Date: Sat, 10 Jun 2000 10:43:42 -0700 (PDT) From: koji@jp.above.net To: freebsd-gnats-submit@FreeBSD.org Subject: conf/19178: add reject routes and comments in /etc/rc.network6 Message-ID: <20000610174342.6CCBA37BC45@hub.freebsd.org>
>Number: 19178
>Category: conf
>Synopsis: add reject routes and comments in /etc/rc.network6
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: wish
>Submitter-Id: current-users
>Arrival-Date: Sat Jun 10 10:50:03 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Koji Kondo
>Release: FreeBSD 4.0-STABLE
>Organization:
AboveNet Japan
>Environment:
FreeBSD aluminum.jp.above.net 4.0-STABLE FreeBSD 4.0-STABLE #0: Fri Jun 9 13:25:01 JST 2000 koji@aluminum.jp.above.net:/usr/src/sys/compile/ALUMINUM i386
>Description:
We had better add reject routes and comments.
We can see them in NetBSD, OpenBSD, and KAME.
>How-To-Repeat:
% diff -ur rc.network6.orig rc.network6
--- rc.network6.orig Sun Jun 11 01:25:28 2000
+++ rc.network6 Sun Jun 11 01:50:09 2000
@@ -41,8 +41,39 @@
# just to make sure
ifconfig lo0 up
- # disallow "internal" addresses to appear on the wire
+ # disallow site-local unicast dest without outgoing scope
+ # identifiers.
+ # If you configure site-locals without scope id (it is
+ # permissible config for routers that are not on scope
+ # boundary), you may want to comment the following one out.
+ #
+ route add -inet6 fec0:: -prefixlen 10 ::1 -reject
+
+ # disallow "internal" addresses to appear on the wire.
+ #
route add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject
+
+ # disallow packets to malicious IPv4 compatible prefix
+ #
+ route add -inet6 ::224.0.0.0 -prefixlen 100 ::1 -reject
+ route add -inet6 ::127.0.0.0 -prefixlen 104 ::1 -reject
+ route add -inet6 ::0.0.0.0 -prefixlen 104 ::1 -reject
+ route add -inet6 ::255.0.0.0 -prefixlen 104 ::1 -reject
+
+ # Completely disallow packets to IPv4 compatible prefix.
+ # This may conflict with RFC1933 under following circumstances:
+ # (1) An IPv6-only KAME node tries to originate packets to IPv4
+ # comatible destination. The KAME node has no IPv4
+ # compatible support. Under RFC1933, it should transmit
+ # native IPv6 packets toward IPv4 compatible destination,
+ # hoping it would reach a router that forwards the packet
+ # toward auto-tunnel interface.
+ # (2) An IPv6-only node originates a packet to IPv4 compatible
+ # destination. A KAME node is acting as an IPv6 router, and
+ # asked to forward it.
+ # Due to rare use of IPv4 compatible address, and security
+ # issues with it, we disable it by default.
+ #
route add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject
case ${ipv6_gateway_enable} in
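Review bot: in the "malicious IPv4 compatible prefix" block, `route add -inet6 ::0.0.0.0 -prefixlen 104 ::1 -reject` (and likewise the ::127.0.0.0/104, ::224.0.0.0/100 and ::255.0.0.0/104 entries) is a strict subset of the `::0.0.0.0 -prefixlen 96` reject installed unconditionally at the end of this hunk, so those four routes only ever match if an administrator comments the /96 line out; either state that in the comment above them ("only meaningful if the ::/96 reject below is disabled") or drop them. Since the fec0::/10 comment already tells operators of routers that are not on a scope boundary to hand-edit rc.network6, consider gating both the site-local reject and the ::/96 reject on rc.conf variables instead of asking people to edit the script. Minor: "comatible" in the RFC1933 comment should read "compatible".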
@@ -271,9 +302,10 @@
ifconfig stf0 inet6 2002:${ipv4_in_hexformat}:${stf_interface_ipv6_slaid:-0}:${stf_interface_ipv6_ifid} \
prefixlen ${stf_prefixlen}
# disallow packets to malicious 6to4 prefix
- route add -inet6 2002:7f00:0000:: -prefixlen 24 ::1 -reject
- route add -inet6 2002:0000:0000:: -prefixlen 48 ::1 -reject
- route add -inet6 2002:ffff:ffff:: -prefixlen 48 ::1 -reject
+ route add -inet6 2002:e000:: -prefixlen 20 ::1 -reject
+ route add -inet6 2002:7f00:: -prefixlen 24 ::1 -reject
+ route add -inet6 2002:0000:: -prefixlen 24 ::1 -reject
+ route add -inet6 2002:ff00:: -prefixlen 24 ::1 -reject
;;
esac
}
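Review bot: the new `route add -inet6 2002:e000:: -prefixlen 20 ::1 -reject` covers only 224.0.0.0/4 (embedded IPv4 bits 1110), so the reserved 240.0.0.0/4 block still passes through stf0 except for 255.0.0.0/8, which `2002:ff00:: -prefixlen 24` catches. That mirrors the `::224.0.0.0 -prefixlen 100` entry in the IPv4-compatible list above, so it may be deliberate, but if the intent is to reject every non-routable embedded IPv4 address, a single `route add -inet6 2002:e000:: -prefixlen 19 ::1 -reject` covers 224.0.0.0/3 and subsumes both the /20 and the 255/8 line. Also worth a line in the comment: the old /48 entries for 0.0.0.0 and 255.255.255.255 are widened here to whole /8s (`2002:0000:: -prefixlen 24`, `2002:ff00:: -prefixlen 24`), and neither list rejects RFC 1918 space, which is equally unreachable as a 6to4 relay target; if that omission is intentional, say so.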
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000610174342.6CCBA37BC45>
