From owner-freebsd-bugs Sat Jun 10 10:50: 8 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 8553337BC94 for ; Sat, 10 Jun 2000 10:50:03 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id KAA22918; Sat, 10 Jun 2000 10:50:03 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: by hub.freebsd.org (Postfix, from userid 32767) id 6CCBA37BC45; Sat, 10 Jun 2000 10:43:42 -0700 (PDT)
Message-Id: <20000610174342.6CCBA37BC45@hub.freebsd.org>
Date: Sat, 10 Jun 2000 10:43:42 -0700 (PDT)
From: koji@jp.above.net
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: conf/19178: add reject routes and comments in /etc/rc.network6
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 19178
>Category: conf
>Synopsis: add reject routes and comments in /etc/rc.network6
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: wish
>Submitter-Id: current-users
>Arrival-Date: Sat Jun 10 10:50:03 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Koji Kondo
>Release: FreeBSD 4.0-STABLE
>Organization: AboveNet Japan
>Environment:
FreeBSD aluminum.jp.above.net 4.0-STABLE FreeBSD 4.0-STABLE #0: Fri Jun 9 13:25:01 JST 2000 koji@aluminum.jp.above.net:/usr/src/sys/compile/ALUMINUM i386
>Description:
We had better add reject routes and comments. We can see them from NetBSD, OpenBSD, and KAME.
>How-To-Repeat:
% diff -ur rc.network6.orig rc.network6
--- rc.network6.orig Sun Jun 11 01:25:28 2000
+++ rc.network6 Sun Jun 11 01:50:09 2000
@@ -41,8 +41,39 @@ # just to make sure ifconfig lo0 up - # disallow "internal" addresses to appear on the wire + # disallow site-local unicast dest without outgoing scope + # identifiers. + # If you configure site-locals without scope id (it is + # permissible config for routers that are not on scope + # boundary), you may want to comment the following one out. + # + route add -inet6 fec0:: -prefixlen 10 ::1 -reject + + # disallow "internal" addresses to appear on the wire. + # route add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject + + # disallow packets to malicious IPv4 compatible prefix + # + route add -inet6 ::224.0.0.0 -prefixlen 100 ::1 -reject + route add -inet6 ::127.0.0.0 -prefixlen 104 ::1 -reject + route add -inet6 ::0.0.0.0 -prefixlen 104 ::1 -reject + route add -inet6 ::255.0.0.0 -prefixlen 104 ::1 -reject + + # Completely disallow packets to IPv4 compatible prefix. + # This may conflict with RFC1933 under following circumstances: + # (1) An IPv6-only KAME node tries to originate packets to IPv4 + # comatible destination. The KAME node has no IPv4 + # compatible support. Under RFC1933, it should transmit + # native IPv6 packets toward IPv4 compatible destination, + # hoping it would reach a router that forwards the packet + # toward auto-tunnel interface. + # (2) An IPv6-only node originates a packet to IPv4 compatible + # destination. A KAME node is acting as an IPv6 router, and + # asked to forward it. + # Due to rare use of IPv4 compatible address, and security + # issues with it, we disable it by default. + # route add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject case ${ipv6_gateway_enable} in 
@@ -271,9 +302,10 @@ ifconfig stf0 inet6 2002:${ipv4_in_hexformat}:${stf_interface_ipv6_slaid:-0}:${stf_interface_ipv6_ifid} \ prefixlen ${stf_prefixlen} # disallow packets to malicious 6to4 prefix - route add -inet6 2002:7f00:0000:: -prefixlen 24 ::1 -reject - route add -inet6 2002:0000:0000:: -prefixlen 48 ::1 -reject - route add -inet6 2002:ffff:ffff:: -prefixlen 48 ::1 -reject + route add -inet6 2002:e000:: -prefixlen 20 ::1 -reject + route add -inet6 2002:7f00:: -prefixlen 24 ::1 -reject + route add -inet6 2002:0000:: -prefixlen 24 ::1 -reject + route add -inet6 2002:ff00:: -prefixlen 24 ::1 -reject ;; esac } >Fix: >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
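Review bot: In the first hunk (@@ -41,8 +41,39 @@) the comment block ends with "we disable it by default", but the route it refers to, `route add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject`, is added as a commented-out line, as is the `::ffff:0.0.0.0 -prefixlen 96` reject under "disallow internal addresses to appear on the wire"; either uncomment the route or reword the comment so the stated default matches what the script actually installs. Only the four narrower rejects (::224.0.0.0/100, ::127.0.0.0/104, ::0.0.0.0/104, ::255.0.0.0/104) and the fec0::/10 site-local reject are live. Minor: "comatible" in the RFC1933 comment should read "compatible".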
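Review bot: In the second hunk (@@ -271,9 +302,10 @@) the 6to4 reject list now embeds 0.0.0.0/8, 127.0.0.0/8, 255.0.0.0/8 and 224.0.0.0/4 (2002:0000::/24, 2002:7f00::/24, 2002:ff00::/24, 2002:e000::/20), which matches the IPv4-compatible set in the first hunk, but nothing documents that the two lists are meant to mirror each other; a one-line comment saying so, plus a note on what "malicious 6to4 prefix" is intended to cover (the loopback, unspecified, broadcast and multicast embedded IPv4 ranges, and nothing else), would make it easier to keep them in sync when one is changed. The widening of 2002:0000:0000::/48 and 2002:ffff:ffff::/48 to /24 is the right direction and should be called out in the commit message.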