On Tue, Jul 12, 2016 at 11:28:47AM +0200, Martin Pieuchot wrote: > By default we have a route to reject compatible addresses: > > ::/96 ::1 UGRS 0 0 32768 8 lo0 > > But the corresponding check in ip6_input() is still commented because it > is "stronger than RFC1933". However since 1996 this RFC has been > obsoleted twice and the newer one, RFC4213 says: > > The following changes have been performed since RFC 2893: > > - Removed automatic tunneling and use of IPv4-compatible > addresses. > > - [...] > > > Then later it explicitly documents: > > After the decapsulation, the node MUST silently discard a packet with > an invalid IPv6 source address. The list of invalid source addresses > SHOULD include at least: > > - all the IPv4-compatible IPv6 addresses [RFC3513] (::/96), > excluding the unspecified address for Duplicate Address Detection > (::/128) > > - [...] > > > Do I understand correctly that it is time to enable this check?
Would you then remove the ::/96 reject route from the routing table? Or is this more a belt and suspender kind of thing? > Index: netinet6/ip6_input.c > =================================================================== > RCS file: /cvs/src/sys/netinet6/ip6_input.c,v > retrieving revision 1.162 > diff -u -p -r1.162 ip6_input.c > --- netinet6/ip6_input.c 6 Jul 2016 15:50:00 -0000 1.162 > +++ netinet6/ip6_input.c 12 Jul 2016 09:17:04 -0000 > @@ -299,20 +299,17 @@ ip6_input(struct mbuf *m) > ip6stat.ip6s_badscope++; > goto bad; > } > -#if 0 > + > /* > * Reject packets with IPv4 compatible addresses (auto tunnel). > * > - * The code forbids auto tunnel relay case in RFC1933 (the check is > - * stronger than RFC1933). We may want to re-enable it if mech-xx > - * is revised to forbid relaying case. > + * The code forbids automatic tunneling as per RFC4213. > */ > if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) || > IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) { > ip6stat.ip6s_badscope++; > goto bad; > } > -#endif > > /* > * If the packet has been received on a loopback interface it > -- :wq Claudio