Resolve multiple addresses for remote responder.
This CL updates IkeSessionStateMachine to resolve multiple addresses for
the remote peer in the Initial State. This is necessary for MOBIKE,
where the device may start on a v6 Network then transition to a v4-only
Network. If no v4 addresses are resolved, this transition is not
possible.
Bug: 149954916
Bug: 172060298
Bug: 175317600
Test: atest FrameworksIkeTests
Change-Id: If44a9f0cee6efaa119c2d098227e2cda956c4a18
diff --git a/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachine.java b/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachine.java
index de248a6..496dd7a 100644
--- a/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachine.java
+++ b/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachine.java
@@ -68,6 +68,7 @@
import android.net.IpSecManager.ResourceUnavailableException;
import android.net.IpSecManager.SpiUnavailableException;
import android.net.IpSecManager.UdpEncapsulationSocket;
+import android.net.LinkProperties;
import android.net.Network;
import android.net.NetworkCapabilities;
import android.net.NetworkRequest;
@@ -161,6 +162,7 @@
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.net.Inet4Address;
+import java.net.Inet6Address;
import java.net.InetAddress;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
@@ -436,6 +438,11 @@
/** Local port assigned on device. Initialized in Initial State. */
@VisibleForTesting int mLocalPort;
+ /** Available remote addresses that are v4. Resolved in Initial State. */
+ @VisibleForTesting final List<Inet4Address> mRemoteAddressesV4 = new ArrayList<>();
+ /** Available remote addresses that are v6. Resolved in Initial State. */
+ @VisibleForTesting final List<Inet6Address> mRemoteAddressesV6 = new ArrayList<>();
+
/** Indicates if both sides support NAT traversal. Set in IKE INIT. */
@VisibleForTesting boolean mSupportNatTraversal;
/** Indicates if local node is behind a NAT. */
@@ -1205,9 +1212,21 @@
@Override
public void enterState() {
try {
- // TODO(b/149954916): Do DNS resolution asynchronously and support resolving
- // multiple addresses.
- mRemoteAddress = mNetwork.getByName(mIkeSessionParams.getServerHostname());
+ // TODO(b/149954916): Do DNS resolution asynchronously
+ InetAddress[] allRemoteAddresses =
+ mNetwork.getAllByName(mIkeSessionParams.getServerHostname());
+
+ logd("Resolved addresses for peer: " + Arrays.toString(allRemoteAddresses));
+
+ for (InetAddress remoteAddress : allRemoteAddresses) {
+ if (remoteAddress instanceof Inet4Address) {
+ mRemoteAddressesV4.add((Inet4Address) remoteAddress);
+ } else {
+ mRemoteAddressesV6.add((Inet6Address) remoteAddress);
+ }
+ }
+
+ setRemoteAddress();
boolean isIpv4 = mRemoteAddress instanceof Inet4Address;
if (isIpv4) {
@@ -1245,6 +1264,33 @@
}
/**
+ * Set the remote address for the peer.
+ *
+ * <p>Prefers IPv6 addresses if:
+ *
+ * <ul>
+ * <li>an IPv6 address is known for the peer, and
+ * <li>the current underlying Network has a global (non-link local) IPv6 address available
+ * </ul>
+ *
+ * Otherwise, an IPv4 address will be used.
+ */
+ private void setRemoteAddress() {
+ LinkProperties linkProperties = mConnectivityManager.getLinkProperties(mNetwork);
+ if (!mRemoteAddressesV6.isEmpty() && linkProperties.hasGlobalIpv6Address()) {
+ // TODO(b/175348096): randomly choose from available addresses
+ mRemoteAddress = mRemoteAddressesV6.get(0);
+ } else {
+ if (mRemoteAddressesV4.isEmpty()) {
+ throw new IllegalArgumentException("No valid IPv4 or IPv6 addresses for peer");
+ }
+
+ // TODO(b/175348096): randomly choose from available addresses
+ mRemoteAddress = mRemoteAddressesV4.get(0);
+ }
+ }
+
+ /**
* Idle represents a state when there is no ongoing IKE exchange affecting established IKE SA.
