Dubious communication between iPad and iPhone on incoming call

I'm owner of an iPad and an iPhone, both running iOS 8.1.3 although this phenomenon did already appear with earlier iOS versions.

In the following scenario something weird is happening:

  • My iPad is at home in a private network (192.168.x.0) and has the address 192.168.x.y.
  • My iPhone is at the office in a private network (10.0.1.0) and has the address 10.0.1.z
  • Someone is calling me on my iPhone

Now the iPad tries to communicate with my iPhone by sending an ip packet from ip/port 192.168.x.y:57864 to ip/port 10.0.1.z:58590. Normally it is not possible to communicate between private networks directly, i.e. this packet makes no sense and would be discarded by my home router.

In this special case however, there is a VPN connection between my home and my office networks. Thus the packet is not discarded but forwarded by VPN from my home to my office network. The office firewall however is treating this packet as an attack and thus triggering an alarm mail to the admin.

  • The iPad appears to know the iPhone's address (probably through iCloud) although I'm in my office (together with my iPhone 🙂).
  • It is trying to communicate with the iPhone using private network addresses which in general is not possible. This is why I suspect that there is a bug somewhere in the FaceTime / telephony protocol.
  • I could change some of our firewall rules to avoid the alarm mail but that is not the point here.

Can someone explain if the behaviour described above makes sense in any situation or if it's really a bug (as I'm suspecting)?

Mac mini (Late 2012), OS X Mountain Lion (10.8.4)

Posted on Feb 10, 2015 6:03 AM

14 replies

Feb 11, 2015 6:14 AM in response to wjosten

Hi wjosten,

Thank you very much for your answer, but that is something I already know. As I might want to use the feature when both devices are in the SAME network (e.g. at home), I do not want to turn it on / off when I'm coming / leaving home.

My original question points in a more technical direction: In general, it is not possible to communicate between private networks directly. So sending an ip packet from one private network to another private network is something the software should never attempt to do - right?

Feb 11, 2015 6:45 AM in response to Hagen-1

So your network is always connected to your home network, correct? Since the connection is at the router level, that is probably why the iPad can get through, since it "sees" your iPhone on that network, just like you connecting with your computer. The reason it is setting off the alarm probably has to do with what restrictions you have on the VPN for what it can connect to. I'm not an expert on the VPN, but that would be my guess.

Feb 11, 2015 7:27 AM in response to ChrisJ4203

So your network is always connected to your home network, correct?

No, the connection is established on demand - but automatically. So the networks are connected quasi permanently.

Since the connection is at the router level, that is probably why the iPad can get through

Yes, of course.

since it "sees" your iPhone on that network

Hm - I'm not aware of a protocol that gives the iPad knowledge about the VPN connection. To me sending this special ip packet appears either as a bug or as a trial "is there by chance a VPN connection?". If not, any common home router will drop this packet.

The reason it is setting off the alarm probably has to do with what restrictions you have on the VPN for what it can connect to.

Exactly - but that is what I wrote already in my original post.


You should keep in mind that when I'm at the office, I cannot pick up my iPad - it's far away. Furthermore, private network addresses are not unique. It's possible that two iOS devices are both in a network e.g. 192.168.1.0 - a very common private network - but that these are different networks!

Feb 11, 2015 7:50 AM in response to Hagen-1

Functionally a VPN bridges 2 independent networks and makes them 1. That is the entire purpose of a VPN.


As such, since they are one, any data between them is treated as though it's on the same network. The iPad knows that the iPhone is on this same network, as such it can communicate with it for Continuity and getting the calls on the iPad.


There really is nothing wrong with this. It's working as designed. As long as both devices are on the same network, Continuity will work and Calls will ring on the iPad, and there will be communication between the devices.


The real issue here is why the packet is being treated as an attack on the office side. If it's coming from a valid VPN connection it should be let through normally.

Feb 12, 2015 12:37 AM in response to Phil0124

I do not agree with your answer in several ways. First, a VPN does not bridge something but connects different networks by a routing policy.

Second: Can you prove the thesis that the iPad "knows" that the iPhone is in the same network (e.g. by referring to some protocol specification)? I'm not aware of such a protocol.

Third: There is a second, more complex scenario, in which it becomes obvious that there is a BUG: When doing a FaceTime call from my home to some friend who by chance is using the same private address range as the office (i.e. 10.0.1.0), then the iPad/iPhone emits every few minutes an ip packet directed to my friend's iPad using its private ip address (10.0.1.xx). My home router however does forward this packet to the office using the VPN tunnel. This is not a theoretical construct, it is really happening. That is why I wrote the following passage in one of my previous posts:

Furthermore private network addresses are not unique. It's possible that two iOS devices are both in a network e.g. 192.168.1.0 - a very common private network - but that these are different networks!

Again: The question is not how to disable alarm mails at the office.


I continue to claim that there is a bug in the FaceTime / Continuity protocol. Two iOS devices must not try to communicate with each other using private ip addresses when they are not sure that they are in the same network. Maybe it is not a bug but a feature, because there is no simple way to determine if two devices are in the same subnet unless they can talk to each other, and thus iOS simply is trying to reach the other device and accepting that this may lead to weird ip traffic. I would be glad if someone from the Apple staff could enlighten this discussion a bit.

Feb 12, 2015 1:41 AM in response to Hagen-1

Apple don't generally monitor these forums for technical issues or engage in discussions here. You can report problems via the relevant feedback form, e.g. iPhone Feedback, iPad Feedback, or sign up for a free Apple Developer Connection account and make use of Apple Bug Reporter. They don't generally talk back, but they do claim to read everything. In rare cases they may reach out to you for further information.


tt2

Feb 12, 2015 7:43 AM in response to Hagen-1

You can disagree all you want, it will not change the truth. A VPN bridges two networks so that the remote one can use the local one as if it were physically there. From Wikipedia's page on VPNs:

A virtual private network (VPN) extends a private network across a public network, such as the Internet. It enables a computer or network-enabled device to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security and management policies of the private network.[1] A VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunneling protocols, or traffic encryptions.

VPN Definition


If you are FaceTime-ing a friend not on the same VPN or network, FaceTime uses a connection via Apple servers to establish a connection to the other user, since there is no way for your iPad to know the internal network IP address of the other user. That would also be pointless, since the only thing available to the outside world is the router's public IP. What IP they have in their network is irrelevant to FaceTime. FaceTime connects through Apple servers, not directly by IP.


However, an iPhone and an iPad using Continuity are connected through iCloud. Since Apple has not published any specs on how Continuity works, I can only surmise from what I see on my devices that when they are connected to the same network both devices are aware of each other. How, I cannot say, but they are, otherwise Continuity would not work.

Hagen-1 wrote:

I continue to claim that there is a bug in the FaceTime / Continuity protocol. Two iOS devices must not try to communicate with each other using private ip addresses when they are not sure that they are in the same network.

That is where your theory falls. The VPN means they are, for traffic purposes, on the same network, i.e. they can communicate with each other. Expecting them not to when the VPN is active is wrong.


Again the fact that it is being flagged as an attack is the issue. Everything else is working as designed. What you expect should happen simply does not match what actually should happen and is happening.


Just like your computer can use office resources from home through the VPN, so can the iPad. Since the resource it's looking for is your iPhone, it sends packets to it.


This is not a bug.


You can send Apple feedback if you wish. But there's nothing at all wrong with what is happening.


If you do not want this traffic, then disconnect the iPad from your Wifi network before leaving, or turn off the VPN on your home network so there is no access to the office network.

Feb 12, 2015 8:06 AM in response to Lawrence Finch

Thank you guys for all your comments!

I will send a report to Apple as suggested by turingtest2.


@Phil0124: A bridge works on OSI layer 2 - a VPN however is based on layer 3 (in general). That requires routing information that the iOS devices don't have. And yes: As you can only see the router's official ip address on the internet, it makes no sense to send a packet to a remote device using its local ip address rather than the router's ip address! You are writing many correct facts but drawing the wrong conclusions - just my 2 cents.

Feb 13, 2015 12:36 AM in response to Phil0124

Let us focus on the following situation:

  • There are three subnets: HOME (192.168.1.0/24), OFFICE (10.0.1.0/24) and FRIEND (10.0.1.0/24)
  • There is a VPN connection between HOME and OFFICE
  • Now a FaceTime call between an iOS device at HOME is established to a second iOS device at the location of FRIEND
  • During the FaceTime call ip packets from the iOS device at location HOME can be observed that are directed to the iOS device at location FRIEND using its local ip address (e.g. 10.0.1.5)
  • The router at HOME will forward this packet to OFFICE, where it obviously does not belong


In my opinion, the iOS devices break the following rule: Do not use local ip addresses as destination addresses when talking to each other. They rather should use the WAN ip address of the opposite site's router. Of course they also could be virtually connected by one of Apple's iCloud servers.

Can you tell me what is wrong with my configuration or my conclusion?
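To make the routing argument in this post concrete, here is an added example (not from the thread or from Apple) that models the HOME router's longest-prefix-match forwarding decision for the three subnets named above. The routing table, interface names and host addresses are constructed assumptions that match the post's scenario.

```python
"""Model the HOME router's forwarding decision for the thread's scenario.

Constructed example: the routing table, interface names and addresses are
made up to match the subnets named in the post (HOME 192.168.1.0/24,
OFFICE 10.0.1.0/24, FRIEND 10.0.1.0/24). Not Apple's or a router's code.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed routing table of the HOME router: (prefix, egress interface).
HOME_ROUTES: List[Tuple[str, str]] = [
    ("192.168.1.0/24", "lan"),      # HOME itself
    ("10.0.1.0/24", "vpn-office"),  # OFFICE, reachable over the site-to-site VPN
    ("0.0.0.0/0", "wan"),           # default route towards the Internet
]


def lookup(dst: str, routes: List[Tuple[str, str]] = HOME_ROUTES) -> str:
    """Longest-prefix match: the interface the router would forward dst to."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else "unroutable"


def overlaps(prefix_a: str, prefix_b: str) -> bool:
    """True when two sites use colliding address plans (OFFICE vs FRIEND)."""
    return ipaddress.ip_network(prefix_a).overlaps(ipaddress.ip_network(prefix_b))


def classify(dst: str, routes: List[Tuple[str, str]] = HOME_ROUTES) -> str:
    """Explain what happens to a packet sent from a HOME device to dst.

    A private (RFC 1918) destination outside the sender's own subnet only
    reaches anything if some route claims that prefix; with overlapping
    plans the packet is delivered to whichever site owns the route, not
    necessarily the site the sender meant.
    """
    d = ipaddress.ip_address(dst)
    iface = lookup(dst, routes)
    if not d.is_private:
        return f"public destination via {iface}: normal Internet traffic"
    if iface == "lan":
        return "private destination on the local subnet: normal local traffic"
    if iface == "wan":
        return "private destination with no route: sent to default, not routable on the Internet"
    return f"private destination off-subnet, forwarded via {iface}: lands at OFFICE even if FRIEND was meant"


if __name__ == "__main__":
    print(overlaps("10.0.1.0/24", "10.0.1.0/24"))   # OFFICE and FRIEND collide
    print(classify("10.0.1.5"))    # the packet the post describes
    print(classify("172.16.5.9"))  # a private destination with no VPN route
```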
