Introduction to Asymmetric Packet Loss
Asymmetric packet loss refers to the phenomenon where packets are lost or dropped in one direction of a network connection, but not in the other. This can occur due to various reasons, including misconfigured network devices, firewall rules, or routing tables. Understanding the causes of asymmetric packet loss is crucial for maintaining reliable and efficient network communication.
Causes and Importance of Investigating Asymmetric Packet Loss
Asymmetric packet loss can significantly impact network performance, leading to reduced throughput, increased latency, and packet retransmissions. It can be challenging to diagnose, as it may not be immediately apparent from network logs or monitoring tools. Resolving asymmetric packet loss requires a thorough understanding of network configuration and behavior, making it an excellent opportunity to refine network design and optimization skills.
Understanding the Plausible Culprits
Three plausible culprits for asymmetric packet loss are:
- Reverse Path Filtering: a security feature that checks the source IP address of incoming packets against the routing table to ensure that the packet arrived from the expected interface.
- Namespace-Local Firewall Rules: firewall rules configured within a specific namespace, which can affect packet flow between namespaces.
- Policy Routing Tables: routing tables configured to route packets based on specific policies, such as source IP address or packet marks.
Reverse Path Filtering
Overview
Reverse path filtering (RPF) is a security feature that checks the source IP address of incoming packets against the routing table to ensure that the packet arrived from the expected interface. If the routing table's path back to the packet's source IP address does not use the interface the packet arrived on, the packet is dropped.
Example Configuration and Code
To demonstrate RPF, consider a simple network setup with two namespaces, ns1 and ns2, connected by a virtual Ethernet pair, veth1 and veth2.
# Create namespaces and virtual Ethernet pair
ip netns add ns1
ip netns add ns2
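ip link add veth1 type veth peer name veth2
# Move each end of the pair into its namespace and bring the links up
ip link set veth1 netns ns1
ip link set veth2 netns ns2
ip netns exec ns1 ip link set veth1 up
ip netns exec ns2 ip link set veth2 up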
# Configure IP addresses and routing tables
ip netns exec ns1 ip addr add 10.0.0.1/24 dev veth1
ip netns exec ns2 ip addr add 10.0.0.2/24 dev veth2
ip netns exec ns1 ip route add default via 10.0.0.2 dev veth1
ip netns exec ns2 ip route add default via 10.0.0.1 dev veth2
# Enable RPF on ns1 (the kernel applies the higher of conf.all.rp_filter and conf.veth1.rp_filter)
ip netns exec ns1 sysctl -w net.ipv4.conf.veth1.rp_filter=1
Namespace-Local Firewall Rules
Overview
Namespace-local firewall rules refer to the firewall rules configured within a specific namespace, which can affect packet flow between namespaces.
Example Configuration and Code
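To demonstrate namespace-local firewall rules, consider the same network setup as before. The rules below block the ns1-to-ns2 direction (ns1 drops what it sends to 10.0.0.2, and ns2 drops what arrives from 10.0.0.1) while leaving the ns2-to-ns1 direction open.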
# Configure firewall rules on ns1
ip netns exec ns1 iptables -A INPUT -s 10.0.0.2 -j ACCEPT
ip netns exec ns1 iptables -A OUTPUT -d 10.0.0.2 -j DROP
# Configure firewall rules on ns2
ip netns exec ns2 iptables -A INPUT -s 10.0.0.1 -j DROP
ip netns exec ns2 iptables -A OUTPUT -d 10.0.0.1 -j ACCEPT
Policy Routing Tables
Overview
Policy routing tables refer to the routing tables configured to route packets based on specific policies, such as source IP address or packet marks.
Example Configuration and Code
To demonstrate policy routing tables, consider the same network setup as before.
# Configure policy routing tables on ns1
ip netns exec ns1 ip rule add from 10.0.0.1 table 100
ip netns exec ns1 ip route add default via 10.0.0.2 dev veth1 table 100
# Configure policy routing tables on ns2
ip netns exec ns2 ip rule add from 10.0.0.2 table 200
ip netns exec ns2 ip route add default via 10.0.0.1 dev veth2 table 200
Troubleshooting Asymmetric Packet Loss
To troubleshoot asymmetric packet loss, follow a structured approach:
- Identify the affected network path and packet flow.
- Inspect the routing tables, firewall rules, and policy routing tables.
- Use network debugging tools to capture and analyze packet traffic.
- Analyze network logs to identify packet loss patterns.
Using Network Debugging Tools
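To identify packet loss, use tcpdump to capture packet traffic on both ends of the network path. A packet that appears in one capture but not in the other shows in which direction the loss occurs.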
# Capture packet traffic on ns1
ip netns exec ns1 tcpdump -i veth1 -n -vv -s 0 -c 100
# Capture packet traffic on ns2
ip netns exec ns2 tcpdump -i veth2 -n -vv -s 0 -c 100
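As an added example (not part of the original page), the script below compares the text of the two captures and reports where an ICMP echo exchange stops. The function names, the case labels and the sample capture lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: given the text of a tcpdump capture from each end of the
# path, report where an ICMP echo exchange stops. Captures are constructed.
# On ingress tcpdump sees a packet before netfilter and rp_filter act on it;
# on egress it sees the packet only after the OUTPUT chain has accepted it.

# count_seen CAPTURE SRC DST KIND: lines containing "SRC > DST: ICMP echo KIND"
count_seen() {
    printf '%s\n' "$1" | awk -v pat="$2 > $3: ICMP echo $4" \
        'index($0, pat) { n++ } END { print n + 0 }'
}

# locate_drop SENDER_CAPTURE RECEIVER_CAPTURE SENDER_IP RECEIVER_IP
locate_drop() {
    req_tx=$(count_seen "$1" "$3" "$4" request)   # request leaving the sender
    req_rx=$(count_seen "$2" "$3" "$4" request)   # request reaching the receiver
    rep_tx=$(count_seen "$2" "$4" "$3" reply)     # reply leaving the receiver
    rep_rx=$(count_seen "$1" "$4" "$3" reply)     # reply reaching the sender
    if   [ "$req_tx" -eq 0 ]; then echo "sender-egress"     # OUTPUT rule or no route
    elif [ "$req_rx" -eq 0 ]; then echo "link-forward"      # lost between the interfaces
    elif [ "$rep_tx" -eq 0 ]; then echo "receiver-local"    # INPUT, rp_filter or OUTPUT there
    elif [ "$rep_rx" -eq 0 ]; then echo "link-reverse"      # reply lost between the interfaces
    else echo "sender-ingress-or-ok"                        # if ping still fails: INPUT or rp_filter
    fi
}

# Constructed captures for a ping from ns2 (10.0.0.2) to ns1 (10.0.0.1) with the
# firewall rules shown earlier: ns1 receives the request, its reply is dropped.
CAP_NS2='12:00:01.000100 IP 10.0.0.2 > 10.0.0.1: ICMP echo request, id 7, seq 1, length 64
12:00:02.000100 IP 10.0.0.2 > 10.0.0.1: ICMP echo request, id 7, seq 2, length 64'
CAP_NS1='12:00:01.000150 IP 10.0.0.2 > 10.0.0.1: ICMP echo request, id 7, seq 1, length 64
12:00:02.000150 IP 10.0.0.2 > 10.0.0.1: ICMP echo request, id 7, seq 2, length 64'

locate_drop "$CAP_NS2" "$CAP_NS1" 10.0.0.2 10.0.0.1
```

Matching on the address pair and ICMP type works for both the one-line `-n` output and the two-line `-vv` output, because the address line is the same in each.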
Testing and Isolating the Real Boundary
To isolate the real boundary, design test scenarios that exercise the network path and packet flow.
Executing Test Scenarios and Analyzing Results
To execute test scenarios, use ping or iperf to generate packet traffic and measure packet loss.
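# Generate packet traffic from ns1 to ns2
ip netns exec ns1 ping -c 100 10.0.0.2
# Start an iperf server in ns2 (UDP mode, so the server report includes datagram loss)
ip netns exec ns2 iperf -s -u &
# Measure packet loss from ns1 to ns2
ip netns exec ns1 iperf -c 10.0.0.2 -u -t 10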
Conclusion and Recommendations
In conclusion, asymmetric packet loss can be caused by various factors, including reverse path filtering, namespace-local firewall rules, and policy routing tables. To troubleshoot and resolve asymmetric packet loss, follow a structured approach that includes identifying the affected network path, inspecting routing tables and firewall rules, and using network debugging tools to capture and analyze packet traffic.