Date: Wed, 2 May 2012 12:38:29 +0100
From: Alex Yong
To: freebsd-net@freebsd.org
Subject: [patch] Strong ES model in IPv6

Hi all,

I have some questions regarding accomplishing the strong model for ingress IPv6 traffic with FreeBSD, as implemented in ip6_input.c.

Does it make sense to have a strong ES model in IPv6 *at all*? I’ve yet to find any wording in the RFCs referring to this – although nothing explicitly disallowing it. Given that addresses that are globally scoped are “global” I could understand why a stack might make the choice to not do this, as the address may be considered attached to the “system” rather than the interface. However, for separating networks at a basic level this isn’t appropriate. I realise that pf is an option in this case, but arguably it’s an option in IPv4 too – so why default IPv4 to strong model?

Also of note, the KAME code in NetBSD references a sysctl “net.inet6.ip6.sourcecheck” which is never used, but seems to indicate an intention to implement something like this. Was the intention to implement the strong model for ingress IPv6 traffic with this switch?

This patch attempts to implement the strong model using the same sysctl as in NetBSD; note that multicast listeners already handle which interface they arrive at. There’s some thought that probably needs to go into using it in combination with ip_forwarding and other sysctls, but it wasn’t too difficult given the interface address list is already traversed upfront before the routeing table lookup. Does anybody know why this is, was something else intended here?
I’ve hammered my code with isic6/tcpsic6/udpsic6 for a few hours with and without listening sockets and nothing caught fire. I haven’t tried using TAHI yet, although given my rig it’s a bit more complicated to set up.

Any guidance is greatly appreciated.

--

This patch is on release 8.2, although if necessary I can port it up if this is unacceptably old now :). It implements the “net.inet6.ip6.sourcecheck” sysctl which when set to 1 will drop packets if they’re not for addresses configured on the interface on which they arrived. This is intended to implement RFC 1122’s “Strong end system model” for IPv6.

--

diff -r 8b21c9a98cbd src/sys/netinet6/ip6_input.c --- a/src/sys/netinet6/ip6_input.c Mon Apr 02 14:15:19 2012 +0100 +++ b/src/sys/netinet6/ip6_input.c Tue May 01 14:32:30 2012 +0100 @@ -80,6 +80,7 @@ #include #include #include +#include #include #include @@ -125,6 +126,11 @@ .nh_policy =3D NETISR_POLICY_FLOW, }; +/* Take this variable name from NetBSD, but exposing it as a sysctl */ +static unsigned ip6_sourcecheck =3D 0; SYSCTL_DECL(_net_inet6); +SYSCTL_UINT(_net_inet6, OID_AUTO, sourcecheck, CTLFLAG_RW, +&ip6_sourcecheck, 0, "Check packets destination address is configured +on the incoming interface RFC1122"); + VNET_DECLARE(struct callout, in6_tmpaddrtimer_ch); #define V_in6_tmpaddrtimer_ch VNET(in6_tmpaddrtimer_ch) @@ -599,6 +605,10 @@ if (lle !=3D NULL) LLE_RUNLOCK(lle); + /*XXX AlexY if ip6_sourcecheck is set we immediately assume it's ba= d*/ + if (0 !=3D ip6_sourcecheck) + goto bad; + dst =3D &rin6.ro_dst; dst->sin6_len =3D sizeof(struct sockaddr_in6); dst->sin6_family =3D AF_INET6;
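
Review bot: In the @@ -125,6 +126,11 @@ hunk, SYSCTL_UINT is given _net_inet6 as its parent, so the knob registers as net.inet6.sourcecheck rather than the net.inet6.ip6.sourcecheck the message describes and NetBSD names. Declare and use the ip6 node (_net_inet6_ip6) as the parent so the name matches. Two smaller points in the same hunk: ip6_sourcecheck is a plain static while the next context line uses VNET_DECLARE, so on a VIMAGE kernel one setting would apply to every network stack instance, and a per-vnet variable would be more consistent with the file. The description string says "destination address" while the knob is called sourcecheck, so a short comment explaining that the name is inherited and what is actually checked would save the next reader some confusion.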
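
Review bot: In the @@ -599,6 +605,10 @@ hunk, the added if tests only ip6_sourcecheck before goto bad, so once the knob is non-zero every packet that gets past the interface lookup (the LLE_RUNLOCK context above) is dropped before the rin6 route lookup that the following context lines set up. That includes transit traffic on a host that is forwarding, which the message itself flags as unresolved. Make the condition account for forwarding state, or document that the knob must not be enabled on a router. The drop is also silent: nothing in the added lines bumps a statistic before jumping to bad, so an operator has no way to see that this check is discarding traffic. Add a counter for this drop reason. The comment should lose the XXX AlexY tag and say which condition has already failed at this point instead of "assume it's bad".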