Cédric de Launois <delaunois at info dot ucl dot ac dot be>
José Vasconcellos <jvasco at bellatlantic dot net>
Weird problem with RSIP ? IRC :
- irc.freenode.net, 6667, #rsip
- irc.gnome.org, 6667, #gnomemeeting (for problem with RSIP and GnomeMeeting)
Generalities
What is RSIP ? Why use RSIP instead of NAT ?
Is it Free Software ?
What are the features provided by this RSIP server ?
Installation concerns
How to install the RSIP server ?
How to install the user-mode RSIP client ?
How to install the kernel-mode RSIP client ?
How to start and to stop the RSIP server ?
How to start the user-mode RSIP client ?
How to start and stop the kernel-mode RSIP client ?
What is required to run RSIP on the server ?
Are there any other operating systems supported ?
How it works
How does the server work ?
How does the user-mode client work ?
How does the kernel-mode client work ?
How does it work for the ICMP messages (Ping, etc.) ?
What is the difference between a LISTEN and a RSAP request ?
What happens if there is a conflict with the ports used by servers ?
Can I...
Can I use RSIP besides the NAT ?
Can I install a server on my private network ?
Can I install two or more servers on my private network ?
When using RSIP, can I still access a private host using its private address ?
Can I ping my RSIP host ?
Can I get an history of the RSIP activity on the server ?
Can I see which hosts are currently using RSIP on the server ?
Can I see the current state of the kernel-mode RSIP client ?
Troubleshooting
I get a warning with the server : "Conflict with the local ports ..."
"slptool: command not found ..."
"No service:rsip defined!"
"Unable to connect to RSIP server: Connection refused"
"Unable to register with RSIP server"
"Unable to create tunnel (ioctl: No such device)"
"Unable to get port assignments!"
"Unable to set default route"
"Can't send rsip packet. MTU problem."
Some packets seem to vanish, blocking the application !
Server says : "Unknown interface rsip2x1"
Greetings
Who invented RSIP ?
Who implemented the RSIP server ?
Who implemented the user-mode RSIP client ?
Who implemented the kernel-mode RSIP client ?
Generalities
What is RSIP ? Why use RSIP instead of NAT ?
RSIP is a new protocol which may be used as an alternative to
NAT/PAT. For example, we may use RSIP to share an Internet
connection between several computers. Imagine you own 3 computers
at home but only 1 Internet connection. NAT/PAT is often used to
share this connection to allow the three computers to surf at the
same time.
NAT maps internal addresses and ports to external addresses
and ports. This mapping is managed entirely by the NAT server;
special ALG modules may be required on the server to handle
application protocols that contain address information. With
RSIP, the server leases external addresses and ports to the
internal nodes. These hosts then send packets destined to
the external network to the RSIP server encapsulated inside a
tunnel. The server forwards packets without modification.
Since RSIP does not modify the packets, every non-server application
works transparently. We may surf, send email, transfer files, etc.
using RSIP from one of our three private computers, even at the
same time. For example, you may use videoconferencing
applications such as
GnomeMeeting. This is not possible with NAT without a
specific NAT module !
RSIP is defined in RFC3102 "Realm
Specific IP: Framework" and in
RFC3103 "RSIP Protocol Specification".
Is it Free Software ?
Yes it is. It is licensed under the GPL.
What are the features provided by this RSIP server ?
- Supports UDP and TCP protocols
- RSA-IP and RSAP-IP supported with ICMP support
- Supports IP/IP and IP/GRE tunnels
- SLP support
- Runs entirely in USER MODE, no kernel modification needed !
- L2TP tunnels not supported
- QUERY_REQUEST not supported
- Statistics about clients available by doing rsipdctl dump
- Configuration file : /etc/rsip/rsipd.conf
Installation concerns
How to install the RSIP server ?
You can install the RSIP server by doing make; make install;.
Check the parameters in the configuration file
/etc/rsip/rsipd.conf before starting the server.
If you intend to use SLP, first install it. Then (re)compile the RSIP
server (make will automatically compile it with SLP support).
To remove RSIP, do make uninstall.
How to install the user-mode RSIP client ?
The rsip client daemon is a python script that manages the
RSIP protocol and sets up the tunnel to the server. The
rsip client needs to know the address and port of the
rsip server. The easiest way is to run SLP on the server
and install slptool on the client host.
See the install section.
How to install the kernel-mode RSIP client ?
The kernel-mode client is a kernel module you have to compile and
load into your running kernel. You must have the kernel sources
installed to compile the krsip module. If your Linux kernel source
directory is not /usr/src/linux, you can change it
by editing the Makefile. make will compile the module,
make install will copy the krsip.o file into
/lib/modules/2.4.x/misc/. make uninstall
will remove this file.
To start using the kernel-mode RSIP client, just load the krsip
module with the option ip=<IP of the RSIP server>.
Example :
insmod krsip ip=192.168.1.1
See the install section for more
information.
How to start and to stop the RSIP server ?
If you are using SLP, first make sure the slpd daemon is running before
starting the RSIP server.
You can now use the rsipdctl script to start and stop the server.
To start the server: rsipdctl start, to stop it: rsipdctl stop.
You can obtain the status of the server with rsipdctl dump.
You may also start the server manually: /usr/bin/rsipd &. You
must be root to start it. Stop the server by sending it the TERM signal :
killall rsipd. The server will stop properly. To get the status of the
server manually, send it the USR1 (10) signal. Its status will be dumped
in the /etc/rsipd.stat file.
How to start the user-mode RSIP client ?
Start the rsip client by typing python rsipclient.py as ROOT.
Use the --help option to list the various options
available; none are required.
How to start and stop the kernel-mode RSIP client ?
Start the rsip client by loading the krsip module as ROOT.
Don't forget to specify the ip option to tell the module where your
RSIP server is located. See above.
You can check that the module correctly registered with the RSIP
server by using either dmesg or
cat /proc/sys/net/krsip/state.
You can stop using the module by unloading it : rmmod krsip.
If the module is busy, stop applications which were started after
you loaded the RSIP module until the krsip "Used" field given by lsmod
reaches zero. In particular, stop server applications like Apache,
GnomeMeeting, etc.
What is required to run RSIP on the server ?
The rsipd has been tested on Linux 2.4.x. Iptables should be installed
as well as the ipip tunneling kernel module (ip_gre tunneling is optional).
The slpd from http://www.openslp.org
is highly recommended as it will allow easier installation of the client
software, but it is not required.
Are there any other operating systems supported ?
The rsip client and server have only been tested with Linux
2.4. Modification for other operating systems depends on the
availability of tunneling protocols and forwarding software.
We don't know about implementations on other operating systems
like Windows.
Volunteers to help out in this area are welcomed to contact
the authors.
How it works
How does the server work ?
When a RSIP host asks for an external access, the RSIP server allocates
an IP address (which is the public IP address of the server) to the host
and a set of ports to use with this address.
A tunnel is then created between the host and the server. The creation of
the tunnel makes a new virtual interface available. This new interface
owns the public IP received from the RSIP server. Two interfaces (one
private, one (virtual) public) are now available to the client.
Once the tunnel is established, the client sends all the traffic destined
to the Internet through this tunnel.
However, the local traffic is still sent directly on the private
interface.
Packets destined to the Internet are then forwarded by the RSIP server,
without any alteration.
Note that the host really owns the same IP as the server. So, packets
coming from your host really have the IP of the server in their header.
Packets coming from the Internet and destined to a RSIP host are forwarded
to the right RSIP host by examining the destination port, as NAT does.
The difference is that the RSIP server just forwards them through the right
tunnel to the right host. There's no need to alter the packets since the
headers of these packets already contain the right IP address and port.
How does the user-mode client work ?
The rsip client daemon allocates a block of ports at startup
from the server and uses these for socket connections.
The default is 255 ports. Note that the client modifies
/proc/sys/net/ipv4/ip_local_port_range to that allocated by
the server. This limits the number of sockets the client can
have opened!
How does the kernel-mode client work ?
The kernel-mode client is a kernel module which automatically
contacts the RSIP server, establishes the tunnels, and asks the RSIP server
for the ports needed by running applications. For example, when you start
an Apache server, the module detects that port 80 is requested and
asks the RSIP server whether it is available. If it is, the Apache server
can use port 80 as usual. If not, the Apache server behaves as if
there were another application using port 80.
How does it work for the ICMP messages (Ping, etc.) ?
When you are on a private RSIP host, you can ping any private or public host. When
pinging a public host, packets are processed by the RSIP server, which retains
some information in order to correctly process the future replies. The mechanism
used is the same as the one used by NAT. This mechanism is necessary since there
is no port number in ICMP messages. So the only way to demultiplex ping messages is by
examining and retaining information about these ping requests. But this mechanism
does not modify the ICMP packets.
Another mechanism is used for ICMP error packets. Other (very rare) ICMP packets
are simply not processed. These are ICMP Information Request and ICMP Timestamp.
What is the difference between a LISTEN and a RSAP request ?
More than 65000 ports are available on the server. But only a fraction of
these ports are reserved for RSIP use. We must distinguish two port types :
- Ports used by servers, such as web, ftp, ssh servers, etc.
- Ports used by applications, such as web browsers, etc.
These two ranges of ports are defined in the RSIP config file
/etc/rsip/rsipd.conf. The parameters are called LISTEN_RANGE and
PORT_RANGE.
For this RSIP server implementation, the only difference between these ports is that
the server ports require well-defined port numbers (such as 80, 21, 22 etc.). Ports
used by applications do not need specific port numbers.
LISTEN requests are used to request a well-defined port number, while RSAP requests
are used to reserve a pool of ports to be used by normal applications.
What happens if there is a conflict with the ports used by servers ?
If a RSIP host requests the use of a server port which has already been allocated to
a server on another host, it will receive a negative answer from the server.
If a well-known port used by the gateway is assigned to a host (remember that there
is no conflict checking for the ports defined in the LISTEN_RANGE), then the port
will be MASKED on the GATEWAY. Every packet with that destination port will be
forwarded to the RSIP host.
Can I...
Can I use RSIP besides the NAT ?
Yes. A RSIP host will automatically use RSIP. NAT may still be used for
hosts which do not support RSIP. Simply leave the masquerading rule
in place. Packets with a private address and destined to the Internet
will automatically be NAT'ed, without RSIP interference.
Can I install a server on my private network ?
Yes. A mechanism similar to the "port forwarding" of the NAT/PAT may be used
with RSIP. You have to use the LISTEN_REQUEST option of your client program.
Example : using the Python script of José Vasconcellos, just do
python rsipclient.py -l 80 to request the port 80.
The server will now forward each packet destined to port 80 to your web server.
Can I install two or more servers on my private network ?
As with NAT, it is not possible to install two servers using the same port.
This means, for example, that you cannot install two WEB servers both running on port 80.
But you may run several servers on different ports, e.g. a WEB server on port
80, another on port 8080, a FTP server on port 21 and a SSH server on port 22.
When using RSIP, can I still access my private host using its private address ?
Yes ! The RSIP host creates a NEW (virtual) interface (a tunnel interface) having the public
IP address of the RSIP server. The host still owns its (real) private interface for
communications destined to other hosts of the same private network.
Can I ping my RSIP host ?
Yes, you can. On a private host, you may ping a RSIP host by using its private address.
On your RSIP host, you may ping another private host by pinging the private address of this
host. You may also ping public hosts from your RSIP host.
BUT it is NOT POSSIBLE for someone on the Internet to ping your private RSIP host.
Incoming ICMP requests destined to a RSIP host are simply dropped by the RSIP server.
Can I get an history of the RSIP activity ?
The RSIP server uses the syslog facility to log all relevant information about RSIP
activity. You can tune the level of information you want to see in the logs by
defining the LOG_LEVEL option in the config file /etc/rsip/rsipd.conf.
Can I see which hosts are currently using RSIP ?
One file contains all the information about the RSIP hosts : /etc/rsip/rsipd.stat.
This file is dumped when sending signal USR1 to the server and looks like this :
RSIP server status file. Thu Jun 20 18:06:54 2002
Client       Leased Address  STATE     ID     BID    LT     RLT    TUNNEL   PROTO  PORTS
192.168.0.2  130.104.229.82  ASSIGNED  00001  00001  00593  00594  rsip1x1  TCP    22(1)
192.168.0.2  130.104.229.82  ASSIGNED  00001  00002  00594  00594  rsip1x1  TCP    8192...(255)
192.168.0.3  130.104.229.82  ASSIGNED  00002  00001  00057  00087  rsip2x1  TCP    80(1)
192.168.0.3  130.104.229.82  ASSIGNED  00002  00002  00058  00087  rsip2x1  TCP    10240...(255)
This means that the private host 192.168.0.2 is using RSIP, received ID 0001,
and must extend its register lease time (RLT) within 594 seconds from now.
It used TCP to register with the server and made two requests, for which
it received two 'binds'. A bind is a set of couples .
The IP address received by the client is here 130.104.229.82. The client requested
port 22 for its first bind, and ports 8192 to 8446 for its second bind. The value
shown inside parentheses is the number of ports for this bind.
Each bind has a "Bind ID" (which is shown under header BID) and a lease time (LT)
shown in seconds. In order to keep its bind, the client must extend it before
the lease time expires.
The name of the tunnel interface towards that client is rsip1x1.
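The dump can be turned into an inventory of which private host receives inbound traffic for each leased public port. The following is an added example, not part of the rsipd distribution; it parses the sample shown above, and the function names and the reading of the PORTS column as first port plus port count are assumptions drawn from this answer.

```python
import re
from collections import namedtuple

# Sample copied from the status dump shown in this answer.
SAMPLE_DUMP = """\
RSIP server status file. Thu Jun 20 18:06:54 2002
Client Leased Address STATE ID BID LT RLT TUNNEL PROTO PORTS
192.168.0.2 130.104.229.82 ASSIGNED 00001 00001 00593 00594 rsip1x1 TCP 22(1)
192.168.0.2 130.104.229.82 ASSIGNED 00001 00002 00594 00594 rsip1x1 TCP 8192...(255)
192.168.0.3 130.104.229.82 ASSIGNED 00002 00001 00057 00087 rsip2x1 TCP 80(1)
192.168.0.3 130.104.229.82 ASSIGNED 00002 00002 00058 00087 rsip2x1 TCP 10240...(255)
"""

Bind = namedtuple("Bind", "client leased state client_id bind_id lease "
                          "reg_lease tunnel proto first_port last_port")

# PORTS column: "22(1)" or "8192...(255)" = first port and number of ports.
PORTS_RE = re.compile(r"^(\d+)(?:\.\.\.)?\((\d+)\)$")

def parse_dump(text):
    """Return one Bind per data row; title and header lines are skipped."""
    binds = []
    for line in text.splitlines():
        f = line.split()
        m = PORTS_RE.match(f[9]) if len(f) == 10 else None
        if not m:
            continue
        first, count = int(m.group(1)), int(m.group(2))
        binds.append(Bind(f[0], f[1], f[2], int(f[3]), int(f[4]), int(f[5]),
                          int(f[6]), f[7], f[8], first, first + count - 1))
    return binds

def owner_of(binds, port):
    """Private host whose tunnel receives inbound packets for this public port."""
    for b in binds:
        if b.first_port <= port <= b.last_port:
            return b.client
    return None

def single_port_binds(binds):
    """One-port binds, i.e. the fixed service ports (22 and 80 in the sample)."""
    return sorted((b.first_port, b.client) for b in binds
                  if b.first_port == b.last_port)

def overlapping(binds):
    """Binds of different clients on one leased address that share a port."""
    return [(a, b) for i, a in enumerate(binds) for b in binds[i + 1:]
            if a.client != b.client and a.leased == b.leased
            and a.first_port <= b.last_port and b.first_port <= a.last_port]

def expiring(binds, within):
    """Binds whose lease time (LT) runs out in at most `within` seconds."""
    return [(b.client, b.bind_id, b.lease) for b in binds if b.lease <= within]

if __name__ == "__main__":
    binds = parse_dump(SAMPLE_DUMP)
    for port, client in single_port_binds(binds):
        print(f"public port {port} is forwarded to {client}")
    print("overlapping leases:", overlapping(binds))
    print("binds expiring within 60 s:", expiring(binds, 60))
```

An empty result from overlapping() is the expected state; any pair it returns means two hosts hold the same public port.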
Can I see the current state of the kernel-mode RSIP client ?
If you are using the kernel-mode RSIP client, its state is available by
reading file /proc/sys/net/krsip/state.
STATE     CLIENT ID  RLT  PROTO  SERVER       PORT  TUNNEL
assigned  7          172  udp    192.168.0.1  4555  rsip
LEASED ADDRESS  PORTS      BIND ID  LEASE TIME  USED
130.104.229.82  8192-8446  1        25          1
130.104.229.82  80         2        43          1
130.104.229.82  1720       4        172         1
130.104.229.82  5000       5        49          1
130.104.229.82  5001       6        50          1
130.104.229.82  5002       7        51          1
130.104.229.82  5003       8        52          1
RULES (policy ACCEPT)
I6010-6010
This example shows which ports are used when an Apache server is
running and when a call with GnomeMeeting is in progress. The example
also shows a port (6010) ignored by RSIP. RSIP won't be used for
this port.
Troubleshooting
I get a warning : "Conflict with the local ports ..."
Two ranges of ports are defined when using RSIP. The first range, defined by the 'PORT_RANGE'
option of the RSIP config file (/etc/rsip/rsipd.conf), specifies the ports that can be
used by the RSIP hosts. The second range, defined in
/proc/sys/net/ipv4/ip_local_port_range,
specifies the ports that can be used by an application running on the RSIP gateway itself.
These two ranges must be distinct, otherwise conflicts may appear since the same port could then
be used twice : by an application running on the RSIP gateway and by another application
on a RSIP host.
To avoid this, change the 'PORT_RANGE' option in the RSIP config file
/etc/rsip/rsipd.conf and set it to a range that does not conflict with the one
defined in /proc/sys/net/ipv4/ip_local_port_range.
Note that there is no check for conflicts about the ports defined by the 'LISTEN_RANGE'
option.
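The two conflicts described in this answer and under "What happens if there is a conflict with the ports used by servers ?" can be checked before starting the server. This is an added example, not part of the RSIP distribution: PORT_RANGE and LISTEN_RANGE are passed as hypothetical (low, high) tuples because the rsipd.conf syntax is not shown here, and the /proc samples are constructed.

```python
# Constructed sample inputs (not taken from a real gateway).
SAMPLE_LOCAL_RANGE = "32768\t61000\n"  # /proc/sys/net/ipv4/ip_local_port_range
# Constructed /proc/net/tcp excerpt: listeners on 22 and 80 (state 0A)
# and one established connection (state 01).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1302
   2: 52E56882:8124 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 1403
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

def parse_local_range(text):
    """Parse the two integers of ip_local_port_range into (low, high)."""
    low, high = (int(v) for v in text.split())
    return low, high

def overlap(a, b):
    """Intersection of two inclusive port ranges, or None if they are distinct."""
    low, high = max(a[0], b[0]), min(a[1], b[1])
    return (low, high) if low <= high else None

def listening_ports(proc_net_tcp):
    """TCP ports the gateway itself listens on, from /proc/net/tcp text."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:      # first line is the header
        fields = line.split()
        if len(fields) > 3 and fields[3] == TCP_LISTEN:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))  # port is hex
    return sorted(ports)

def audit(port_range, listen_range, local_range_text, proc_net_tcp):
    """Report both conflicts for hypothetical PORT_RANGE / LISTEN_RANGE values.

    port_range_conflict: ports usable both by RSIP hosts and by applications
    on the gateway (the case behind the server warning).
    maskable_gateway_ports: gateway listeners inside LISTEN_RANGE; no conflict
    check is made for them, so leasing one masks the gateway's own service.
    """
    local = parse_local_range(local_range_text)
    low, high = listen_range
    return {
        "port_range_conflict": overlap(port_range, local),
        "maskable_gateway_ports": [p for p in listening_ports(proc_net_tcp)
                                   if low <= p <= high],
    }

if __name__ == "__main__":
    # Hypothetical configuration values chosen to trigger both findings.
    print(audit((8192, 40000), (1, 1023),
                SAMPLE_LOCAL_RANGE, SAMPLE_PROC_NET_TCP))
```

On a live gateway, pass the contents of /proc/sys/net/ipv4/ip_local_port_range and /proc/net/tcp instead of the samples.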
"slptool: command not found ..."
The SLP service is not properly installed. SLP is optional, so you can
use the -s option of the client to locate the server.
"No service:rsip defined!"
The client failed to locate the RSIP server. Check that :
- The RSIP server is started
- The SLP server is running. You may sometimes need to restart SLP.
- The RSIP server is compiled with SLP support (this is not always
the case with packages). If you are not sure, recompile the server
and check that SLP is installed and that the file
/usr/include/slp.h is present. The server should compile with option
_HAVE_SLP.
- Your network is correctly set up.
"Unable to connect to RSIP server: Connection refused"
The client failed to connect to RSIP server. Check that :
- The RSIP server is started.
- Your network is correctly set up.
- Your firewall rules do not block port 4555.
- The port configured in the config file /etc/rsip/rsipd.conf is
the right one (4555 by default).
- You connect to the server through its internal interface. Check
that the INT_IF option of the config file is set to the name
of your internal interface. Clients using the external interface
of the server are not allowed to use RSIP.
"Unable to register with RSIP server"
The client failed to register with RSIP server. Check that :
- The value of the MAX_CLIENTS option is not too low. If it is
set to 0 and if you only own one public IP address
(from your ISP), then at most 5 clients will be allowed to
register with the RSIP server. You can increase this value.
"Unable to create tunnel (ioctl: No such device)"
The client failed to establish the tunnel with the RSIP server.
First check that the IPIP tunneling module is loaded : run iptunnel; if
you don't see anything, then try modprobe ipip.
If modprobe fails, check that the ipip.o module is available with your kernel. If
not, then compile your kernel with the IP tunneling option selected.
"Unable to get port assignments!"
The client did not receive the resources from the server.
- Check that some resources are still available. Remember that only
one client may ask the full port range of the server using RSA-IP.
This may be the origin of the lack of resources.
- Check that the resource you received is a valid one. If your server
received a public IP address from the ISP, then the client should
also receive this public address from the RSIP server. If you
do not get the right address, then you probably have to check the
POOL, INT_IF and EXT_IF options of the config file.
- It is also possible that the resource couldn't be assigned because
the server encountered an error. For example, the server won't
assign the resource if it can't establish an IPIP tunnel with
the client. In all cases, check the log files to see if the server
reported an error.
"Unable to set default route"
The client failed to correctly establish the tunnel and/or the default route to
the server. This can happen because an IPIP tunnel with the
name 'rsip' already exists (e.g. because the client has been manually killed).
Check that a tunnel named 'rsip' does not exist : iptunnel.
If one exists, delete it : iptunnel del rsip.
"Can't send rsip packet. MTU problem."
The MTU of the RSIP tunnel is not well configured. This MTU should be
lower than the MTU of the external interface of the gateway. The MTU of the
server end of the tunnel must be greater than the client end of the tunnel.
Example : if the MTU of your external interface is 1500 :
- Set MTU to 1480 in /etc/rsip/rsipd.conf
- Start the rsipclient with option -m 1400
Some packets seem to vanish, blocking the application !
This may be due to the MTU of the rsip interface on the client. This MTU should be
lower than the MTU of the external interface of the gateway. The MTU of the
server end of the tunnel must be greater than the client end of the tunnel.
Example : if the external interface of your gateway is ppp0 with a MTU of 1432,
then :
- Set MTU to 1412 in /etc/rsip/rsipd.conf
- Start the rsipclient with option -m 1412
Server says : "Unknown interface rsip2x1"
The server can't establish the tunnel with the client. This error is probably
caused by the existence of another IPIP tunnel between the server and the client.
To solve the problem :
- Stop the server.
- Type "iptunnel" as root in a terminal. Check that no other
IPIP tunnel with a name starting with "rsip" exists.
- If one exists, remove it with "iptunnel del rsip2x1" (or another
tunnel name).
- Restart the server.
Greetings
Who invented RSIP ?
RSIP is an experimental protocol defined by the Network Working Group of The
Internet Society (RFC 3102, 3103 and 3104).
The authors of this protocol are : M. Borella, D. Grabelsky, J. Lo,
G. Montenegro and K. Taniguchi.
Copyright (C) The Internet Society (2001). All Rights Reserved.
Who implemented the RSIP server ?
The creator of this premier implementation of a RSIP server for Linux,
and currently its sole developer, is Cédric de Launois
(delaunois at info dot ucl dot ac dot be).
He initiated the project on
21 September 2001 at the Université Catholique de Louvain in Belgium
(http://www.ucl.ac.be).
He is the main author of this F.A.Q.
Who implemented the user-mode RSIP client ?
The creator of the RSIP client is José Vasconcellos
(jvasco at bellatlantic dot net).
He is the principal contributor to the RSIP server and to this F.A.Q.
Who implemented the kernel-mode RSIP client ?
The creator of the kernel-mode RSIP client and its sole developer is
Cédric de Launois.