Martin Pieuchot <[email protected]> writes:
> By default we have a route to reject compatible addresses:
>
> ::/96 ::1 UGRS 0 0 32768 8 lo0
>
> But the corresponding check in ip6_input() is still commented because it
> is "stronger than RFC1933". However since 1996 this RFC has been
> obsoleted twice and the newer one, RFC4213 says:
>
> The following changes have been performed since RFC 2893:
>
> - Removed automatic tunneling and use of IPv4-compatible
> addresses.
>
> - [...]
>
>
> Then later it explicitly documents:
>
> After the decapsulation, the node MUST silently discard a packet with
> an invalid IPv6 source address. The list of invalid source addresses
> SHOULD include at least:
>
> - all the IPv4-compatible IPv6 addresses [RFC3513] (::/96),
> excluding the unspecified address for Duplicate Address Detection
> (::/128)
>
> - [...]
>
>
> Do I understand correctly that it is time to enable this check?
I think so, ok jca@.
> Index: netinet6/ip6_input.c
> ===================================================================
> RCS file: /cvs/src/sys/netinet6/ip6_input.c,v
> retrieving revision 1.162
> diff -u -p -r1.162 ip6_input.c
> --- netinet6/ip6_input.c 6 Jul 2016 15:50:00 -0000 1.162
> +++ netinet6/ip6_input.c 12 Jul 2016 09:17:04 -0000
> @@ -299,20 +299,17 @@ ip6_input(struct mbuf *m)
> ip6stat.ip6s_badscope++;
> goto bad;
> }
> -#if 0
> +
> /*
> * Reject packets with IPv4 compatible addresses (auto tunnel).
> *
> - * The code forbids auto tunnel relay case in RFC1933 (the check is
> - * stronger than RFC1933). We may want to re-enable it if mech-xx
> - * is revised to forbid relaying case.
> + * The code forbids automatic tunneling as per RFC4213.
> */
> if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) ||
> IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) {
> ip6stat.ip6s_badscope++;
> goto bad;
> }
> -#endif
>
> /*
> * If the packet has been received on a loopback interface it
>
--
jca | PGP: 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