*/
class Idle extends LocalRequestQueuer {
@@ -5408,11 +5454,13 @@
throw new IllegalStateException("MOBIKE must be enabled to update the Network");
}
- // TODO(b/172060298): prefer IPv6 once Responder addresses are cached
- boolean isIpv4 = mRemoteAddress instanceof Inet4Address;
Network oldNetwork = mNetwork;
mNetwork = network;
+ setRemoteAddress();
+
+ boolean isIpv4 = mRemoteAddress instanceof Inet4Address;
+
try {
// Only switch the IkeSocket if the underlying Network actually changes. This may not
// always happen (ex: the underlying Network loses the current local address)
diff --git a/tests/iketests/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachineTest.java b/tests/iketests/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachineTest.java
index cb5ae8d..6d49189 100644
--- a/tests/iketests/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachineTest.java
+++ b/tests/iketests/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachineTest.java
@@ -96,6 +96,8 @@
import android.annotation.Nullable;
import android.app.AlarmManager;
import android.content.Context;
+import android.net.LinkAddress;
+import android.net.LinkProperties;
import android.net.Network;
import android.net.eap.EapSessionConfig;
import android.net.ipsec.ike.ChildSaProposal;
@@ -203,6 +205,7 @@
import java.io.IOException;
import java.net.Inet4Address;
+import java.net.Inet6Address;
import java.net.InetAddress;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
@@ -356,6 +359,8 @@
private IkeUdp6Socket mSpyIkeUdp6Socket;
private IkeSocket mSpyCurrentIkeSocket;
+ private LinkAddress mMockLinkAddressGlobalV6;
+
private IkeNattKeepalive mMockIkeNattKeepalive;
private TestLooper mLooper;
@@ -752,6 +757,10 @@
eq(mMockDefaultNetwork), eq(false /* isIpv4 */), any(), anyInt()))
.thenReturn(LOCAL_ADDRESS_V6);
+ mMockLinkAddressGlobalV6 = mock(LinkAddress.class);
+ when(mMockLinkAddressGlobalV6.getAddress()).thenReturn(UPDATED_LOCAL_ADDRESS_V6);
+ when(mMockLinkAddressGlobalV6.isGlobalPreferred()).thenReturn(true);
+
mMockEapAuthenticatorFactory = mock(IkeEapAuthenticatorFactory.class);
mMockEapAuthenticator = mock(EapAuthenticator.class);
doReturn(mMockEapAuthenticator)
@@ -1414,7 +1423,7 @@
.build();
mIkeSessionStateMachine = makeAndStartIkeSession(ikeParams);
- verify(mMockDefaultNetwork).getByName(REMOTE_HOSTNAME);
+ verify(mMockDefaultNetwork).getAllByName(REMOTE_HOSTNAME);
}
@Test
@@ -4800,7 +4809,6 @@
IkeSessionParams mockSessionParams = mock(IkeSessionParams.class);
when(mockSessionParams.getServerHostname()).thenReturn(REMOTE_HOSTNAME);
- when(mMockDefaultNetwork.getByName(REMOTE_HOSTNAME)).thenReturn(REMOTE_ADDRESS);
RuntimeException cause = new RuntimeException();
when(mockSessionParams.getSaProposalsInternal()).thenThrow(cause);
@@ -5423,8 +5431,15 @@
// IKE client always supports NAT-T. So the peer decides if both sides support NAT-T.
