On Tue, Jul 12, 2016 at 11:46:43AM +0200, Martin Pieuchot wrote:
> On 12/07/16(Tue) 11:33, Claudio Jeker wrote:
> > On Tue, Jul 12, 2016 at 11:28:47AM +0200, Martin Pieuchot wrote:
> > > By default we have a route to reject compatible addresses:
> > >
> > > ::/96 ::1 UGRS 0 0 32768 8 lo0
> > >
> > > But the corresponding check in ip6_input() is still commented because it
> > > is "stronger than RFC1933". However since 1996 this RFC has been
> > > obsoleted twice and the newer one, RFC4213 says:
> > >
> > > The following changes have been performed since RFC 2893:
> > >
> > > - Removed automatic tunneling and use of IPv4-compatible
> > > addresses.
> > >
> > > - [...]
> > >
> > >
> > > Then later it explicitly documents:
> > >
> > > After the decapsulation, the node MUST silently discard a packet with
> > > an invalid IPv6 source address. The list of invalid source addresses
> > > SHOULD include at least:
> > >
> > > - all the IPv4-compatible IPv6 addresses [RFC3513] (::/96),
> > > excluding the unspecified address for Duplicate Address Detection
> > > (::/128)
> > >
> > > - [...]
> > >
> > >
> > > Do I understand correctly that it is time to enable this check?
> >
> > Would you then remove the ::/96 reject route from the routing table?
>
> I think this should be a second discussion. We also have a route for
> IPv4-mapped IPv6 addresses & have a similar check enabled in ip6_input():
>
> ::ffff:0.0.0.0/96 ::1 UGRS 0 0 32768 8 lo0
>
> Now routes also prevent any user from sending packets to such destinations.
> Note that we don't have similar checks in ip6_output().
Yes, this what was I was wondering. The route covers the output path and
forwarding path. So if we want to remove them we need to add an equivalent
check in ip6_output().
> > Or is this more a belt and suspender kind of thing?
>
> It is.
OK claudio@
PS: Not sure if ip6stat.ip6s_badscope is the right error counter but I think
it is the best we have and it is also used for the IPv4 mapped addrs.
> > > Index: netinet6/ip6_input.c
> > > ===================================================================
> > > RCS file: /cvs/src/sys/netinet6/ip6_input.c,v
> > > retrieving revision 1.162
> > > diff -u -p -r1.162 ip6_input.c
> > > --- netinet6/ip6_input.c 6 Jul 2016 15:50:00 -0000 1.162
> > > +++ netinet6/ip6_input.c 12 Jul 2016 09:17:04 -0000
> > > @@ -299,20 +299,17 @@ ip6_input(struct mbuf *m)
> > > ip6stat.ip6s_badscope++;
> > > goto bad;
> > > }
> > > -#if 0
> > > +
> > > /*
> > > * Reject packets with IPv4 compatible addresses (auto tunnel).
> > > *
> > > - * The code forbids auto tunnel relay case in RFC1933 (the check is
> > > - * stronger than RFC1933). We may want to re-enable it if mech-xx
> > > - * is revised to forbid relaying case.
> > > + * The code forbids automatic tunneling as per RFC4213.
> > > */
> > > if (IN6_IS_ADDR_V4COMPAT(&ip6->ip6_src) ||
> > > IN6_IS_ADDR_V4COMPAT(&ip6->ip6_dst)) {
> > > ip6stat.ip6s_badscope++;
> > > goto bad;
> > > }
> > > -#endif
> > >
> > > /*
> > > * If the packet has been received on a loopback interface it
> > >
> >
> > --
> > :wq Claudio
> >
>
--
:wq Claudio
