site: Do name resolution on peer-initiated key setup too
The current arrangement locks in the peer address used for key
exchange, for the lifetime of the key.
Most configurations do not have the secnet bind to a particular
address. And secnet takes no particular care about the source address
on its packets. The result is that secnet might reply from a
different address. (Also NAT might cause this effect.)
But (unless the peer is mobile) it is not ideal to use an address
other than the configured address. In particular, if we are mobile
then the network environment, and our routing to the peer, might
change so that the previous source address is not valid. This could
result in an extended failure (of up to the key expiry lifetime).
Arguably this is a configuration error, but there is another reason to
dislike the current behaviour: it has the rather odd property that if
an opponent (or incompetent middlebox) reroutes/NATs the packets
during key exchange, the entire dataflow (at least in one direction)
might end up sent via a bizarre route (or, if the environment changes,
not delivered).
We still want to use the peer's address as a hint though: otherwise we
would have to stall a peer-initiated key setup while resolution takes
place.
So:
* Initiate a peer address lookup when we get an incoming MSG1, if we
have a configured name or address. We do this in parallel with the
key exchange. (As a result it is possible that a peer address
lookup might complete well after the key exchange has finished.)
* Except, when the incoming MSG1 has crossed with ours, we must
already have done the the lookup so do not do it again.
* And, in this latter case do not unconditionally record the incoming
peer address; instead, treat it as a "msgok"; otherwise we might
unjustifiably overwrite an address we got from the configuration
with the incoming address from the packet.
* The two points above mean moving the transport_record_peer from
process_msg1 into its two call sites, since the logic now needs to
differ between them.
* Handle the results of the MSG1-prompted peer address lookup. In
SITE_RESOLVE we do as we did before. In most of the other states,
we record the address and use it for future communications.
* If the resolution fails with a non-mobile site, keep using the
apparently-working peer address(es).
* With a mobile site the currently working peer address might stop
working so this is not acceptable. In that case, make arrangements
that a failed peer address lookup will be retried quickly - but in
the meantime, there is no need to halt the packet flow.
* If the attempt to submit the resolver query fails, just use the
apparent peer address as before.
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
---
Changes in v2:
* Run the resolution after entering the new state, not before.
Otherwise if we get the callback reentrantly, we get a bit
confused.
~mdw / secnet / commit