incorrectly sent into the Yggdrasil TUN adapter, which may or may not help with this problem.

I would publish the change to the stable channel if it's working on your end as well. Nobody else is responding. I can't wait for the Android version to possibly be fixed.

@whoizit

whoizit commented Feb 13, 2023

If this is related to #180, the build from develop does not help me.
The last solution I use is:

$ grep -v \# /etc/gai.conf 
label ::1/128       0
label ::/0          1
label 2002::/16     2
label ::/96         3
label ::ffff:0:0/96 4
label fec0::/10     5
label fc00::/7      6
label 2001:0::/32   7
label 200::/7       10
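
Added illustration (not part of any comment in this thread, and not Yggdrasil or glibc code): how the RFC 6724 policy-table lookup behind the gai.conf `label` lines treats the addresses from this issue, with and without the `200::/7` entry. The function names, the eth0 address and the Yggdrasil peer address are constructed for the example; it models only the label lookup that getaddrinfo uses, not the kernel's own source address selection.

```python
import ipaddress

# Label table copied from the /etc/gai.conf listing above.
GAI_CONF = """\
label ::1/128       0
label ::/0          1
label 2002::/16     2
label ::/96         3
label ::ffff:0:0/96 4
label fec0::/10     5
label fc00::/7      6
label 2001:0::/32   7
label 200::/7       10
"""

def parse_labels(text):
    """Return [(network, label)] from gai.conf 'label' lines; other lines are ignored."""
    table = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 3 and fields[0] == "label":
            table.append((ipaddress.ip_network(fields[1]), int(fields[2])))
    return table

def label_of(addr, table):
    """Policy-table lookup: the longest matching prefix decides the label."""
    ip = ipaddress.ip_address(addr)
    return max((net.prefixlen, lbl) for net, lbl in table if ip in net)[1]

def labels_match(src, dst, table):
    """RFC 6724 'prefer matching label' test for one source/destination pair."""
    return label_of(src, table) == label_of(dst, table)

YGG_SRC = "201:77d2:16a9:6bc4:54fa:7fb5:e33f:a77f"   # tun0 address from the issue
PUBLIC_DST = "2001:41d0:701:1100::36e"               # public peer from the issue
ETH0_SRC = "2a01:4f8:1c1c:7d3::1"                    # constructed, inside the eth0 prefix
YGG_PEER = "200::1"                                  # constructed Yggdrasil destination

with_ygg = parse_labels(GAI_CONF)
without_ygg = [(n, l) for n, l in with_ygg if str(n) != "200::/7"]

if __name__ == "__main__":
    for name, table in (("without 200::/7", without_ygg), ("with 200::/7", with_ygg)):
        print(name,
              "| ygg->public:", labels_match(YGG_SRC, PUBLIC_DST, table),
              "| eth0->public:", labels_match(ETH0_SRC, PUBLIC_DST, table),
              "| ygg->ygg:", labels_match(YGG_SRC, YGG_PEER, table))
```

Without the extra line the Yggdrasil address falls under `::/0` and shares label 1 with every public destination; with it, only Yggdrasil-to-Yggdrasil pairs share a label.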

@neilalexander
Member

Closing as this is a glibc issue.

neilalexander closed this as not planned Oct 21, 2023