Merge branch 'master' into marcfrei/directfetcher

Author: marcfrei

.golangci.yml

@@ -91,6 +91,13 @@ linters:
       - linters:
           - goheader
         path: pkg/scrypto/cms
+      - linters:
+          - goheader
+        path: pkg/stun/stun.go
+      - linters:
+          - goheader
+          - lll
+        path: pkg/stun/stun_test.go
     paths:
       - third_party$
       - builtin$

MODULE.bazel

@@ -89,6 +89,7 @@ use_repo(
     "com_github_stretchr_testify",
     "com_github_uber_jaeger_client_go",
     "com_github_vishvananda_netlink",
+    "com_tailscale",
     "in_gopkg_yaml_v3",
     "org_go4_netipx",
     "org_golang_google_grpc",

acceptance/common/docker.py

@@ -147,6 +147,21 @@ def execute(self, container, *args, **kwargs):
         return self("exec", "-T", "--user", user, container,
                     "timeout", "1m", *args, **kwargs)
 
+    def execute_detached(self, container, *args, **kwargs):
+        """Executes an arbitrary command in the specified container.
+
+        There's one minute timeout on the command so that tests don't get stuck.
+
+        Args:
+            container: the name of the container to execute the command in.
+
+        Returns:
+            The output of the command.
+        """
+        user = kwargs.get("user", "{}:{}".format(os.getuid(), os.getgid()))
+        return self("exec", "-d", "-T", "--user", user, container,
+                    "timeout", "1m", *args, **kwargs)
+
     def execute_as_user(self, container, user, *args, **kwargs):
         """Executes an arbitrary command in the specified container.
 

demo/stun/BUILD.bazel

@@ -0,0 +1,16 @@
+load("//:scion.bzl", "scion_go_binary")
+load("//acceptance/common:topogen.bzl", "topogen_test")
+
+topogen_test(
+    name = "test",
+    src = "test.py",
+    args = [
+        "--executable=test-client:$(location //demo/stun/test-client)",
+        "--executable=test-server:$(location //demo/stun/test-server)",
+    ],
+    data = [
+        "//demo/stun/test-client",
+        "//demo/stun/test-server",
+    ],
+    topo = "//topology:tiny.topo",
+)

demo/stun/README.md

@@ -0,0 +1,61 @@
+# STUN Demo
+
+This demo shows how a client can use the STUN server implemented at the border router to determine
+its public facing IP address and port. This is useful in case the client is behind a NAT.
+The client can subsequently use the determined address as its source address in SCION communication,
+to ensure returning packets are correctly delivered back to the client.
+
+Note that this demo handles all STUN requests manually to demonstrate how STUN can be implemented in
+SCION. Our goal is to integrate these requests in client libraries so that STUN is performed
+automatically and transparently for clients.
+
+The topology used in the demo is based on `tiny.topo`.
+An additional network was added to simulate a private network inside AS `1-ff00:0:110`.
+An additional docker container was added to act as a NAT between the private network and the AS.
+The tester container was moved to within the private network.
+
+```text
+                +-----------------------+
+                |    AS 1-ff00:0:110    |
+                |   +---------------+   |
+                |   |    Tester     |   |
+                |   | (Test-Server) |   |
+                |   +---------------+   |
+                +-----------------------+
+                        |        |
+                        |        |
+          --------------+        +--------------
+          |                                    |
+  +--------------------------+   +-------------------------+
+  |     AS 1-ff00:0:111      |   |     AS 1-ff00:0:112     |
+  |                          |   |                         |
+  |                          |   |                         |
+  |  +--------------------+  |   |                         |
+  |  |  Private Subnet    |  |   |                         |
+  |  |    +----------+    |  |   |                         |
+  |  |    |    NAT   |    |  |   |                         |
+  |  |    +----------+    |  |   |                         |
+  |  |          |         |  |   |                         |
+  |  |  +---------------+ |  |   |                         |
+  |  |  |    Tester     | |  |   |                         |
+  |  |  | (Test-Client) | |  |   |                         |
+  |  |  +---------------+ |  |   |                         |
+  |  +--------------------+  |   +-------------------------+
+  +--------------------------+
+```
+
+The demo consists of two components: A test client and a test server.
+The test client is run within the private network behind the NAT,
+and tries to contact the test server, which is located in a different AS.
+
+The demo consists of the following steps:
+
+1. Generate, configure, and start topology
+2. Client performs STUN request
+3. Client sends SCION packet using determined public address to server
+4. Server replies with a SCION packet to client
+
+## Run the Demo
+
+1. [Set up the development environment](https://docs.scion.org/en/latest/build/setup.html)
+2. `bazel test --test_output=streamed --cache_test_results=no //demo/stun:test`

