dataplane: split out derp and stun traffic #237
Open
npry wants to merge 3 commits into
610a0ad to 5799dc4
The peer id isn't actually known a priori from the underlay, even if some transports can give an indication of what they think it is (such as derp reporting the nodekey). Ultimately the only way the peer identity can be trusted is if it's cryptographically authenticated by data within the packet, which WireGuard derives from the ongoing session (identified by the session id field), and disco gets from the disco pubkey field in its header. STUN packets are unverified but don't require any association to the peer's id. Removing this requirement will simplify the architecture for the UDP direct transport in future commits.

Signed-off-by: Nathan Perry <nathan@tailscale.com>
Change-Id: Ib3fe81d7f41fbd6e3b637f282b51f4f96a6a6964
Currently, receipt of a disco or stun packet causes the dataplane to log errors because it doesn't understand the traffic and tries to treat it as WireGuard. This provides comparable logic to `wgengine/magicsock.go`'s packet identification. It is plumbed into the dataplane in a future commit.

Signed-off-by: Nathan Perry <nathan@tailscale.com>
Change-Id: I87e84518ed0adbe4ba35358cab0a3dc66a6a6964
Signed-off-by: Nathan Perry <nathan@tailscale.com>
Change-Id: Ibf7d20ff1a3ab10e1277e78179285eb46a6a6964
5799dc4 to aedd011
stacked on #214
Port packet identification logic from Go (wireguard vs disco vs stun), begin partitioning incoming packet stream by type. This isn't used in runtime yet — that integration depends on a bunch of other changes I made here so I'm holding off on PRing that until this round of changes merges.

This also eliminates the requirement for underlay transports to supply a peer id, as this is in general unnecessary since packets must cryptographically authenticate themselves anyway, and it will simplify implementation for the UDP transport. Peer ids are still required to route to a peer.
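Added example, not code from this PR, the dataplane, or `wgengine/magicsock.go`: a stand-alone Go classifier of the kind the second commit message and the PR description talk about (wireguard vs disco vs stun), plus extraction of the two identity-bearing header fields the first commit message names (the disco pubkey and the WireGuard session/receiver index). Assumptions, all mine and not stated on this page: disco framing as 6-byte magic "TS💬", 32-byte sender key, 24-byte nonce; the STUN check from RFC 5389 (top two bits zero, magic cookie at bytes 4..8, length field consistent with the packet); WireGuard message sizes 148/92/64 for the three handshake types and at least 32 bytes for transport data; the sample packets are constructed, not captured, and every function name is invented for the example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// PacketKind is the coarse classification needed before deciding how (or
// whether) a packet can authenticate its sender.
type PacketKind int

const (
	KindUnknown PacketKind = iota
	KindDisco
	KindSTUN
	KindWireGuard
)

func (k PacketKind) String() string {
	return [...]string{"unknown", "disco", "stun", "wireguard"}[k]
}

// Assumed disco framing: 6-byte magic ("TS💬"), 32-byte sender disco public
// key, 24-byte nonce, then the sealed payload.
var discoMagic = []byte("TS\xf0\x9f\x92\xac")

const (
	discoKeyLen   = 32
	discoNonceLen = 24
	discoHdrLen   = 6 + discoKeyLen + discoNonceLen
	stunHdrLen    = 20
)

// RFC 5389 magic cookie, bytes 4..8 of every STUN message.
var stunMagicCookie = []byte{0x21, 0x12, 0xA4, 0x42}

// Assumed exact sizes of WireGuard handshake messages (types 1..3);
// transport data (type 4) is variable, at least 16-byte header + 16-byte tag.
var wgFixedSize = map[byte]int{1: 148, 2: 92, 3: 64}

func looksLikeDisco(b []byte) bool {
	return len(b) >= discoHdrLen && bytes.HasPrefix(b, discoMagic)
}

func looksLikeSTUN(b []byte) bool {
	if len(b) < stunHdrLen || b[0]&0xC0 != 0 || !bytes.Equal(b[4:8], stunMagicCookie) {
		return false
	}
	return len(b) == stunHdrLen+int(binary.BigEndian.Uint16(b[2:4]))
}

func looksLikeWireGuard(b []byte) bool {
	if len(b) < 4 || b[1] != 0 || b[2] != 0 || b[3] != 0 { // reserved bytes must be zero
		return false
	}
	if b[0] == 4 {
		return len(b) >= 32
	}
	n, ok := wgFixedSize[b[0]]
	return ok && len(b) == n
}

// Classify checks the cheap, unambiguous framings first; anything else is
// reported as unknown rather than being fed to the WireGuard path.
func Classify(b []byte) PacketKind {
	switch {
	case looksLikeDisco(b):
		return KindDisco
	case looksLikeSTUN(b):
		return KindSTUN
	case looksLikeWireGuard(b):
		return KindWireGuard
	}
	return KindUnknown
}

// DiscoSenderKey returns the sender key carried in the cleartext header.
// It is only a claim until the sealed payload verifies under that key.
func DiscoSenderKey(b []byte) (key [32]byte, ok bool) {
	if !looksLikeDisco(b) {
		return key, false
	}
	copy(key[:], b[6:6+discoKeyLen])
	return key, true
}

// WireGuardReceiverIndex returns the session index the packet addresses;
// an initiation (type 1) carries only the sender's index, so it has none.
func WireGuardReceiverIndex(b []byte) (uint32, bool) {
	if !looksLikeWireGuard(b) {
		return 0, false
	}
	switch b[0] {
	case 2:
		return binary.LittleEndian.Uint32(b[8:12]), true
	case 3, 4:
		return binary.LittleEndian.Uint32(b[4:8]), true
	}
	return 0, false
}

// Constructed sample packets (not captured traffic).
func SampleDisco() []byte {
	b := append([]byte{}, discoMagic...)
	b = append(b, bytes.Repeat([]byte{0xAA}, discoKeyLen)...)
	b = append(b, bytes.Repeat([]byte{0x01}, discoNonceLen)...)
	return append(b, []byte("sealed")...)
}

func SampleSTUNBinding() []byte {
	b := make([]byte, stunHdrLen) // Binding Request, zero attributes
	b[1] = 0x01
	copy(b[4:8], stunMagicCookie)
	copy(b[8:], "0123456789ab") // 12-byte transaction id
	return b
}

func SampleWGTransport(receiver uint32) []byte {
	b := make([]byte, 32) // header + empty payload with 16-byte tag
	b[0] = 4
	binary.LittleEndian.PutUint32(b[4:8], receiver)
	return b
}

func main() {
	for _, p := range [][]byte{SampleDisco(), SampleSTUNBinding(), SampleWGTransport(0x11223344), {0xff, 0, 0}} {
		fmt.Println(Classify(p))
	}
}
```

Note the ordering: the disco magic and the STUN cookie are checked before the WireGuard type byte, since a WireGuard header is just a small integer plus three zero bytes and would match almost anything if tested first. A classified packet still carries no trusted identity: the disco key is asserted by the sender, and the WireGuard index only names a session that the receiver has to look up and whose payload still has to decrypt and authenticate.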