Hello,

I am a happy user of tinc in multiple environments. It is beautiful - thank you!

Today I noticed that a network of around 20 nodes suffered from a flood of packets like the following:

  IP6 fe80::e4eb:74b6:57e0:c3e1 > ff02::2: ICMP6, router solicitation, length 8

For the first ten hours these nodes (even the usually completely idle ones) saw incoming traffic of around 1 MBit/s on the tinc interface (and approximately double that bandwidth on the interface that carries the tinc traffic). Then the traffic on the tinc interface went straight (within minutes or maybe even seconds) up to around 6 MBit/s. The level of incoming traffic for each node stuck there (and caused a bit of delay and packet loss) for five hours, until I restarted tinc on one (randomly picked) node. The traffic for all hosts went immediately down to idle.

Most of the tinc nodes use v1.0.31. Two use v1.0.24 and a single old one is still at v1.0.19 (Debian stable, oldstable and oldoldstable). The tinc daemon I restarted was using v1.0.31.

The setup has been running unchanged (besides a few nodes being added from time to time) for a few years. The only non-default setting is "ReplayWindow 32".

I am quite confident (due to the age and stability of the setup) that this was just a rare occasion that will likely never happen again. But maybe someone has an idea whether this is a tinc-related issue and if there is something that could be done to prevent such a situation.

Thank you for your time!

Cheers,
Lars
On Fri, Dec 14, 2018 at 11:13:55PM +0100, Lars Kruse wrote:

> I am a happy user of tinc in multiple environments. It is beautiful - thank you!
>
> Today I noticed that a network of around 20 nodes suffered from a flood of
> packets like the following:
> IP6 fe80::e4eb:74b6:57e0:c3e1 > ff02::2: ICMP6, router solicitation, length 8
[...]
> Most of the tinc nodes use v1.0.31. Two use v1.0.24 and a single old one is
> still at v1.0.19.
> (Debian stable, oldstable and oldoldstable)

The issue looks like a routing loop. In fact, there was a bug in versions before 1.0.24 that might cause routing loops of broadcast packets, and this router solicitation message is in fact a broadcast packet. If possible, upgrade to a newer version of Debian. If that's not possible, try installing tinc 1.0.24 from wheezy-backports.

> The setup is running unchanged (besides a few nodes being added from time to
> time) for a few years. The only non-default setting is "ReplayWindow 32".

That is quite certainly not the cause of this issue.

> I am quite confident (due to the age and stability of the setup), that this was
> just a rare occasion, that will likely never happen again.
> But maybe someone has an idea, whether this is a tinc related issue and if
> there is something that could be done to prevent such a situation.

I recommend upgrading the node running 1.0.19.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
Hello,

On Tue, 18 Dec 2018 17:14:23 +0100, Guus Sliepen <guus at tinc-vpn.org> wrote:

> I recommend upgrading the node running 1.0.19.

I will do so. Thank you!

Cheers,
Lars
Hello,

On Tue, 18 Dec 2018 17:14:23 +0100, Guus Sliepen <guus at tinc-vpn.org> wrote:

> > Most of the tinc nodes use v1.0.31. Two use v1.0.24 and a single old one is
> > still at v1.0.19.
> > (Debian stable, oldstable and oldoldstable)
>
> The issue looks like a routing loop. In fact, there was a bug in
> versions before 1.0.24 that might cause routing loops of broadcast
> packets, and this router solicitation message is in fact a broadcast
> packet. If possible, upgrade to a newer version of Debian. If that's not
> possible, try installing tinc 1.0.24 from wheezy-backports.

Meanwhile I upgraded the older nodes (1.0.19 and 1.0.24), thus the minimum tinc version in the network is now 1.0.31.

Sadly the router solicitation message flood still appears from time to time :(

The router solicitation packets are (at the moment) sent by five of the 30 connected nodes. This subset of the nodes seems to be random (different locations, different roles in the VPN). After restarting the tinc process on two of the tinc nodes (in this case: not the five sources mentioned above), the flood disappears.

After taking another look at the possible tinc.conf settings, I am contemplating deviating from the default values of the following settings:

 * DecrementTTL -> "yes"
 * Broadcast -> "direct"

This involves a bit of work (at least "Broadcast" is documented to require the same settings on all nodes). Thus I would appreciate any suggestions before approaching these changes.

Cheers,
Lars
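The symptom discussed in this thread (the same ICMPv6 router solicitation to ff02::2 arriving over and over on the tinc interface) can be spotted from plain tcpdump output before it saturates the link. The script below is an added example, not part of the thread and not tinc's own code. It parses lines in the format quoted in the first message (with the timestamp that `tcpdump -n` prints by default), counts solicitations per source over the capture span, and flags any source whose rate is far above what a host looking for a router would ever send. The interface name, the 1 packet/s threshold and the sample capture are all assumptions constructed for the example.

```python
"""Detect an ICMPv6 router-solicitation storm in tcpdump output.

Added example for the thread above; not tinc's own code.  Intended input is
the output of something like `tcpdump -n -i tinc0 icmp6` (interface name is a
placeholder).  The sample capture at the bottom is constructed, not recorded.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# One tcpdump -n line carrying a router solicitation.  The line quoted in the
# first message has no timestamp, so the timestamp group is optional.
RS_LINE = re.compile(
    r"^(?:(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6})\s+)?"
    r"IP6\s+(?P<src>[0-9A-Fa-f:]+)\s+>\s+(?P<dst>[0-9A-Fa-f:]+):\s+"
    r"ICMP6,\s+router solicitation,\s+length\s+\d+\s*$"
)

ALL_ROUTERS = "ff02::2"  # link-local all-routers multicast group

# RFC 4861: a host sends at most MAX_RTR_SOLICITATIONS = 3 solicitations,
# RTR_SOLICITATION_INTERVAL = 4 s apart, when an interface comes up.  A source
# that sustains more than about one RS per second is therefore not a host
# looking for a router; on a VPN that pattern points at a looped broadcast.
DEFAULT_THRESHOLD_PPS = 1.0  # assumption for this example, not a tinc or RFC value


def parse_rs(line):
    """Return (timestamp or None, src, dst) for an RS line, else None."""
    m = RS_LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%H:%M:%S.%f") if m.group("ts") else None
    return ts, m.group("src"), m.group("dst")


def find_rs_flood(lines, threshold_pps=DEFAULT_THRESHOLD_PPS, capture_seconds=None):
    """Return {src: {"count": n, "pps": rate}} for sources above threshold_pps.

    The rate is packets per second over the span between the first and last
    timestamp seen; if the lines carry no timestamps, capture_seconds must be
    supplied instead.
    """
    counts = Counter()
    first = last = None
    for line in lines:
        parsed = parse_rs(line)
        if parsed is None:
            continue  # not a router solicitation (or not tcpdump output at all)
        ts, src, dst = parsed
        if dst != ALL_ROUTERS:
            continue
        counts[src] += 1
        if ts is not None:
            first = ts if first is None else min(first, ts)
            last = ts if last is None else max(last, ts)
    if first is not None and last is not None:
        span = (last - first).total_seconds()
    elif capture_seconds is not None:
        span = float(capture_seconds)
    else:
        raise ValueError("lines carry no timestamps; pass capture_seconds")
    span = max(span, 1.0)  # a single packet never counts as a flood
    return {
        src: {"count": n, "pps": n / span}
        for src, n in counts.items()
        if n / span > threshold_pps
    }


def constructed_capture():
    """Constructed ~10 s sample: one benign host and one looping source."""
    t0 = datetime.strptime("12:00:00.000000", "%H:%M:%S.%f")

    def stamp(dt):
        return dt.strftime("%H:%M:%S.%f")

    lines = []
    # Benign host: three solicitations, 4 s apart, as RFC 4861 prescribes.
    for i in range(3):
        lines.append(f"{stamp(t0 + timedelta(seconds=4 * i))} IP6 fe80::1 > ff02::2: "
                     "ICMP6, router solicitation, length 8")
    # Looped packet: the same solicitation reappearing every 250 ms.
    for i in range(40):
        lines.append(f"{stamp(t0 + timedelta(milliseconds=250 * i))} "
                     "IP6 fe80::e4eb:74b6:57e0:c3e1 > ff02::2: ICMP6, router solicitation, length 8")
    # Unrelated ICMPv6 traffic that the parser must ignore.
    lines.append(f"{stamp(t0 + timedelta(seconds=3))} IP6 fe80::1 > ff02::1:ff00:2: "
                 "ICMP6, neighbor solicitation, who has fe80::2, length 32")
    return lines


if __name__ == "__main__":
    for src, info in sorted(find_rs_flood(constructed_capture()).items()):
        print(f"{src}: {info['count']} RS packets, {info['pps']:.1f}/s")
```

Run against a live capture (`tcpdump -l -n -i tinc0 icmp6 | python3 rs_flood.py`, file name a placeholder) this reports only the looping sources, which is the same handful of addresses Lars saw. The hop limit of the packets is not in the tcpdump line, so the script cannot tell a fresh solicitation from a replayed one; that is exactly the gap the DecrementTTL option addresses, since with it enabled tinc decrements the Hop Limit on forwarded IPv6 packets and drops them when it reaches zero, so a looped broadcast dies after a bounded number of hops instead of circulating until a daemon is restarted.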