On 02/11/16(Wed) 10:19, Martin Pieuchot wrote:
> On 25/10/16(Tue) 22:13, Markus Friedl wrote:
> >
> > > Am 25.10.2016 um 17:13 schrieb Mike Belopuhov <[email protected]>:
> > >
> > >
> > > There are apparently some discussions in informational RFCs regarding
> > > this issue. For instance https://tools.ietf.org/html/rfc3756 states:
> > >
> > > More specifically, the currently used key agreement protocol, IKE,
> > > suffers from a chicken-and-egg problem [8]: one needs an IP address
> > > to run IKE, IKE is needed to establish IPsec SAs, and IPsec SAs are
> > > required to configure an IP address.
> > >
> > > Which goes one step further: how to protect all ND in general, but is
> > > still applicable in our situation. There were attempts to protect ND
> > > in an alternative way, e.g. SEND (https://tools.ietf.org/html/rfc3971).
> > > FreeBSD has picked up on it and has had a SoC project which seems to
> > > be integrated right now:
> > >
> > > https://wiki.freebsd.org/SOC2009AnaKukec
> > > https://www.freebsd.org/cgi/man.cgi?query=send&sektion=4
> > >
> > > Would it be possible for us to disable the check and always set saddr6
> > > to NULL for now?
> >
> > Fine w/me.
> >
> > Or we could check if the packet has been IPsec encapsulated
> > and set saddr6 to NULL in this case.
>
> Is this fixed? Anything we're still waiting for?
So something like that? FWIW I'm happy with fewer in6ifa_ifpwithaddr().

Index: netinet6/nd6_nbr.c
===================================================================
RCS file: /cvs/src/sys/netinet6/nd6_nbr.c,v
retrieving revision 1.110
diff -u -p -r1.110 nd6_nbr.c
--- netinet6/nd6_nbr.c 23 Aug 2016 11:03:10 -0000 1.110
+++ netinet6/nd6_nbr.c 4 Nov 2016 09:02:47 -0000
@@ -433,54 +433,23 @@ nd6_ns_output(struct ifnet *ifp, struct
}
ip6->ip6_dst = dst_sa.sin6_addr;
if (!dad) {
- /*
- * RFC2461 7.2.2:
- * "If the source address of the packet prompting the
- * solicitation is the same as one of the addresses assigned
- * to the outgoing interface, that address SHOULD be placed
- * in the IP Source Address of the outgoing solicitation.
- * Otherwise, any one of the addresses assigned to the
- * interface should be used."
- *
- * We use the source address for the prompting packet
- * (saddr6), if:
- * - saddr6 is given from the caller (by giving "ln"), and
- * - saddr6 belongs to the outgoing interface.
- * Otherwise, we perform the source address selection as usual.
- */
- struct ip6_hdr *hip6; /* hold ip6 */
- struct in6_addr *saddr6;
+ /* Perform source address selection. */
+ struct rtentry *rt;
- if (ln && ln->ln_hold) {
- hip6 = mtod(ln->ln_hold, struct ip6_hdr *);
- /* XXX pullup? */
- if (sizeof(*hip6) < ln->ln_hold->m_len)
- saddr6 = &hip6->ip6_src;
- else
- saddr6 = NULL;
- } else
- saddr6 = NULL;
- if (saddr6 && in6ifa_ifpwithaddr(ifp, saddr6))
- src_sa.sin6_addr = *saddr6;
- else {
- struct rtentry *rt;
+ rt = rtalloc(sin6tosa(&dst_sa), RT_RESOLVE,
+ m->m_pkthdr.ph_rtableid);
+ if (!rtisvalid(rt)) {
+ char addr[INET6_ADDRSTRLEN];
- rt = rtalloc(sin6tosa(&dst_sa), RT_RESOLVE,
- m->m_pkthdr.ph_rtableid);
- if (!rtisvalid(rt)) {
- char addr[INET6_ADDRSTRLEN];
-
- nd6log((LOG_DEBUG,
- "%s: source can't be determined: dst=%s\n",
- __func__, inet_ntop(AF_INET6,
- &dst_sa.sin6_addr, addr, sizeof(addr))));
- rtfree(rt);
- goto bad;
- }
- src_sa.sin6_addr =
- ifatoia6(rt->rt_ifa)->ia_addr.sin6_addr;
+ nd6log((LOG_DEBUG,
+ "%s: source can't be determined: dst=%s\n",
+ __func__, inet_ntop(AF_INET6,
+ &dst_sa.sin6_addr, addr, sizeof(addr))));
rtfree(rt);
+ goto bad;
}
+ src_sa.sin6_addr = ifatoia6(rt->rt_ifa)->ia_addr.sin6_addr;
+ rtfree(rt);
} else {
/*
* Source address for DAD packet must always be IPv6
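Review bot: the replacement comment `/* Perform source address selection. */` loses the reason for the change; the deleted block was the only place that implemented the RFC 2461 7.2.2 SHOULD (reuse the prompting packet's source address when it belongs to the outgoing interface), and a reader of the new code cannot tell that always running route-based source selection is deliberate rather than an oversight. Keep a short comment saying that the held packet's source address is intentionally not reused (the thread's reason for dropping the in6ifa_ifpwithaddr() check), so the old behaviour is not reintroduced later. The resulting control flow looks correct: the `!rtisvalid(rt)` path still calls `rtfree(rt)` before `goto bad`, and the success path frees the route immediately after copying `ia_addr.sin6_addr`, matching the previous ownership. Since the removed lines held the only reference to `ln` and `ln->ln_hold` in this hunk, check whether `ln` is still used elsewhere in nd6_ns_output(); if not, the parameter is now dead and should go too.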