feat: Fix and enable connection migration tests

[larseggert]

No description provided.

[larseggert]

[larseggert]

@marten-seemann this is ready from my side.

[larseggert]

@marten-seemann conflict is resolved.

[mxinden]

@larseggert @marten-seemann I assume this is still worth merging?

[PiotrSikora]

FYI, using this branch with ghcr.io/mozilla/neqo-qns@3d9351310775 doesn't fix those tests for me:

~/quic-interop-runner$ ./run.py --client neqo --server neqo --test rebind-port,rebind-addr,connectionmigration
Saving logs to logs_2024-12-16T13:47:18.
Server: neqo. Client: neqo. Running test case: rebind-port
First server packet on new path (('193.167.100.100', 443), ('193.167.0.100', 57607)) did not contain a PATH_CHALLENGE frame
Layer QUIC
:       QUIC Connection information
        Expert Info (Note/Protocol): Unknown QUIC connection. Missing Initial Packet or migrated connection?
        Unknown QUIC connection. Missing Initial Packet or migrated connection?
        Severity level: Note
        Group: Protocol
        Packet Length: 27
        QUIC Short Header
        0... .... = Header Form: Short Header (0)
        .1.. .... = Fixed Bit: True
        ..0. .... = Spin Bit: False
        Remaining Payload: eb2b35fd069b454771d4d5e4fd39a8a4ba0bd1dda2b803ce7148

Server: neqo. Client: neqo. Running test case: rebind-addr
At least one QUIC packet could not be decrypted
First server packet on new path (('193.167.100.100', 443), ('193.167.0.224', 59022)) did not contain a PATH_CHALLENGE frame
Layer QUIC
:       QUIC Connection information
        Expert Info (Note/Protocol): Unknown QUIC connection. Missing Initial Packet or migrated connection?
        Unknown QUIC connection. Missing Initial Packet or migrated connection?
        Severity level: Note
        Group: Protocol
        Packet Length: 27
        QUIC Short Header
        0... .... = Header Form: Short Header (0)
        .0.. .... = Fixed Bit: False
        ..1. .... = Spin Bit: True
        Remaining Payload: a761a55f7de9efd6426cb682a15da8fdb421917c52c7a905bb56

At least one QUIC packet could not be decrypted
Server saw these client addresses: {'193.167.0.3', '193.167.0.100', '193.167.0.224', '193.167.0.71'}
At least one QUIC packet could not be decrypted
First server packet on new path (('193.167.100.100', 443), ('193.167.0.224', 59022)) did not contain a PATH_CHALLENGE frame
Layer QUIC
:       QUIC Connection information
        Expert Info (Note/Protocol): Unknown QUIC connection. Missing Initial Packet or migrated connection?
        Unknown QUIC connection. Missing Initial Packet or migrated connection?
        Severity level: Note
        Group: Protocol
        Packet Length: 27
        QUIC Short Header
        0... .... = Header Form: Short Header (0)
        .0.. .... = Fixed Bit: False
        ..1. .... = Spin Bit: True
        Remaining Payload: a761a55f7de9efd6426cb682a15da8fdb421917c52c7a905bb56

Server: neqo. Client: neqo. Running test case: connectionmigration
First server packet on new path (('fd00:cafe:cafe:100::100', 4443), ('fd00:cafe:cafe::100', 34845)) did not contain a PATH_CHALLENGE frame
Layer QUIC
:       QUIC Connection information
        Expert Info (Note/Protocol): Unknown QUIC connection. Missing Initial Packet or migrated connection?
        Unknown QUIC connection. Missing Initial Packet or migrated connection?
        Severity level: Note
        Group: Protocol
        Packet Length: 1232
        QUIC Short Header
        0... .... = Header Form: Short Header (0)
        .0.. .... = Fixed Bit: False
        ..0. .... = Spin Bit: False
        Remaining Payload: e3678bf3e8f6161e0d4c19bc5b3f81094ee54443d31cab012f1c631b139fef9358a1689f…

Server saw these client addresses: {'fd00:cafe:cafe::100'}
Server saw only a single client IP address in use; test broken?
First server packet on new path (('fd00:cafe:cafe:100::100', 4443), ('fd00:cafe:cafe::100', 34845)) did not contain a PATH_CHALLENGE frame
Layer QUIC
:       QUIC Connection information
        Expert Info (Note/Protocol): Unknown QUIC connection. Missing Initial Packet or migrated connection?
        Unknown QUIC connection. Missing Initial Packet or migrated connection?
        Severity level: Note
        Group: Protocol
        Packet Length: 1232
        QUIC Short Header
        0... .... = Header Form: Short Header (0)
        .0.. .... = Fixed Bit: False
        ..0. .... = Spin Bit: False
        Remaining Payload: e3678bf3e8f6161e0d4c19bc5b3f81094ee54443d31cab012f1c631b139fef9358a1689f…

Server saw these client addresses: {'fd00:cafe:cafe::100'}
Server saw only a single client IP address in use; test broken?
Run took 0:02:34.886099
+------+-------------+
|      |     neqo    |
+------+-------------+
| neqo |     ✓()     |
|      |     ?()     |
|      | ✕(BP,BA,CM) |
+------+-------------+

Also, s2n-quic has an alternative patch (https://github.com/aws/s2n-quic/blob/main/.github/interop/runner.patch) for those tests, and the rebinding tests are passing for me across multiple implementations when using it.

[larseggert]

Those Wireshark messages probably mean you have a version installed that is too old.

