Date:      Wed, 2 May 2012 12:38:29 +0100
From:      Alex Yong <annonymouse+freebsd@gmail.com>
To:        freebsd-net@freebsd.org
Subject:   [patch] Strong ES model in IPv6
Message-ID:  <CAJW_4zDzstMswcKty-hWGYtkM2q_2HChn3FNyfBNokZe6rnKRA@mail.gmail.com>

Hi all,

I have some questions regarding accomplishing the strong model for
ingress IPv6 traffic with FreeBSD, as implemented in ip6_input.c.

Does it make sense to have a strong ES model in IPv6 *at all*?  I've
yet to find any wording in the RFCs referring to this – although
nothing explicitly disallowing it.  Given that addresses that are
globally scoped are "global" I could understand why a stack might make
the choice to not do this, as the address may be considered attached
to the "system" rather than the interface.  However, for separating
networks at a basic level this isn't appropriate.  I realise that pf
is an option in this case, but arguably it's an option in ipv4 too –
so why default ipv4 to the strong model?

Also of note, the KAME code in NetBSD references a sysctl
"net.inet6.ip6.sourcecheck" which is never used, but seems to indicate
an intention to implement something like this.  Was the intention to
implement the strong model for ingress IPv6 traffic with this switch?

This patch attempts to implement the strong model using the same
sysctl as in NetBSD; note that multicast listeners already handle
which interface they arrive at.  There's some thought that probably
needs to go into using it in combination with ip_forwarding and other
sysctls, but it wasn't too difficult given the interface address list
is already traversed upfront before the routeing table lookup.  Does
anybody know why this is?  Was something else intended here?

I've hammered my code with isic6/tcpsic6/udpsic6 for a few hours with
and without listening sockets and nothing caught fire.  I haven't
tried using TAHI yet, although given my rig it's a bit more complicated
to set up.

Any guidance is greatly appreciated.

--
This patch is on release 8.2, although if necessary I can port it up
if this is unacceptably old now :).  It implements the
"net.inet6.ip6.sourcecheck" sysctl which when set to 1 will drop
packets if they're not for addresses configured on the interface on
which they arrived.  This is intended to implement RFC 1122's "Strong
end system model" for IPv6.
--

diff -r 8b21c9a98cbd src/sys/netinet6/ip6_input.c
--- a/src/sys/netinet6/ip6_input.c      Mon Apr 02 14:15:19 2012 +0100
+++ b/src/sys/netinet6/ip6_input.c      Tue May 01 14:32:30 2012 +0100
@@ -80,6 +80,7 @@
#include <sys/time.h>
#include <sys/kernel.h>
#include <sys/syslog.h>
+#include <sys/sysctl.h>

 #include <net/if.h>
#include <net/if_types.h>
@@ -125,6 +126,11 @@
        .nh_policy =3D NETISR_POLICY_FLOW, };

+/* Take this variable name from NetBSD, but exposing it as a sysctl */
+static unsigned ip6_sourcecheck =3D 0; SYSCTL_DECL(_net_inet6);
+SYSCTL_UINT(_net_inet6, OID_AUTO, sourcecheck, CTLFLAG_RW,
+&ip6_sourcecheck, 0, "Check packets destination address is configured
+on the incoming interface RFC1122");
+
VNET_DECLARE(struct callout, in6_tmpaddrtimer_ch);
#define        V_in6_tmpaddrtimer_ch           VNET(in6_tmpaddrtimer_ch)

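Review bot: the knob is registered as `SYSCTL_UINT(_net_inet6, OID_AUTO, sourcecheck, ...)`, which yields net.inet6.sourcecheck rather than the net.inet6.ip6.sourcecheck name the cover text and NetBSD use; if the name is meant to match, declare `SYSCTL_DECL(_net_inet6_ip6)` and hang it off that node. In the same hunk the description string is broken across two source lines, which will not compile unless that is mail wrapping, and `ip6_sourcecheck` is a plain global while the neighbouring `in6_tmpaddrtimer_ch` is VNET_DECLARE'd, so under VIMAGE every vnet shares one setting; a per-vnet variable with the SYSCTL_VNET_* macros and a `V_` accessor would be consistent with the surrounding code. Minor: put `SYSCTL_DECL` on its own line, and the description should read "packet's destination address".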
@@ -599,6 +605,10 @@
        if (lle !=3D NULL)
                LLE_RUNLOCK(lle);

+       /*XXX AlexY if ip6_sourcecheck is set we immediately assume it's ba=
d*/
+       if (0 !=3D ip6_sourcecheck)
+               goto bad;
+
        dst =3D &rin6.ro_dst;
        dst->sin6_len =3D sizeof(struct sockaddr_in6);
        dst->sin6_family =3D AF_INET6;
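Review bot: the new `goto bad` runs before `dst = &rin6.ro_dst;`, i.e. before the routing lookup and therefore before any forwarding decision, so with ip6_sourcecheck=1 a router drops every transit packet, not only packets for local addresses on a different interface; gate the check on forwarding being disabled, or move it to the branch where the destination has been resolved to a local address that is not on rcvif. The drop also increments no counter and leaves no trace, which will make a misconfigured strong-model host hard to diagnose; count it in ip6stat alongside the other drops. Style: `if (0 != ip6_sourcecheck)` should read `if (ip6_sourcecheck != 0)`, and the `XXX AlexY` comment should describe the condition being enforced (destination not configured on the arrival interface) rather than who wrote it.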

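As an added illustration (not the author's patch or FreeBSD kernel code), the following userland C model walks a destination address through the decision order the mail describes: address configured on the arrival interface, the proposed net.inet6.ip6.sourcecheck drop, the host-wide weak-model check, then forwarding. The interface table, interface names and function names are constructed for the example; it also makes visible that placing the drop before the routing lookup discards transit traffic even when forwarding is enabled.

```c
/* Userland model of the unicast receive decision the mail describes: the
 * per-interface address check, then the proposed ip6_sourcecheck drop, then
 * the host-wide (weak model) check and forwarding.  Constructed example. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
enum verdict { DELIVER, FORWARD, DROP };
struct ifaddr6 { const char *ifname; const char *addr; };
/* Constructed two-interface host: em0 on 2001:db8:1::/64, em1 on 2001:db8:2::/64. */
static const struct ifaddr6 sample_ifaddrs[] = {
    { "em0", "2001:db8:1::1" }, { "em0", "fe80::1" },
    { "em1", "2001:db8:2::1" }, { "em1", "fe80::2" },
};
#define SAMPLE_N (sizeof sample_ifaddrs / sizeof sample_ifaddrs[0])

/* Is dst configured on interface ifname (NULL = any interface of the host)? */
static int addr_configured(const struct ifaddr6 *tab, size_t n,
                           const char *ifname, const struct in6_addr *dst)
{
    struct in6_addr a;
    for (size_t i = 0; i < n; i++) {
        if (ifname != NULL && strcmp(tab[i].ifname, ifname) != 0)
            continue;
        if (inet_pton(AF_INET6, tab[i].addr, &a) == 1 &&
            memcmp(&a, dst, sizeof a) == 0)
            return 1;
    }
    return 0;
}

/* rcvif is the arrival interface; sourcecheck/forwarding mirror the sysctls. */
enum verdict ip6_input_model(const struct ifaddr6 *tab, size_t n,
                             const char *rcvif, const char *dst_txt,
                             int sourcecheck, int forwarding)
{
    struct in6_addr dst;
    if (inet_pton(AF_INET6, dst_txt, &dst) != 1)
        return DROP;     /* unparsable destination */
    if (IN6_IS_ADDR_MULTICAST(&dst))
        return DELIVER;  /* listeners check the interface themselves */
    if (addr_configured(tab, n, rcvif, &dst))
        return DELIVER;  /* configured on the arrival interface: strong model */
    if (sourcecheck)
        return DROP;     /* the patch's drop: before routing, so transit too */
    if (addr_configured(tab, n, NULL, &dst))
        return DELIVER;  /* configured elsewhere on the host: weak model */
    return forwarding ? FORWARD : DROP;
}
```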


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAJW_4zDzstMswcKty-hWGYtkM2q_2HChn3FNyfBNokZe6rnKRA>