Always use HELLO to contact, and we now confirm newly learned paths via a two-way handshake to prevent half-connects.

node/Peer.cpp

@@ -25,6 +25,8 @@
  * LLC. Start here: http://www.zerotier.com/
  */
 
+#include "../version.h"
+
 #include "Constants.hpp"
 #include "Peer.hpp"
 #include "Node.hpp"
@@ -68,38 +70,48 @@ void Peer::received(
 	_lastReceive = now;
 
 	if (!hops) {
+		bool pathIsConfirmed = false;
+
 		/* Learn new paths from direct (hops == 0) packets */
 		{
 			unsigned int np = _numPaths;
-
-			bool havePath = false;
 			for(unsigned int p=0;p<np;++p) {
 				if (_paths[p].address() == remoteAddr) {
 					_paths[p].received(now,linkDesperation);
-					havePath = true;
+					pathIsConfirmed = true;
 					break;
 				}
 			}
 
-			if (!havePath) {
-				Path *slot = (Path *)0;
-				if (np < ZT_PEER_MAX_PATHS) {
-					// Add new path
-					slot = &(_paths[np++]);
-				} else {
-					// Replace oldest non-fixed path
-					uint64_t slotLRmin = 0xffffffffffffffffULL;
-					for(unsigned int p=0;p<ZT_PEER_MAX_PATHS;++p) {
-						if ((!_paths[p].fixed())&&(_paths[p].lastReceived() <= slotLRmin)) {
-							slotLRmin = _paths[p].lastReceived();
-							slot = &(_paths[p]);
+			if (!pathIsConfirmed) {
+				if ((verb == Packet::VERB_OK)&&(inReVerb == Packet::VERB_HELLO)) {
+					// Learn paths if they've been confirmed via a HELLO
+					Path *slot = (Path *)0;
+					if (np < ZT_PEER_MAX_PATHS) {
+						// Add new path
+						slot = &(_paths[np++]);
+					} else {
+						// Replace oldest non-fixed path
+						uint64_t slotLRmin = 0xffffffffffffffffULL;
+						for(unsigned int p=0;p<ZT_PEER_MAX_PATHS;++p) {
+							if ((!_paths[p].fixed())&&(_paths[p].lastReceived() <= slotLRmin)) {
+								slotLRmin = _paths[p].lastReceived();
+								slot = &(_paths[p]);
+							}
 						}
 					}
-				}
-				if (slot) {
-					slot->init(remoteAddr,false);
-					slot->received(now,linkDesperation);
-					_numPaths = np;
+					if (slot) {
+						slot->init(remoteAddr,false);
+						slot->received(now,linkDesperation);
+						_numPaths = np;
+						pathIsConfirmed = true;
+					}
+				} else {
+					/* If this path is not known, send a HELLO. We don't learn
+					 * paths without confirming that a bidirectional link is in
+					 * fact present, but any packet that decodes and authenticates
+					 * correctly is considered valid. */
+					attemptToContactAt(RR,remoteAddr,linkDesperation,now);
 				}
 			}
 		}
@@ -107,7 +119,7 @@ void Peer::received(
 		/* Announce multicast groups of interest to direct peers if they are
 		 * considered authorized members of a given network. Also announce to
 		 * supernodes and network controllers. */
-		if ((now - _lastAnnouncedTo) >= ((ZT_MULTICAST_LIKE_EXPIRE / 2) - 1000)) {
+		if ((pathIsConfirmed)&&((now - _lastAnnouncedTo) >= ((ZT_MULTICAST_LIKE_EXPIRE / 2) - 1000))) {
 			_lastAnnouncedTo = now;
 
 			const bool isSupernode = RR->topology->isSupernode(_id.address());
@@ -144,6 +156,37 @@ void Peer::received(
 		_lastMulticastFrame = now;
 }
 
+void Peer::attemptToContactAt(const RuntimeEnvironment *RR,const InetAddress &atAddress,unsigned int linkDesperation,uint64_t now)
+{
+	Packet outp(_id.address(),RR->identity.address(),Packet::VERB_HELLO);
+	outp.append((unsigned char)ZT_PROTO_VERSION);
+	outp.append((unsigned char)ZEROTIER_ONE_VERSION_MAJOR);
+	outp.append((unsigned char)ZEROTIER_ONE_VERSION_MINOR);
+	outp.append((uint16_t)ZEROTIER_ONE_VERSION_REVISION);
+	outp.append(now);
+
+	RR->identity.serialize(outp,false);
+
+	switch(atAddress.ss_family) {
+		case AF_INET:
+			outp.append((unsigned char)ZT_PROTO_DEST_ADDRESS_TYPE_IPV4);
+			outp.append(atAddress.rawIpData(),4);
+			outp.append((uint16_t)atAddress.port());
+			break;
+		case AF_INET6:
+			outp.append((unsigned char)ZT_PROTO_DEST_ADDRESS_TYPE_IPV6);
+			outp.append(atAddress.rawIpData(),16);
+			outp.append((uint16_t)atAddress.port());
+			break;
+		default:
+			outp.append((unsigned char)ZT_PROTO_DEST_ADDRESS_TYPE_NONE);
+			break;
+	}
+
+	outp.armor(_key,false); // HELLO is sent in the clear
+	RR->node->putPacket(atAddress,outp.data(),outp.size(),linkDesperation);
+}
+
 void Peer::addPath(const Path &newp)
 {
 	unsigned int np = _numPaths;
@@ -200,9 +243,7 @@ void Peer::resetWithinScope(const RuntimeEnvironment *RR,InetAddress::IpScope sc
 	while (x < np) {
 		if (_paths[x].address().ipScope() == scope) {
 			if (_paths[x].fixed()) {
-				Packet outp(_id.address(),RR->identity.address(),Packet::VERB_NOP);
-				outp.armor(_key,false);
-				RR->node->putPacket(_paths[x].address(),outp.data(),outp.size(),_paths[x].desperation(now));
+				attemptToContactAt(RR,_paths[x].address(),_paths[x].desperation(now),now);
 				_paths[y++] = _paths[x]; // keep fixed paths
 			}
 		} else {