demo/stun/test-client/BUILD.bazel

@@ -0,0 +1,20 @@
+load("@rules_go//go:def.bzl", "go_binary", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["main.go"],
+    importpath = "github.com/scionproto/scion/demo/stun/test-client",
+    visibility = ["//visibility:private"],
+    deps = [
+        "//pkg/addr:go_default_library",
+        "//pkg/daemon:go_default_library",
+        "//pkg/snet:go_default_library",
+        "@com_tailscale//net/stun:go_default_library",
+    ],
+)
+
+go_binary(
+    name = "test-client",
+    embed = [":go_default_library"],
+    visibility = ["//visibility:public"],
+)

demo/stun/test-client/main.go

@@ -0,0 +1,195 @@
+// Copyright 2026 ETH Zurich
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"context"
+	"flag"
+	"log"
+	"net"
+	"net/netip"
+	"os"
+
+	"github.com/scionproto/scion/pkg/addr"
+	"github.com/scionproto/scion/pkg/daemon"
+	"github.com/scionproto/scion/pkg/snet"
+
+	"tailscale.com/net/stun"
+)
+
+// This demo handles all STUN requests manually to demonstrate how STUN can be implemented in SCION.
+// Normal clients should use a client library that performs STUN automatically and transparently.
+
+func main() {
+	log.SetOutput(os.Stdout)
+	log.Println("Client running")
+
+	var daemonAddr string
+	var localAddr snet.UDPAddr
+	var remoteAddr snet.UDPAddr
+	var data string
+	flag.StringVar(&daemonAddr, "daemon", "127.0.0.1:30255", "Daemon address")
+	flag.Var(&localAddr, "local", "Local address")
+	flag.Var(&remoteAddr, "remote", "Remote address")
+	flag.StringVar(&data, "data", "", "Data")
+	flag.Parse()
+
+	ctx := context.Background()
+
+	dc, err := daemon.NewService(daemonAddr).Connect(ctx)
+	if err != nil {
+		log.Fatalf("Failed to create SCION daemon connector: %v", err)
+	}
+
+	ps, err := dc.Paths(ctx, remoteAddr.IA, localAddr.IA, daemon.PathReqFlags{Refresh: true})
+	if err != nil {
+		log.Fatalf("Failed to lookup paths: %v", err)
+	}
+
+	if len(ps) == 0 {
+		log.Fatalf("No paths to %v available", remoteAddr.IA)
+	}
+
+	log.Printf("Available paths to %v:", remoteAddr.IA)
+	for _, p := range ps {
+		log.Printf("\t%v", p)
+	}
+
+	sp := ps[0]
+
+	log.Printf("Selected path to %v:", remoteAddr.IA)
+	log.Printf("\t%v", sp)
+
+	conn, err := net.ListenUDP("udp", localAddr.Host)
+	if err != nil {
+		log.Fatalf("Failed to bind UDP connection: %v", err)
+	}
+	defer conn.Close()
+
+	var srcAddr netip.Addr
+	var srcPort uint16
+	var ok bool
+
+	nextHop := sp.UnderlayNextHop()
+	if nextHop == nil && remoteAddr.IA.Equal(localAddr.IA) {
+		srcAddr, ok = netip.AddrFromSlice(localAddr.Host.IP)
+		if !ok {
+			log.Fatalf("Unexpected source address type")
+		}
+
+		// No STUN needed in intra-AS case
+		srcAddr = srcAddr.Unmap()
+		srcPort = uint16(localAddr.Host.Port)
+		nextHop = remoteAddr.Host
+	} else if nextHop == nil {
