IPv6: Floating IPs and Duplicate Address Detection

The very nature of floating IPs can lead to some classic quirks in a distributed-system network. This discussion focuses mainly on IPv6, and on how its duplicate-address detection mechanism can clash with the floating-IP technique.

Floating IPs are a common scenario in highly available or scaled-out distributed systems. The basic idea is to have a transient IP address that can move from one node to another, keeping the change of serving node transparent to the access side of the network. For instance, if there are two server machines, each represented by a unique IP, and one of them goes down, then its IP address “floats” to the other server, which will henceforth process the client requests. This technique is widely used to provide a seamless transition from one serving node to another in case of failures. One such implementation is present in OpenStack Nova.

On the other hand, Duplicate Address Detection (DAD) is a mechanism to identify whether the same IP address is assigned to multiple nodes on a local network. It is implemented using the Neighbor Discovery Protocol (NDP) under IPv6, and it uses the Neighbor Solicitation (NS) and Neighbor Advertisement (NA) messages. The operation applies to every address assigned on the link. More specifically:

  • all the IPs that fall under the link-local address family
  • all the IPs that fall under the global address family but are present on the same LAN (one hop away on the link)
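The NS/NA exchange behind DAD, and the way a floating address runs into it, can be modelled in a few lines. The following is an added example written for this page, not code from the post or from any real NDP stack: it simulates one link with two nodes, probes a tentative address with an NS from the unspecified source, and lets any node that already owns the address defend it with an NA. The node names and the address `2001:db8::10` are constructed.

```python
"""Toy model of IPv6 Duplicate Address Detection (RFC 4862) on one link,
showing how a floating address can fail DAD on its new home.

Added example for this page: not code from the post or from any real NDP
implementation. Node names and the address 2001:db8::10 are constructed."""
from dataclasses import dataclass, field

UNSPECIFIED = "::"   # source address of a DAD probe


@dataclass
class Message:
    kind: str    # "NS" (Neighbor Solicitation) or "NA" (Neighbor Advertisement)
    src: str     # source address; "::" marks a DAD probe
    target: str  # address being probed (NS) or advertised (NA)


class Link:
    """A broadcast domain: every message reaches every node except its sender.
    Delivery is synchronous, so a probe's replies have arrived when send() returns."""

    def __init__(self):
        self.nodes = []
        self.log = []  # (kind, src, target) tuples, in wire order

    def send(self, msg, sender):
        self.log.append((msg.kind, msg.src, msg.target))
        for node in self.nodes:
            if node is not sender:
                node.receive(msg, self)


@dataclass
class Node:
    name: str
    preferred: set = field(default_factory=set)  # addresses that passed DAD
    tentative: set = field(default_factory=set)  # addresses still being probed

    def assign(self, addr, link):
        """Run DAD for addr: probe once with an NS from ::, then check whether
        anything on the link objected. Returns True if addr is now usable."""
        self.tentative.add(addr)
        link.send(Message("NS", UNSPECIFIED, addr), sender=self)
        if addr in self.tentative:          # nobody defended or raced us
            self.tentative.discard(addr)
            self.preferred.add(addr)
            return True
        return False                        # duplicate: address must not be used

    def receive(self, msg, link):
        if msg.kind == "NS" and msg.src == UNSPECIFIED:
            if msg.target in self.preferred:
                # We own the address: defend it with a multicast NA (RFC 4862 5.4.4).
                link.send(Message("NA", msg.target, msg.target), sender=self)
            elif msg.target in self.tentative:
                # Two nodes probing the same address at once: both give it up (5.4.3).
                self.tentative.discard(msg.target)
        elif msg.kind == "NA" and msg.target in self.tentative:
            # Someone advertised the address we are probing: DAD failed.
            self.tentative.discard(msg.target)


def floating_ip_scenario(old_owner_releases):
    """Move the virtual IP from node A to node B and return (success, link.log).

    old_owner_releases=True models a clean failover (A drops the address before
    B claims it). False models the quirk the post describes: A is hung or cut
    off from the control plane but still answers NDP on the link, so B's DAD
    probe is defended and the address never comes up on B."""
    link = Link()
    a, b = Node("A"), Node("B")
    link.nodes.extend([a, b])
    vip = "2001:db8::10"
    if not a.assign(vip, link):
        raise RuntimeError("initial assignment on A should not be contested")
    if old_owner_releases:
        a.preferred.discard(vip)
    return b.assign(vip, link), link.log


if __name__ == "__main__":
    for clean in (True, False):
        ok, log = floating_ip_scenario(clean)
        print(f"old owner releases={clean}: B got the VIP={ok}; wire={log}")
```

The second scenario is the one to watch for in a failover design: a "dead" node that is still alive on the link will win the DAD exchange every time, and the takeover fails without any error on the access side. On Linux the number of probes and the reaction to a failed probe are per-interface sysctls (`dad_transmits` and `accept_dad` under `/proc/sys/net/ipv6/conf/`), which is where such a clash is usually diagnosed.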

Continue reading “IPv6: Floating IPs and Duplicate Address Detection”

Debugging Linux Kernel using QEMU

An old, lost, nifty toolkit for kernel debugging that I used long ago… Of course, the host OS is Linux — some Debian clone (Ubuntu).

Commands to run QEMU and debug the Linux kernel (either one will do):

qemu -kernel bzImage -append "root=/dev/sda console=ttyS0" -m 2G -hda wheezy.img -serial stdio -nographic -nodefaults -s -S
qemu -kernel bzImage -append "root=/dev/sda console=tty0" -m 2G -hda wheezy.img -s -S

Two important options here are:

# -S  Do not start the CPU at startup (you must type 'continue' at the gdb prompt).
# -s  Shorthand for -gdb tcp::1234, i.e. open a gdbserver on TCP port 1234.

On the debugging side:

$ gdb bzImage
(gdb) target remote localhost:1234

Continue reading “Debugging Linux Kernel using QEMU”

TCP_MD5SIG: An Undocumented Socket Option in Linux

Although the Linux kernel implements RFC 2385 as the TCP_MD5SIG socket option, there are no man-page entries describing its functionality and usage, on either the kernel or the user-space side. setsockopt() is a straightforward API; however, the prerequisites and constraints imposed by the RFC make it a bit tricky to use. It was meant to check authenticity, although it could also be used transparently for data integrity, where the TCP checksum is not good enough!

RFC 2385 is titled “Protection of BGP Sessions via the TCP MD5 Signature Option”. It was proposed back in 1998 to protect BGP from spoofing attacks in which an attacker forges TCP segments. By adding an MD5 signature as a TCP option (kind 19), the spec provides a mechanism to vouch for the authenticity of the sender and the data. The MD5 signature is computed using a key pre-shared between the client and the server.

The TCP_MD5SIG socket option stores a mapping from a peer endpoint to its pre-shared MD5 key. The client must be bound to a particular IP address and port known to the server. setsockopt() must be called on the server's listening socket and on the client's connecting socket, before the client calls connect().
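The ordering constraints just described (bind the client first, key the server's listening socket for that client endpoint, key the client socket for the server endpoint, only then connect) are easiest to see in a working round trip. The following is an added example written for this page, not code from the post: Python's socket module has no helper for `struct tcp_md5sig`, so the structure is packed by hand from the layout in the Linux UAPI header `linux/tcp.h`. It assumes a Linux kernel built with TCP-MD5 support, IPv4 peers only, and the key `constructed-demo-key` and addresses are constructed.

```python
"""Installing an RFC 2385 TCP-MD5 key on a Linux socket from Python.

Added example for this page, not code from the post. The Python socket module
offers no helper for struct tcp_md5sig, so the structure is packed by hand from
the layout in the Linux UAPI header linux/tcp.h. Assumptions: Linux with
TCP-MD5 support, IPv4 peers only; the demo key and addresses are constructed."""
import socket
import struct

TCP_MD5SIG = getattr(socket, "TCP_MD5SIG", 14)  # optname value from linux/tcp.h
TCP_MD5SIG_MAXKEYLEN = 80                        # size of tcpm_key[]
SOCKADDR_STORAGE_LEN = 128                       # sizeof(struct sockaddr_storage)


def pack_sockaddr_in(ip, port):
    """struct sockaddr_in: sin_family (native u16), sin_port (network order),
    sin_addr (4 bytes), sin_zero (8 bytes) -> 16 bytes."""
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(ip) + bytes(8))


def pack_tcp_md5sig(peer_ip, peer_port, key):
    """Build struct tcp_md5sig (216 bytes):
         struct sockaddr_storage tcpm_addr;                     128 bytes, the peer
         __u8 tcpm_flags; __u8 tcpm_prefixlen; __u16 tcpm_keylen;  4 bytes
         int  tcpm_ifindex;                                       4 bytes
         __u8 tcpm_key[80];                                      key, zero padded
    flags, prefixlen and ifindex stay 0: an exact-peer key with no scope."""
    if not 1 <= len(key) <= TCP_MD5SIG_MAXKEYLEN:
        raise ValueError("TCP-MD5 key must be 1..80 bytes")
    addr = pack_sockaddr_in(peer_ip, peer_port).ljust(SOCKADDR_STORAGE_LEN, b"\0")
    return (addr + struct.pack("=BBHi", 0, 0, len(key), 0)
            + key.ljust(TCP_MD5SIG_MAXKEYLEN, b"\0"))


def unpack_tcp_md5sig(blob):
    """Inverse of pack_tcp_md5sig, for inspection; returns (ip, port, key)."""
    if len(blob) != SOCKADDR_STORAGE_LEN + 8 + TCP_MD5SIG_MAXKEYLEN:
        raise ValueError("bad tcp_md5sig length")
    port = struct.unpack("!H", blob[2:4])[0]
    ip = socket.inet_ntoa(blob[4:8])
    keylen = struct.unpack("=H", blob[130:132])[0]
    return ip, port, blob[136:136 + keylen]


def install_md5_key(sock, peer_ip, peer_port, key):
    """Associate key with the given peer on sock. On the server this goes on the
    listening socket; on the client on the already-bound socket before connect()."""
    sock.setsockopt(socket.IPPROTO_TCP, TCP_MD5SIG,
                    pack_tcp_md5sig(peer_ip, peer_port, key))


def loopback_demo(key=b"constructed-demo-key"):
    """Keyed round trip over 127.0.0.1; returns the 5 bytes the server received.
    Every segment in both directions now carries option kind 19, which the
    receiving side verifies against the same key before accepting it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv_port = srv.getsockname()[1]
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.bind(("127.0.0.1", 0))        # client must be bound: the server keys this endpoint
    cli_port = cli.getsockname()[1]
    install_md5_key(srv, "127.0.0.1", cli_port, key)   # on the listening socket
    srv.listen(1)
    install_md5_key(cli, "127.0.0.1", srv_port, key)   # before connect()
    cli.connect(("127.0.0.1", srv_port))
    conn, _ = srv.accept()
    cli.sendall(b"hello")
    data = conn.recv(5)
    for s in (conn, cli, srv):
        s.close()
    return data


if __name__ == "__main__":
    print(loopback_demo())
```

If the keys on the two sides differ, connect() does not fail with a clear error: the server silently drops the SYN whose signature does not verify, and the client simply times out, which is the behaviour the RFC asks for and the main reason the option is awkward to debug without the packet capture.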

Continue reading “TCP_MD5SIG: An Undocumented Socket Option in Linux”