From owner-freebsd-hackers@FreeBSD.ORG Sun Aug 5 17:23:10 2007
Date: Mon, 06 Aug 2007 02:22:50 +0900
From: Hajimu UMEMOTO <ume@mahoroba.org>
To: Lapo Luchini
Cc: freebsd-hackers@freebsd.org
Subject: Re: 6to4, stf and shoebox NAT routers
References: <4232198F.5030705@kfu.com>
X-Operating-System: FreeBSD 6.2-STABLE
Organization: Internet Mutual Aid Society, YOKOHAMA

Hi,

>>>>> On Fri, 03 Aug 2007 10:08:48 +0200
>>>>> Lapo Luchini said:

lapo> Hajimu UMEMOTO wrote:
> I posted my proposed patch to current@ for review in the past. But,
> no one responded. Could you test this? This is for 6-CURRENT at Feb 1.
> If it doesn't apply cleanly, please let me know.

lapo> It applied cleanly to 6.2-STABLE and seems to work perfectly... outbound
lapo> at least.
lapo> I have a box at home called cyberx which has static IPv4 but is NATted
lapo> (and is thus using your patch).
lapo> The other test box is a server called motoko which has static IPv4
lapo> assigned to one of its interfaces directly (no patches here).
lapo> The wl500g router correctly forwards the protocol 41 packets to cyberx.
lapo> Pinging from cyberx to motoko (and using tcpdump on both) I can see that:
lapo> a. cyberx is producing correct IPv4 packets that are from its local
lapo>    NATted address to the real motoko address, but containing an IPv6 packet
lapo>    that contains the '2002:'-encoding of both real IPv4 addresses
lapo> b. motoko is receiving the echo request correctly
lapo> c. motoko is sending the echo reply correctly
lapo> d. cyberx is receiving the echo reply encapsulated in IPv4 packets correctly
lapo> e. cyberx's stf0 interface IS NOT RECEIVING its IPv6 echo reply
lapo> f. the 'ping' command thinks that all packets are lost
lapo> Does your patch address incoming packets too?

Yes, it should address incoming packets.

lapo> Can I do some ipfw magic to convince stf to receive also incoming
lapo> packets with a mismatched IPv4-IPv6 address?

No, you shouldn't need any ipfw magic.
However, the NAT box has to forward the incoming tunneling packets to
your stf box correctly. I guess you do so.

How do you configure your stf interface? You need to assign a 6to4
address which is derived from the IPv4 global address assigned to the
NAT box. And you need to set net.link.stf.no_addr4check to 1. Is it
okay?

Sincerely,

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/
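The stf configuration the reply describes, as an added shell example that is not part of the thread or of FreeBSD itself: it derives the 6to4 prefix from the NAT box's global IPv4 address, refuses private or malformed addresses (a 6to4 prefix built from an RFC 1918 address is unroutable), and prints the stf0 commands plus the net.link.stf.no_addr4check sysctl named above. The IPv4 addresses in the comments and tests are constructed documentation-range values (192.0.2.0/24), not hosts from the thread.

```sh
#!/bin/sh
# Added example: derive the 6to4 (RFC 3056) prefix from the NAT box's global
# IPv4 address and print the stf0 setup described in the reply.

# Reject address blocks a 6to4 prefix must never be built from (RFC 1918
# private space, loopback, link-local) and anything that is not a dotted quad.
# Returns 0 when the address is usable.
is_global_ipv4() {
    case "$1" in
        10.*|127.*|192.168.*|169.254.*) return 1 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
    esac
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# 2002:VVWW:XXYY:: where VV.WW.XX.YY is the dotted quad written in hex,
# e.g. 192.0.2.33 -> 2002:c000:0221::
sixto4_prefix() {
    printf '%s\n' "$1" | awk -F. '{ printf "2002:%02x%02x:%02x%02x::\n", $1, $2, $3, $4 }'
}

# Print (do not run) the stf0 configuration for a host behind a NAT whose
# external address is $1. The host's own IPv4 is private, so the 6to4
# address carried in the tunnel will not match it; net.link.stf.no_addr4check=1
# is the knob the reply names for that case. Run the output as root.
stf_behind_nat() {
    is_global_ipv4 "$1" || { echo "error: $1 is not a global IPv4 address" >&2; return 1; }
    prefix=$(sixto4_prefix "$1")
    printf 'ifconfig stf0 create\n'
    printf 'ifconfig stf0 inet6 %s1 prefixlen 16\n' "$prefix"
    printf 'sysctl net.link.stf.no_addr4check=1\n'
}
```

The NAT box must still forward protocol 41 to the stf host, as the reply says; nothing here changes that.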