+		log.Fatalf("Unexpected nil next hop for inter-AS path")
+	} else {
+
+		// Generate and send STUN request
+		txID := stun.NewTxID()
+		req := stun.Request(txID)
+
+		var stunAddr = *nextHop
+		stunAddr.Port = 30042
+
+		_, err = conn.WriteToUDP(req, &stunAddr)
+		if err != nil {
+			log.Fatalf("Failed to write STUN packet: %v", err)
+		}
+
+		log.Print("Sent STUN request")
+
+		buf := make([]byte, 1024)
+		n, _, err := conn.ReadFromUDPAddrPort(buf[:])
+		if err != nil {
+			log.Fatalf("Failed to read STUN packet: %v", err)
+		}
+
+		// Read STUN response
+		tid, stunResp, err := stun.ParseResponse(buf[:n])
+		if err != nil {
+			log.Fatalf("Failed to decode STUN packet: %v", err)
+		}
+		if tid != txID {
+			log.Fatalf("txid mismatch: got %v, want %v", tid, txID)
+		}
+
+		log.Printf("Received STUN response: %v", stunResp)
+
+		// Use address and port from STUN response as source address and port
+		srcAddr = stunResp.Addr()
+		srcPort = stunResp.Port()
+	}
+
+	// Continue with normal SCION communication
+
+	dstAddr, ok := netip.AddrFromSlice(remoteAddr.Host.IP)
+	if !ok {
+		log.Fatal("Unexpected destination address type")
+	}
+	dstAddr = dstAddr.Unmap()
+
+	pkt := &snet.Packet{
+		PacketInfo: snet.PacketInfo{
+			Source: snet.SCIONAddress{
+				IA:   localAddr.IA,
+				Host: addr.HostIP(srcAddr),
+			},
+			Destination: snet.SCIONAddress{
+				IA:   remoteAddr.IA,
+				Host: addr.HostIP(dstAddr),
+			},
+			Path: sp.Dataplane(),
+			Payload: snet.UDPPayload{
+				SrcPort: srcPort,
+				DstPort: uint16(remoteAddr.Host.Port),
+				Payload: []byte(data),
+			},
+		},
+	}
+
+	err = pkt.Serialize()
+	if err != nil {
+		log.Fatalf("Failed to serialize SCION packet: %v", err)
+	}
+
+	_, err = conn.WriteTo(pkt.Bytes, nextHop)
+	if err != nil {
+		log.Fatalf("Failed to write SCION packet: %v", err)
+	}
+
+	pkt.Prepare()
+	n, _, err := conn.ReadFrom(pkt.Bytes)
+	if err != nil {
+		log.Fatalf("Failed to read SCION packet: %v", err)
+	}
+	pkt.Bytes = pkt.Bytes[:n]
+
+	err = pkt.Decode()
+	if err != nil {
+		log.Fatalf("Failed to decode SCION packet: %v", err)
+	}
+
+	pld, ok := pkt.Payload.(snet.UDPPayload)
+	if !ok {
+		log.Fatal("Failed to read packet payload")
+	}
+
+	response := string(pld.Payload)
+	log.Printf("Received data: \"%s\"", response)
+	if data != response {
+		log.Fatalf("Assertion failed: response does not match sent data")
+	}
+}

demo/stun/test-server/BUILD.bazel

@@ -0,0 +1,15 @@
+load("@rules_go//go:def.bzl", "go_binary", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["main.go"],
+    importpath = "github.com/scionproto/scion/demo/stun/test-server",
+    visibility = ["//visibility:private"],
+    deps = ["//pkg/snet:go_default_library"],
+)
+
+go_binary(
+    name = "test-server",
+    embed = [":go_default_library"],
+    visibility = ["//visibility:public"],
+)