mIkeSessionStateMachine.mSupportNatTraversal = doesPeerSupportNatt;
- mIkeSessionStateMachine.mLocalAddress = isIpv4 ? LOCAL_ADDRESS : LOCAL_ADDRESS_V6;
- mIkeSessionStateMachine.mRemoteAddress = isIpv4 ? REMOTE_ADDRESS : REMOTE_ADDRESS_V6;
+ if (isIpv4) {
+ mIkeSessionStateMachine.mLocalAddress = LOCAL_ADDRESS;
+ mIkeSessionStateMachine.mRemoteAddress = REMOTE_ADDRESS;
+ mIkeSessionStateMachine.mRemoteAddressesV4.add(REMOTE_ADDRESS);
+ } else {
+ mIkeSessionStateMachine.mLocalAddress = LOCAL_ADDRESS_V6;
+ mIkeSessionStateMachine.mRemoteAddress = REMOTE_ADDRESS_V6;
+ mIkeSessionStateMachine.mRemoteAddressesV6.add(REMOTE_ADDRESS_V6);
+ }
if (doesPeerSupportNatt && isIpv4) {
// Assume NATs are detected on both sides
@@ -5596,9 +5611,23 @@
private Network mockNewNetworkAndAddress(boolean isIpv4) throws Exception {
Network newNetwork = mock(Network.class);
- InetAddress expectedRemoteAddress = isIpv4 ? REMOTE_ADDRESS : REMOTE_ADDRESS_V6;
- InetAddress injectedLocalAddress =
- isIpv4 ? UPDATED_LOCAL_ADDRESS : UPDATED_LOCAL_ADDRESS_V6;
+ InetAddress expectedRemoteAddress;
+ InetAddress injectedLocalAddress;
+ if (isIpv4) {
+ expectedRemoteAddress = REMOTE_ADDRESS;
+ injectedLocalAddress = UPDATED_LOCAL_ADDRESS;
+
+ mIkeSessionStateMachine.mRemoteAddressesV4.add((Inet4Address) expectedRemoteAddress);
+ } else {
+ expectedRemoteAddress = REMOTE_ADDRESS_V6;
+ injectedLocalAddress = UPDATED_LOCAL_ADDRESS_V6;
+ mIkeSessionStateMachine.mRemoteAddressesV6.add((Inet6Address) expectedRemoteAddress);
+
+ LinkProperties linkProperties = new LinkProperties();
+ linkProperties.addLinkAddress(mMockLinkAddressGlobalV6);
+ when(mMockConnectManager.getLinkProperties(eq(newNetwork))).thenReturn(linkProperties);
+ }
+
when(mMockIkeLocalAddressGenerator.generateLocalAddress(
eq(newNetwork), eq(isIpv4), eq(expectedRemoteAddress), anyInt()))
.thenReturn(injectedLocalAddress);
diff --git a/tests/iketests/src/java/com/android/internal/net/ipsec/ike/IkeSessionTestBase.java b/tests/iketests/src/java/com/android/internal/net/ipsec/ike/IkeSessionTestBase.java
index 5d14a04..7528c4c 100644
--- a/tests/iketests/src/java/com/android/internal/net/ipsec/ike/IkeSessionTestBase.java
+++ b/tests/iketests/src/java/com/android/internal/net/ipsec/ike/IkeSessionTestBase.java
@@ -50,6 +50,7 @@
import java.net.Inet4Address;
import java.net.Inet6Address;
+import java.net.InetAddress;
import java.util.concurrent.Executor;
public abstract class IkeSessionTestBase {
@@ -109,10 +110,12 @@
.newWakeLock(anyInt(), argThat(tag -> tag.contains(LOCAL_REQUEST_WAKE_LOCK_TAG)));
mMockDefaultNetwork = mock(Network.class);
- doReturn(REMOTE_ADDRESS).when(mMockDefaultNetwork).getByName(REMOTE_HOSTNAME);
- doReturn(REMOTE_ADDRESS)
+ doReturn(new InetAddress[] {REMOTE_ADDRESS})
.when(mMockDefaultNetwork)
- .getByName(REMOTE_ADDRESS.getHostAddress());
+ .getAllByName(REMOTE_HOSTNAME);
+ doReturn(new InetAddress[] {REMOTE_ADDRESS})
+ .when(mMockDefaultNetwork)
+ .getAllByName(REMOTE_ADDRESS.getHostAddress());
mMockSocketKeepalive = mock(SocketKeepalive.class);
