magicsock: spray some normal packets after a handshake

In particular, this is designed to catch the case where a
HandshakeInitiation packet is sent out but the intermediate NATs
have not been primed, so the packet passes over DERP.
In that case, the HandshakeResponse also comes back over DERP,
and the connection proceeds via DERP without ever trying to punch
through the NAT.

With this change, the HandshakeResponse (which was sprayed out
and so primed one NAT) triggers an UpdateDst, which triggers
the extra spray logic.

(For this to work, there has to be an initial supply of packets
to send on to a peer for the three seconds following a handshake.
The source of these packets is left as a future exercise.)

Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
This commit is contained in:
David Crawshaw 2020-02-21 22:20:31 -05:00 committed by David Crawshaw
parent 8696b17b5f
commit a6ad3c46e2

View File

@ -387,11 +387,37 @@ func shouldSprayPacket(b []byte) bool {
// //
// It also returns as's current roamAddr, if any. // It also returns as's current roamAddr, if any.
func appendDests(dsts []*net.UDPAddr, as *AddrSet, b []byte) (_ []*net.UDPAddr, roamAddr *net.UDPAddr) { func appendDests(dsts []*net.UDPAddr, as *AddrSet, b []byte) (_ []*net.UDPAddr, roamAddr *net.UDPAddr) {
spray := shouldSprayPacket(b) spray := shouldSprayPacket(b) // true for handshakes
now := time.Now()
as.mu.Lock() as.mu.Lock()
defer as.mu.Unlock() defer as.mu.Unlock()
// Spray logic.
//
// After exchanging a handshake with a peer, we send some outbound
// packets to every endpoint of that peer. These packets are spaced out
// over several seconds to make sure that our peer has an opportunity to
// send its own spray packet to us before we are done spraying.
//
// Multiple packets are necessary because we have to both establish the
// NAT mappings between two peers *and use* the mappings to switch away
// from DERP to a higher-priority UDP endpoint.
const sprayPeriod = 3 * time.Second
const sprayFreq = 250 * time.Millisecond
if spray {
as.lastSpray = now
as.stopSpray = now.Add(sprayPeriod)
} else if now.Before(as.stopSpray) {
// We are in the spray window. If it has been sprayFreq since we
// last sprayed a packet, spray this packet.
if now.Sub(as.lastSpray) >= sprayFreq {
spray = true
as.lastSpray = now
}
}
// Pick our destination address(es).
roamAddr = as.roamAddr roamAddr = as.roamAddr
if roamAddr != nil { if roamAddr != nil {
dsts = append(dsts, roamAddr) dsts = append(dsts, roamAddr)
@ -775,7 +801,7 @@ type AddrSet struct {
publicKey key.Public // peer public key used for DERP communication publicKey key.Public // peer public key used for DERP communication
addrs []net.UDPAddr // ordered priority list (low to high) provided by wgengine addrs []net.UDPAddr // ordered priority list (low to high) provided by wgengine
mu sync.Mutex // guards roamAddr and curAddr mu sync.Mutex // guards following fields
// roamAddr is non-nil if/when we receive a correctly signed // roamAddr is non-nil if/when we receive a correctly signed
// WireGuard packet from an unexpected address. If so, we // WireGuard packet from an unexpected address. If so, we
@ -789,6 +815,12 @@ type AddrSet struct {
// address a valid packet has been received from so far. // address a valid packet has been received from so far.
// If no valid packet from addrs has been received, curAddr is -1. // If no valid packet from addrs has been received, curAddr is -1.
curAddr int curAddr int
// stopSpray is the time after which we stop spraying packets.
stopSpray time.Time
// lastSpray is the lsat time we sprayed a packet.
lastSpray time.Time
} }
var noAddr = &net.UDPAddr{ var noAddr = &net.UDPAddr{