Help with intercepts

Hi Scarething,

When I initiate a connection request using a domain name, the SDK intercepts the request with the resolved IPv4 address and then maps it to the associated service through a reverse lookup.

After reviewing the service topology and tunnel logs, I’m curious about how the data flows specifically. If the tunnel SDK serves as the gateway for both client and service connections, and both the service and public routes are IPv6-based, how does the SDK enable an IPv4 HTTP request packet to traverse an IPv6 link and reach the service?

Thank you for your insights.

Hi @Guardiant314,

All of the OpenZiti tunnelers intercept connections based on the destination IP address of the segment. DNS is really just a layer on top of this, where the tunneler acts as a DNS server (to provide an IP address for e.g. "my-ziti-service.domain"). The tunneler's DNS server returns an IP address that it knows how to intercept (in the 100.64/10 range by default).

I'm not sure I understand your question about IPv4/IPv6... If your OpenZiti service uses a hostname in its intercept.v1 configuration then the IP address for the service is determined by the intercepting tunneler, by way of the previously mentioned DNS server. BTW the tunneler DNS servers currently provide IPv4 answers.

Once the underlay application (the one that is to be intercepted) starts sending packets, those packets will be picked up by the intercepting tunneler. The payloads of those packets will be sent via OpenZiti Edge messages to the hosting tunneler, which establishes its own TCP/IP connection with the underlay server application for sending the payloads to the server.

I'm not sure if this answers your question. I'm reminded of some previous replies that I've made here that may be relevant:
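To make the mechanism described in this reply concrete, here is a small Python model of the two pieces it mentions: a tunneler-side DNS responder that hands out IPv4 addresses from the 100.64.0.0/10 pool for known service hostnames, and an intercept step that maps a packet's destination IP back to the service by reverse lookup. This is an added illustration, not OpenZiti's code; the service names, hostnames, host addresses and the allocation order within the pool are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Default intercept pool named in the reply (CGNAT range).
INTERCEPT_POOL = ipaddress.ip_network("100.64.0.0/10")


@dataclass(frozen=True)
class Service:
    """Constructed stand-in for a service with intercept.v1 hostnames
    and a host.v1 address the hosting tunneler dials."""
    name: str
    hostnames: tuple
    host_addr: str


class InterceptTable:
    """Models the tunneler's DNS answer -> intercept address -> service mapping."""

    def __init__(self, pool=INTERCEPT_POOL):
        self._free = pool.hosts()   # hand out addresses in order (assumption)
        self._svc_by_host = {}      # hostname -> Service
        self._ip_by_host = {}       # hostname -> allocated intercept IP
        self._svc_by_ip = {}        # intercept IP -> Service (reverse lookup)

    def register(self, svc: Service) -> None:
        for h in svc.hostnames:
            self._svc_by_host[h.lower().rstrip(".")] = svc

    def resolve(self, qname: str, qtype: str = "A"):
        """DNS step: return an interceptable IPv4 address for a known hostname.
        Only A answers are produced, matching the reply's note that the
        tunneler DNS currently gives IPv4 answers; AAAA gets no answer here."""
        name = qname.lower().rstrip(".")
        if qtype != "A":
            return None
        svc = self._svc_by_host.get(name)
        if svc is None:
            return None  # a real tunneler would forward to the upstream resolver
        if name not in self._ip_by_host:
            ip = next(self._free)
            self._ip_by_host[name] = ip
            self._svc_by_ip[ip] = svc
        return str(self._ip_by_host[name])

    def intercept(self, dst_ip: str):
        """Packet step: decide by destination IP alone whether to intercept,
        and if so which service the payload is carried to."""
        ip = ipaddress.ip_address(dst_ip)
        if ip.version != 4 or ip not in INTERCEPT_POOL:
            return None
        svc = self._svc_by_ip.get(ip)
        return svc.name if svc else None

    def dial_target(self, dst_ip: str):
        """Hosting side: the address the hosting tunneler connects to on
        behalf of an intercepted flow, or None if not intercepted."""
        ip = ipaddress.ip_address(dst_ip)
        svc = self._svc_by_ip.get(ip)
        return svc.host_addr if svc else None


def build_demo_table() -> InterceptTable:
    """Constructed sample topology for the example."""
    table = InterceptTable()
    table.register(Service("web", ("my-ziti-service.domain",), "10.0.0.5:8080"))
    table.register(Service("db", ("db.ziti",), "10.0.0.9:5432"))
    return table


if __name__ == "__main__":
    t = build_demo_table()
    ip = t.resolve("my-ziti-service.domain")
    print("DNS answer:", ip)                       # address inside 100.64/10
    print("intercepted as:", t.intercept(ip))       # reverse lookup -> "web"
    print("hosting side dials:", t.dial_target(ip)) # host.v1-style address
    print("AAAA answer:", t.resolve("my-ziti-service.domain", "AAAA"))
    print("public IP intercepted?", t.intercept("1.1.1.1"))
```

The point the model makes is that the client never sends packets to the service's real address: it sends to an address the tunneler minted, and the IP family of that address is whatever the tunneler's DNS answered (IPv4 here), independent of how the hosting side later reaches the server.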

Hi scarething,

Thank you very much for your insights. For the tunneler, the critical factor is the destination address of the packets. After the controller receives a SYN dial request from the client, it locates the best service for the dial request. Then, when the server receives the dial request, the server-side gateway attempts to connect to the service bound to host.v1. Once the connection is established, the three-way handshake is completed. In this process, the entire chain is IPv4-based, including both the service and the public route.

On the client side, I’m using an IPv6 address recorded with intercept.v1 to make an HTTP request, attempting to connect to the host.v1 address, which is IPv4. This appears to involve accessing an IPv4 service using an IPv6 address. My question is, does the netif_shim_output_ip6 function send the SYN request with an IPv6 target address? And how is this packet with an IPv6 destination address routed through the IPv4 public route?

I've moved this to a new topic, it didn't feel like it fit on the other one. I'm not exactly sure what you're trying to do @Guardiant314. Maybe it'll help to reframe the question?