multipath-tcp / mptcp

⚠️⚠️⚠️ Deprecated 🚫 Out-of-tree Linux Kernel implementation of MultiPath TCP. 👉 Use https://github.com/multipath-tcp/mptcp_net-next repo instead ⚠️⚠️⚠️

Internal IP addresses leakage (subflows related?) #407

Closed arter97 closed 3 years ago

arter97 commented 3 years ago

Hi, after turning on mptcp_debug, I noticed that subflows are (attempted to be) created on the server's internal IP addresses as well.

The server has eth0, eth1, eth2 and only eth0 is exposed to the Internet. eth0 has the public IP address of 123.123.123.10, eth1 has the IP address of 192.168.1.1, eth2 has the IP address of 192.168.2.1.

When connecting to this server from another client over the Internet using MPTCP, I can see server's eth1/2's info from the client-side:

ssh -p2222 123.123.123.10 cat /dev/urandom | pv > /dev/null
[ 1560.586977] mptcp_add_sock: token 0x5f726c41 pi 1, src_addr:192.168.131.169:47302 dst_addr:123.123.123.10:2222
[ 1560.590366] mptcp_add_sock: token 0x5f726c41 pi 2, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590378] __mptcp_init4_subsockets: token 0x5f726c41 pi 2 src_addr:192.168.131.187:0 dst_addr:123.123.123.10:2222 ifidx: 25
[ 1560.590402] mptcp_add_sock: token 0x5f726c41 pi 3, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590409] __mptcp_init4_subsockets: token 0x5f726c41 pi 3 src_addr:192.168.131.161:0 dst_addr:123.123.123.10:2222 ifidx: 3
[ 1560.590424] mptcp_add_sock: token 0x5f726c41 pi 4, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590430] __mptcp_init4_subsockets: token 0x5f726c41 pi 4 src_addr:192.168.131.162:0 dst_addr:123.123.123.10:2222 ifidx: 4
[ 1560.590443] mptcp_add_sock: token 0x5f726c41 pi 5, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590449] __mptcp_init4_subsockets: token 0x5f726c41 pi 5 src_addr:192.168.131.163:0 dst_addr:123.123.123.10:2222 ifidx: 5
[ 1560.590464] mptcp_add_sock: token 0x5f726c41 pi 6, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590470] __mptcp_init4_subsockets: token 0x5f726c41 pi 6 src_addr:192.168.131.164:0 dst_addr:123.123.123.10:2222 ifidx: 6
[ 1560.590483] mptcp_add_sock: token 0x5f726c41 pi 7, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590489] __mptcp_init4_subsockets: token 0x5f726c41 pi 7 src_addr:192.168.131.165:0 dst_addr:123.123.123.10:2222 ifidx: 7
[ 1560.590502] mptcp_add_sock: token 0x5f726c41 pi 8, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590507] __mptcp_init4_subsockets: token 0x5f726c41 pi 8 src_addr:192.168.131.166:0 dst_addr:123.123.123.10:2222 ifidx: 8
[ 1560.590519] mptcp_add_sock: token 0x5f726c41 pi 9, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590525] __mptcp_init4_subsockets: token 0x5f726c41 pi 9 src_addr:192.168.131.167:0 dst_addr:123.123.123.10:2222 ifidx: 9
[ 1560.590537] mptcp_add_sock: token 0x5f726c41 pi 10, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590546] __mptcp_init4_subsockets: token 0x5f726c41 pi 10 src_addr:192.168.131.168:0 dst_addr:123.123.123.10:2222 ifidx: 10
[ 1560.590560] mptcp_add_sock: token 0x5f726c41 pi 11, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590566] __mptcp_init4_subsockets: token 0x5f726c41 pi 11 src_addr:192.168.131.181:0 dst_addr:123.123.123.10:2222 ifidx: 19
[ 1560.590578] mptcp_add_sock: token 0x5f726c41 pi 12, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590584] __mptcp_init4_subsockets: token 0x5f726c41 pi 12 src_addr:192.168.131.182:0 dst_addr:123.123.123.10:2222 ifidx: 20
[ 1560.590597] mptcp_add_sock: token 0x5f726c41 pi 13, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590602] __mptcp_init4_subsockets: token 0x5f726c41 pi 13 src_addr:192.168.131.183:0 dst_addr:123.123.123.10:2222 ifidx: 21
[ 1560.590616] mptcp_add_sock: token 0x5f726c41 pi 14, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590623] __mptcp_init4_subsockets: token 0x5f726c41 pi 14 src_addr:192.168.131.184:0 dst_addr:123.123.123.10:2222 ifidx: 22
[ 1560.590636] mptcp_add_sock: token 0x5f726c41 pi 15, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590642] __mptcp_init4_subsockets: token 0x5f726c41 pi 15 src_addr:192.168.131.185:0 dst_addr:123.123.123.10:2222 ifidx: 23
[ 1560.590654] mptcp_add_sock: token 0x5f726c41 pi 16, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590659] __mptcp_init4_subsockets: token 0x5f726c41 pi 16 src_addr:192.168.131.186:0 dst_addr:123.123.123.10:2222 ifidx: 24
[ 1560.590671] mptcp_add_sock: token 0x5f726c41 pi 17, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590676] __mptcp_init4_subsockets: token 0x5f726c41 pi 17 src_addr:192.168.131.187:0 dst_addr:192.168.1.1:2222 ifidx: 25
[ 1560.590688] mptcp_add_sock: token 0x5f726c41 pi 18, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590693] __mptcp_init4_subsockets: token 0x5f726c41 pi 18 src_addr:192.168.131.169:0 dst_addr:192.168.1.1:2222 ifidx: 2
[ 1560.590706] mptcp_add_sock: token 0x5f726c41 pi 19, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590712] __mptcp_init4_subsockets: token 0x5f726c41 pi 19 src_addr:192.168.131.161:0 dst_addr:192.168.1.1:2222 ifidx: 3
[ 1560.590724] mptcp_add_sock: token 0x5f726c41 pi 20, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590730] __mptcp_init4_subsockets: token 0x5f726c41 pi 20 src_addr:192.168.131.162:0 dst_addr:192.168.1.1:2222 ifidx: 4
[ 1560.590742] mptcp_add_sock: token 0x5f726c41 pi 21, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590747] __mptcp_init4_subsockets: token 0x5f726c41 pi 21 src_addr:192.168.131.163:0 dst_addr:192.168.1.1:2222 ifidx: 5
[ 1560.590760] mptcp_add_sock: token 0x5f726c41 pi 22, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590765] __mptcp_init4_subsockets: token 0x5f726c41 pi 22 src_addr:192.168.131.164:0 dst_addr:192.168.1.1:2222 ifidx: 6
[ 1560.590778] mptcp_add_sock: token 0x5f726c41 pi 23, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590786] __mptcp_init4_subsockets: token 0x5f726c41 pi 23 src_addr:192.168.131.165:0 dst_addr:192.168.1.1:2222 ifidx: 7
[ 1560.590798] mptcp_add_sock: token 0x5f726c41 pi 24, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590803] __mptcp_init4_subsockets: token 0x5f726c41 pi 24 src_addr:192.168.131.166:0 dst_addr:192.168.1.1:2222 ifidx: 8
[ 1560.590816] mptcp_add_sock: token 0x5f726c41 pi 25, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590821] __mptcp_init4_subsockets: token 0x5f726c41 pi 25 src_addr:192.168.131.167:0 dst_addr:192.168.1.1:2222 ifidx: 9
[ 1560.590834] mptcp_add_sock: token 0x5f726c41 pi 26, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590841] __mptcp_init4_subsockets: token 0x5f726c41 pi 26 src_addr:192.168.131.168:0 dst_addr:192.168.1.1:2222 ifidx: 10
[ 1560.590853] mptcp_add_sock: token 0x5f726c41 pi 27, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590858] __mptcp_init4_subsockets: token 0x5f726c41 pi 27 src_addr:192.168.131.181:0 dst_addr:192.168.1.1:2222 ifidx: 19
[ 1560.590870] mptcp_add_sock: token 0x5f726c41 pi 28, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590875] __mptcp_init4_subsockets: token 0x5f726c41 pi 28 src_addr:192.168.131.182:0 dst_addr:192.168.1.1:2222 ifidx: 20
[ 1560.590886] mptcp_add_sock: token 0x5f726c41 pi 29, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590892] __mptcp_init4_subsockets: token 0x5f726c41 pi 29 src_addr:192.168.131.183:0 dst_addr:192.168.1.1:2222 ifidx: 21
[ 1560.590903] mptcp_add_sock: token 0x5f726c41 pi 30, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590910] __mptcp_init4_subsockets: token 0x5f726c41 pi 30 src_addr:192.168.131.184:0 dst_addr:192.168.1.1:2222 ifidx: 22
[ 1560.590925] mptcp_add_sock: token 0x5f726c41 pi 31, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590930] __mptcp_init4_subsockets: token 0x5f726c41 pi 31 src_addr:192.168.131.185:0 dst_addr:192.168.1.1:2222 ifidx: 23
[ 1560.590942] mptcp_add_sock: token 0x5f726c41 pi 32, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590947] __mptcp_init4_subsockets: token 0x5f726c41 pi 32 src_addr:192.168.131.186:0 dst_addr:192.168.1.1:2222 ifidx: 24
[ 1560.590958] mptcp_add_sock: token 0x5f726c41 pi 33, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590963] __mptcp_init4_subsockets: token 0x5f726c41 pi 33 src_addr:192.168.131.187:0 dst_addr:192.168.2.1:2222 ifidx: 25
[ 1560.590975] mptcp_add_sock: token 0x5f726c41 pi 34, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590980] __mptcp_init4_subsockets: token 0x5f726c41 pi 34 src_addr:192.168.131.169:0 dst_addr:192.168.2.1:2222 ifidx: 2
[ 1560.590992] mptcp_add_sock: token 0x5f726c41 pi 35, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590998] __mptcp_init4_subsockets: token 0x5f726c41 pi 35 src_addr:192.168.131.161:0 dst_addr:192.168.2.1:2222 ifidx: 3
[ 1560.591012] mptcp_add_sock: token 0x5f726c41 pi 36, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.591017] __mptcp_init4_subsockets: token 0x5f726c41 pi 36 src_addr:192.168.131.162:0 dst_addr:192.168.2.1:2222 ifidx: 4
[ 1560.591030] mptcp_add_sock: token 0x5f726c41 pi 37, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.591035] __mptcp_init4_subsockets: token 0x5f726c41 pi 37 src_addr:192.168.131.163:0 dst_addr:192.168.2.1:2222 ifidx: 5
[ 1560.591048] mptcp_add_sock: token 0x5f726c41 pi 38, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.591054] __mptcp_init4_subsockets: token 0x5f726c41 pi 38 src_addr:192.168.131.164:0 dst_addr:192.168.2.1:2222 ifidx: 6
[ 1560.591066] mptcp_add_sock: token 0x5f726c41 pi 39, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.591071] __mptcp_init4_subsockets: token 0x5f726c41 pi 39 src_addr:192.168.131.165:0 dst_addr:192.168.2.1:2222 ifidx: 7
[ 1560.591084] mptcp_add_sock: token 0x5f726c41 pi 40, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.591089] __mptcp_init4_subsockets: token 0x5f726c41 pi 40 src_addr:192.168.131.166:0 dst_addr:192.168.2.1:2222 ifidx: 8
[ 1560.591101] mptcp_add_sock: token 0x5f726c41 pi 41, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.591106] __mptcp_init4_subsockets: token 0x5f726c41 pi 41 src_addr:192.168.131.167:0 dst_addr:192.168.2.1:2222 ifidx: 9
[ 1560.591118] mptcp_add_sock: token 0x5f726c41 pi 42, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.591125] __mptcp_init4_subsockets: token 0x5f726c41 pi 42 src_addr:192.168.131.168:0 dst_addr:192.168.2.1:2222 ifidx: 10
[ 1560.591137] mptcp_add_sock: token 0x5f726c41 pi 43, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.591142] __mptcp_init4_subsockets: token 0x5f726c41 pi 43 src_addr:192.168.131.181:0 dst_addr:192.168.2.1:2222 ifidx: 19
[ 1560.591154] mptcp_add_sock: token 0x5f726c41 pi 44, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.591159] __mptcp_init4_subsockets: token 0x5f726c41 pi 44 src_addr:192.168.131.182:0 dst_addr:192.168.2.1:2222 ifidx: 20
[ 1560.591171] mptcp_add_sock: token 0x5f726c41 pi 45, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.591176] __mptcp_init4_subsockets: token 0x5f726c41 pi 45 src_addr:192.168.131.183:0 dst_addr:192.168.2.1:2222 ifidx: 21
[ 1560.591187] mptcp_add_sock: token 0x5f726c41 pi 46, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.591194] __mptcp_init4_subsockets: token 0x5f726c41 pi 46 src_addr:192.168.131.184:0 dst_addr:192.168.2.1:2222 ifidx: 22
[ 1560.591206] mptcp_add_sock: token 0x5f726c41 pi 47, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.591211] __mptcp_init4_subsockets: token 0x5f726c41 pi 47 src_addr:192.168.131.185:0 dst_addr:192.168.2.1:2222 ifidx: 23
[ 1560.591223] mptcp_add_sock: token 0x5f726c41 pi 48, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.591229] __mptcp_init4_subsockets: token 0x5f726c41 pi 48 src_addr:192.168.131.186:0 dst_addr:192.168.2.1:2222 ifidx: 24

The same happens when both server and client have no iptables rules set.

I assume I must add some additional entries on the server's iptables to make this stop, but I'm not all that familiar with iptables. Security concerns aside, I believe this limits subflow creation and limits MPTCP to utilize all interfaces.

Any pointers will be much appreciated, thanks!

matttbe commented 3 years ago

Hi @arter97

Is it because the server is announcing its "internal" addresses?

I suspect that you are using the fullmesh path-manager on your server and it is then announcing these addresses as reported in /proc/net/mptcp_fullmesh.

You can use a modified version of iproute to flag interfaces with an internal address: http://multipath-tcp.org/pmwiki.php/Users/Tools

But if you don't need the server to announce any address while still accepting new subflows, it is best to use the default path-manager: http://multipath-tcp.org/pmwiki.php/Users/ConfigureMPTCP
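
A log check for the situation reported in this thread, added here as an example and not part of the original issue or the MPTCP project's code: it reads client-side mptcp_debug lines in the format quoted above and reports, per connection token, the non-public destination addresses the peer announced. The sample log is constructed from the line format in the issue, and the function name `leaked_internal_addresses` is an assumption of this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format of the mptcp_debug lines quoted in the issue.
SAMPLE_LOG = """\
[ 1560.586977] mptcp_add_sock: token 0x5f726c41 pi 1, src_addr:192.168.131.169:47302 dst_addr:123.123.123.10:2222
[ 1560.590366] mptcp_add_sock: token 0x5f726c41 pi 2, src_addr:0.0.0.0:0 dst_addr:0.0.0.0:0
[ 1560.590378] __mptcp_init4_subsockets: token 0x5f726c41 pi 2 src_addr:192.168.131.187:0 dst_addr:123.123.123.10:2222 ifidx: 25
[ 1560.590676] __mptcp_init4_subsockets: token 0x5f726c41 pi 17 src_addr:192.168.131.187:0 dst_addr:192.168.1.1:2222 ifidx: 25
[ 1560.590963] __mptcp_init4_subsockets: token 0x5f726c41 pi 33 src_addr:192.168.131.187:0 dst_addr:192.168.2.1:2222 ifidx: 25
"""

LINE_RE = re.compile(
    r"(?P<func>mptcp_add_sock|__mptcp_init4_subsockets): token (?P<token>0x[0-9a-fA-F]+) "
    r"pi (?P<pi>\d+),? src_addr:(?P<src>[\d.]+):\d+ dst_addr:(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def leaked_internal_addresses(log_text):
    """Map each MPTCP token to the sorted non-global destination addresses
    used for extra subflows that differ from the initial destination."""
    initial = {}                # token -> destination of the first subflow
    leaked = defaultdict(set)   # token -> announced non-public addresses
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        token, dst = m["token"], ipaddress.ip_address(m["dst"])
        if m["func"] == "mptcp_add_sock":
            # The first add_sock line with a real destination is the
            # address the application actually connected to.
            if not dst.is_unspecified:
                initial.setdefault(token, dst)
            continue
        # A subflow towards a private/non-routable address other than the
        # initial destination means the peer announced that address.
        if dst != initial.get(token) and not dst.is_global:
            leaked[token].add(dst)
    return {t: [str(a) for a in sorted(addrs)] for t, addrs in leaked.items()}


if __name__ == "__main__":
    for token, addrs in leaked_internal_addresses(SAMPLE_LOG).items():
        print(f"token {token}: peer announced internal addresses {addrs}")
```

An empty result after changing the server's path manager or flagging its internal interfaces indicates the announcements have stopped.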