[PiotrSikora]

Those Wireshark messages probably mean you have a version installed that is too old.

$ tshark -v
TShark (Wireshark) 4.0.17 (Git v4.0.17 packaged as 4.0.17-0+deb12u1).
$ editcap -v
Editcap (Wireshark) 4.0.17 (Git v4.0.17 packaged as 4.0.17-0+deb12u1).

Isn't that recent enough? README.md says 3.5.0+... Although, I'm not sure what the "development version" refers to, I suspect it's a leftover from before 4.x stable release?

[larseggert]

Those are too old. I use TShark (Wireshark) 4.5.0rc0-830-g10cc65f41321 (v4.5.0rc0-830-g10cc65f41321). at the moment.

[PiotrSikora]

Thanks, that helped!

However, even with tshark built from the same commit as yours (10cc65f413214ee66ea0d2a3cb04c6ef65bad079), the connection migration test still fails for me:

$ ./run.py --client neqo --server neqo --test rebind-port,rebind-addr,connectionmigration
Saving logs to logs_2024-12-17T03:40:19.
Server: neqo. Client: neqo. Running test case: rebind-port
Server saw these paths used: {(('193.167.100.100', 443), ('193.167.0.100', 44827)), (('193.167.100.100', 443), ('193.167.0.100', 57607)), (('193.167.100.100', 443), ('193.167.0.100', 59022))}
Server: neqo. Client: neqo. Running test case: rebind-addr
Server saw these paths used: {(('193.167.100.100', 443), ('193.167.0.224', 59022)), (('193.167.100.100', 443), ('193.167.0.71', 39968)), (('193.167.100.100', 443), ('193.167.0.100', 55795)), (('193.167.100.100', 443), ('193.167.0.3', 38910))}
Server saw these client addresses: {'193.167.0.100', '193.167.0.71', '193.167.0.224', '193.167.0.3'}
Server saw these paths used: {(('193.167.100.100', 443), ('193.167.0.224', 59022)), (('193.167.100.100', 443), ('193.167.0.71', 39968)), (('193.167.100.100', 443), ('193.167.0.100', 55795)), (('193.167.100.100', 443), ('193.167.0.3', 38910))}
Server: neqo. Client: neqo. Running test case: connectionmigration
Server saw these paths used: {(('fd00:cafe:cafe:100::100', 443), ('fd00:cafe:cafe::100', 43132)), (('fd00:cafe:cafe:100::100', 4443), ('fd00:cafe:cafe::100', 43132))}
Server saw these client addresses: {'fd00:cafe:cafe::100'}
Server saw only a single client IP address in use; test broken?
Server saw these paths used: {(('fd00:cafe:cafe:100::100', 443), ('fd00:cafe:cafe::100', 43132)), (('fd00:cafe:cafe:100::100', 4443), ('fd00:cafe:cafe::100', 43132))}
Server saw these client addresses: {'fd00:cafe:cafe::100'}
Server saw only a single client IP address in use; test broken?
Run took 0:02:57.550582
+------+----------+
|      |   neqo   |
+------+----------+
| neqo | ✓(BP,BA) |
|      |   ?()    |
|      |  ✕(CM)   |
+------+----------+

Note that the connection migration test is using IPv6, and not IPv4 like the rebinding tests (which are passing now), so perhaps the issue is elsewhere?

[marten-seemann]

Do we need to bump the WIRESHARK_CACHEKEY to build a new Wireshark version?

[marten-seemann]

This doesn't look correct.

[larseggert]

It is? You gotta indent the block if it's supposed to be part of the bullet.

[marten-seemann]

I see, makes sense.

[marten-seemann]

This means that implementation that don't implement path validation yet (like quic-go 🤐) will fail this test. I think this is ok, since this is a mandatory part of the RFC. Might lead to some complaints though if the matrix is getting slightly more red as a result of merging this PR.

[larseggert]

No progress without pain.

[lxin]

@larseggert I'm adding the ConnectionMigration testcase for linux QUIC where I set preferred address ('193.167.100.100', 444) from server side. However, it failed in the check() of TestCaseAddressRebinding (the parent class of TestCaseConnectionMigration):

        if len(ips) <= 1:
            logging.info(
                "Server saw only a single client IP address in use; test broken?"
            )
            return TestResult.FAILED

I don't understand why it requires client source IP address to change after the client migrates its dest IP to the server's preferred address? did you see any description on RFC for that?

Thanks.

[larseggert]

The assumption for TestCaseConnectionMigration was that the client needs to migrate from IPv4 to IPv6 (or vice versa) to the server's preferred address, because the simulator nodes only have one IPv4 and IPv6 address each.

I don't think simply sending another IPv4 address in the TPs works?

[lxin]

oh, I see the idea now, thanks for the explanation.

[larseggert]

@lxin actually, I misremembered and what I said was incorrect. TestCaseConnectionMigration should work when migrating to a preferred address of the same address family as is currently used. The server can just use a different port for the preferred address. So there is a bug.

[lxin]

@larseggert I think it’s fine for this to serve as a test case for QUIC’s ability to handle migration between IPv4 and IPv6 (or vice versa), just the test case description should explicitly states this purpose. Otherwise, users might interpret it as writing migration within the same address family, as I initially did.

This is a great test case for migration across address families to me. It might be worth requiring implementations to fully support this scenario, rather than simply 'working around' it by limiting the migration to the same address family to pass the test case.

BTW, with the fix you posted in #419, it now passes in the Linux QUIC when the migration involves only a port change.

Thanks.