node/Peer.hpp

@@ -169,6 +169,19 @@ public:
 		return (Path *)0;
 	}
 
+	/**
+	 * Send a HELLO to this peer at a specified physical address
+	 *
+	 * This does not update any statistics. It's used to send initial HELLOs
+	 * for NAT traversal and path verification.
+	 *
+	 * @param RR Runtime environment
+	 * @param atAddress Destination address
+	 * @param linkDesperation Link desperation
+	 * @param now Current time
+	 */
+	void attemptToContactAt(const RuntimeEnvironment *RR,const InetAddress &atAddress,unsigned int linkDesperation,uint64_t now);
+
 	/**
 	 * @return All known direct paths to this peer
 	 */

node/Switch.cpp

@@ -265,20 +265,6 @@ void Switch::send(const Packet &packet,bool encrypt)
 	}
 }
 
-#if 0
-void Switch::sendHELLO(const Address &dest)
-{
-	Packet outp(dest,RR->identity.address(),Packet::VERB_HELLO);
-	outp.append((unsigned char)ZT_PROTO_VERSION);
-	outp.append((unsigned char)ZEROTIER_ONE_VERSION_MAJOR);
-	outp.append((unsigned char)ZEROTIER_ONE_VERSION_MINOR);
-	outp.append((uint16_t)ZEROTIER_ONE_VERSION_REVISION);
-	outp.append(Utils::now());
-	RR->identity.serialize(outp,false);
-	send(outp,false);
-}
-#endif
-
 bool Switch::unite(const Address &p1,const Address &p2,bool force)
 {
 	if ((p1 == RR->identity.address())||(p2 == RR->identity.address()))
@@ -370,19 +356,10 @@ bool Switch::unite(const Address &p1,const Address &p2,bool force)
 void Switch::contact(const SharedPtr<Peer> &peer,const InetAddress &atAddr,unsigned int maxDesperation)
 {
 	TRACE("sending NAT-t message to %s(%s)",peer->address().toString().c_str(),atAddr.toString().c_str());
+	const uint64_t now = RR->node->now();
 
-	uint64_t now = RR->node->now();
-
-	Packet outp(peer->address(),RR->identity.address(),Packet::VERB_NOP);
-	outp.armor(peer->key(),false);
-
-	/* Note that we don't log this as a "sent" packet or send it via the peer's
-	 * normal send() path. That's because this is a trial packet to an
-	 * unconfirmed address.
-	 *
-	 * First attempt is always at desperation zero. Then we escalate to max
-	 * before escalating through other NAT-t strategies. */
-	RR->node->putPacket(atAddr,outp.data(),outp.size(),0);
+	// Attempt to contact at zero desperation first
+	peer->attemptToContactAt(RR,atAddr,0,now);
 
 	// If we have not punched through after this timeout, open refreshing can of whupass
 	{
@@ -454,14 +431,13 @@ unsigned long Switch::doTimerTasks()
 				} else {
 					// Nope, nothing yet. Time to kill some kittens.
 
-					Packet outp(qi->peer->address(),RR->identity.address(),Packet::VERB_NOP);
-					outp.armor(qi->peer->key(),false);
-
 					switch(qi->strategyIteration++) {
+
 						case 0: {
 							// First strategy: rifle method: direct packet to known port
-							RR->node->putPacket(qi->inaddr,outp.data(),outp.size(),qi->currentDesperation);
+							qi->peer->attemptToContactAt(RR,qi->inaddr,qi->currentDesperation,now);
 						}	break;
+
 						case 1: {
 							// Second strategy: shotgun method up: try a few ports above
 							InetAddress tmpaddr(qi->inaddr);
@@ -469,9 +445,10 @@ unsigned long Switch::doTimerTasks()
 							for(int i=0;i<9;++i) {
 								if (++p > 0xffff) break;
 								tmpaddr.setPort((unsigned int)p);
-								RR->node->putPacket(tmpaddr,outp.data(),outp.size(),qi->currentDesperation);
+								qi->peer->attemptToContactAt(RR,tmpaddr,qi->currentDesperation,now);
 							}
 						}	break;
+
 						case 2: {
 							// Third strategy: shotgun method down: try a few ports below
 							InetAddress tmpaddr(qi->inaddr);
@@ -479,7 +456,7 @@ unsigned long Switch::doTimerTasks()
 							for(int i=0;i<3;++i) {
 								if (--p < 1024) break;
 								tmpaddr.setPort((unsigned int)p);
-								RR->node->putPacket(tmpaddr,outp.data(),outp.size(),qi->currentDesperation);
+								qi->peer->attemptToContactAt(RR,tmpaddr,qi->currentDesperation,now);
 							}
 
 							// Escalate link desperation after all strategies attempted
@@ -493,6 +470,7 @@ unsigned long Switch::doTimerTasks()
 								qi->strategyIteration = 0;
 							}
 						}	break;
+
 					}
 
 					qi->fireAtTime = now + ZT_NAT_T_TACTICAL_ESCALATION_DELAY;