
Re: [Handle-info] Option to configure bind address for outgoing connections?



I implemented the preload option as described in the Stack Overflow link you suggested.

 

Some notes for others who might want to use this:

After server management installed /usr/local/lib64/bind.so, I am now starting the Handle server with

 

BIND_ADDR="xxx.xxx.xxx.xxx" LD_PRELOAD=/usr/local/lib64/bind.so /path/to/handle/handle-9.3.0/bin/hdl-server /path/to/server/config

(where xxx.xxx.xxx.xxx is the IP address I needed to use for outgoing connections)

 

Because this works neither for IPv6 nor for UDP, I changed the following:

 

In config.dct in the server configuration directory: added

"no_udp_resolution" = "yes"

 

In handle-9.3.0/bin/hdl: added

-Djava.net.preferIPv4Stack=true

to the server startup command (line 42) to prevent Java from using IPv4-mapped IPv6 addresses.

 

In order not to be dependent on either making changes to the networking stack or using this bind.so trick, I think it would be nice if there were an option to configure the IP address for outgoing connections in config.dct in some future version of the Handle server, perhaps using the addresses that are configured with bind_address in config.dct as the default?

With restrictions on outgoing traffic becoming more common due to tightening security policies, I think this might be useful for others too.

 

Thanks,

Jasper
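Added example, not from the thread: the message above relies on a prebuilt bind.so from the Stack Overflow answer, so here is a minimal LD_PRELOAD shim of the same kind, written for this page and not the Stack Overflow code nor anything shipped with the Handle software. It hooks connect() and calls bind() on the socket first, using the BIND_ADDR variable name from the startup line above. It goes beyond what the message reports bind.so doing: it also covers UDP sockets that are connect()ed and dual-stack AF_INET6 sockets whose target is an IPv4-mapped address (what Java uses unless -Djava.net.preferIPv4Stack=true is set, as the [::ffff:...] entries in the ss output show). The source_addr_is() self-check, the 127.0.0.2 test address and the build command are assumptions of this example, not anything the Handle documentation prescribes.

```c
/* Added example (my code, not the Stack Overflow bind.so and not Handle code): an
 * LD_PRELOAD shim that pins the source address of outgoing connections to $BIND_ADDR
 * by calling bind() right before the real connect(). Build as a shared object with
 * cc -shared -fPIC -o bind.so bind_shim.c (add -ldl on glibc older than 2.34). */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <dlfcn.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifndef RTLD_NEXT                 /* glibc's value; normally exposed by _GNU_SOURCE */
#define RTLD_NEXT ((void *)-1L)
#endif

/* Parse $BIND_ADDR as IPv4. Returns 1 if set and valid, 0 otherwise. */
static int bind_addr_from_env(struct in_addr *out)
{
    const char *env = getenv("BIND_ADDR");
    if (!env || !*env) return 0;
    if (inet_pton(AF_INET, env, out) == 1) return 1;
    fprintf(stderr, "bind shim: BIND_ADDR '%s' is not an IPv4 address\n", env);
    return 0;
}

/* True if the socket has no local address yet; never re-bind one the application
 * bound itself (for example its listener bound via bind_address in config.dct). */
static int socket_is_unbound(int fd)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;
    if (getsockname(fd, (struct sockaddr *)&ss, &len) != 0) return 0;
    if (ss.ss_family == AF_INET) {
        const struct sockaddr_in *s4 = (const struct sockaddr_in *)&ss;
        return s4->sin_port == 0 && s4->sin_addr.s_addr == htonl(INADDR_ANY);
    }
    if (ss.ss_family == AF_INET6) {
        const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)&ss;
        return s6->sin6_port == 0 && IN6_IS_ADDR_UNSPECIFIED(&s6->sin6_addr);
    }
    return 0;
}

/* Bind fd to BIND_ADDR (ephemeral port) in the destination's family. A dual-stack
 * AF_INET6 socket talking to an IPv4-mapped target gets ::ffff:BIND_ADDR; native
 * IPv6 targets are left alone. Returns bind()'s result, or 0 if there is nothing to do. */
static int bind_to_source(int fd, const struct sockaddr *dst)
{
    struct in_addr src;
    if (!dst || !bind_addr_from_env(&src) || !socket_is_unbound(fd)) return 0;
    if (dst->sa_family == AF_INET) {
        struct sockaddr_in local = { .sin_family = AF_INET, .sin_addr = src };
        return bind(fd, (struct sockaddr *)&local, sizeof local);
    }
    if (dst->sa_family == AF_INET6) {
        const struct sockaddr_in6 *d6 = (const struct sockaddr_in6 *)dst;
        if (!IN6_IS_ADDR_V4MAPPED(&d6->sin6_addr)) return 0;
        struct sockaddr_in6 local = { .sin6_family = AF_INET6 };
        local.sin6_addr.s6_addr[10] = local.sin6_addr.s6_addr[11] = 0xff;
        memcpy(&local.sin6_addr.s6_addr[12], &src, 4);     /* ::ffff:a.b.c.d */
        return bind(fd, (struct sockaddr *)&local, sizeof local);
    }
    return 0;
}

/* Interposed connect(): TCP and connected UDP sockets both pass through here.
 * Unconnected UDP sockets that only ever call sendto() are NOT intercepted. */
int connect(int fd, const struct sockaddr *addr, socklen_t len)
{
    static int (*real_connect)(int, const struct sockaddr *, socklen_t);
    if (!real_connect) *(void **)&real_connect = dlsym(RTLD_NEXT, "connect");
    if (bind_to_source(fd, addr) != 0)
        fprintf(stderr, "bind shim: bind(%s) failed: %s; using the default source\n",
                getenv("BIND_ADDR"), strerror(errno));
    return real_connect(fd, addr, len);
}

/* Self-check (assumption of this example): set BIND_ADDR to bind_addr (unset when
 * NULL), connect an IPv4 socket of the given type to dst:9 through the shim, and
 * return 1 if the kernel reports the expected local address. A SOCK_DGRAM connect()
 * sends nothing, so this runs offline against loopback. */
int source_addr_is(int type, const char *bind_addr, const char *dst, const char *expected)
{
    if (bind_addr) setenv("BIND_ADDR", bind_addr, 1); else unsetenv("BIND_ADDR");
    int fd = socket(AF_INET, type, 0);
    if (fd < 0) return 0;
    struct sockaddr_in to = { .sin_family = AF_INET, .sin_port = htons(9) };
    inet_pton(AF_INET, dst, &to.sin_addr);
    if (connect(fd, (struct sockaddr *)&to, sizeof to) != 0 && errno != ECONNREFUSED) { close(fd); return 0; }
    struct sockaddr_in local;
    socklen_t len = sizeof local;
    char got[INET_ADDRSTRLEN];
    int ok = getsockname(fd, (struct sockaddr *)&local, &len) == 0 &&
             inet_ntop(AF_INET, &local.sin_addr, got, sizeof got) && strcmp(got, expected) == 0;
    close(fd);
    return ok;
}
```

Usage, given the paths from the startup line above: BIND_ADDR=xxx.xxx.xxx.xxx LD_PRELOAD=/usr/local/lib64/bind.so .../hdl-server .../config, then confirm with ss that SYN-SENT and ESTAB rows show the intended local address. On Linux, 127.0.0.2 is a loopback source that needs no configuration, so source_addr_is(SOCK_DGRAM, "127.0.0.2", "127.0.0.1", "127.0.0.2") returns 1 through the shim while the NULL (unset) case returns 127.0.0.1. Caveats: LD_PRELOAD only reaches dynamically linked programs that go through libc's connect(), a UDP socket that is never connect()ed and only calls sendto() keeps the kernel's default source (so keep no_udp_resolution until you have checked the UDP rows in ss), a failed bind() is logged to stderr and the connection proceeds with the default source rather than being refused, and native IPv6 destinations are deliberately not touched.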


From: Robert Tupelo-Schneck <schneck@cnri.reston.va.us>
Sent: Tuesday, October 4, 2022 23:18
To: Jasper Bedaux <J.Bedaux@uva.nl>
Cc: handle-info@cnri.reston.va.us
Subject: Re: [Handle-info] Option to configure bind address for outgoing connections?

 

Unfortunately, there is no existing handle software configuration to set the local IP address used for outgoing connections.

 

You can change the configuration of your OS / network stack in order to make .61 the default choice for outgoing connections instead of .58.

 

I came across this technique which might possibly be useful to you:  https://stackoverflow.com/questions/33961459/java-set-local-ip-address-without-changing-code

You could also use the techniques in Chapter 10 of http://www.handle.net/tech_manual/HN_Tech_Manual_9.pdf to make it so that you do not need your handle server to make outgoing calls in order to administer your handle server.

 

Best,

Robert

 

 

On Fri, Sep 30, 2022 at 3:36 AM Jasper Bedaux <J.Bedaux@uva.nl> wrote:

Hello all,

 

In consultation with our security/network/server management departments, we have a separate IP address for a Handle server (ending with .61). The main IP address of this server ends with .58.

 

Incoming and outgoing traffic is allowed for ports 2641 and 8000 for the IP address ending with .61, but not for the IP address ending with .58. For incoming connections, this is working fine but for outgoing connections, the Handle server tries to initiate connections on the IP address ending with .58, which is not allowed in our network.

 

Is it possible to configure the Handle server to bind to a certain IP address for OUTGOING connections like this is possible for incoming connections by using "bind_address" in the config.dct?

 

ss -a | grep hdl-srv

udp   UNCONN     0      0    [::ffff:***.***.***.61]:hdl-srv    *:*

tcp   LISTEN     0      50   [::ffff:***.***.***.61]:hdl-srv    *:*

tcp   CLOSE-WAIT 1      0    [::ffff:***.***.***.61]:hdl-srv    [::ffff:52.32.51.238]:37770

tcp   SYN-SENT   0      1    [::ffff:***.***.***.58]:54304      [::ffff:212.193.120.1]:hdl-srv

 

In the last line it can be seen that the IP address ending with .58 is used for an outgoing connection instead of the desired IP address ending with .61, resulting in our Handle server not being able to set up outgoing connections.

 

Thanks,

Jasper

_______________________________________________
Handle-Info mailing list
Handle-Info@cnri.reston.va.us
http://www.handle.net/mailman/listinfo/handle-info
