Subject: kern/22792: gif IPv6-over-IPv4 tunnel diverts packets to other interfaces
To: None <gnats-bugs@gnats.netbsd.org>
From: None <mlelstv@serpens.de>
List: netbsd-bugs
Date: 09/14/2003 20:23:12
>Number:         22792
>Category:       kern
>Synopsis:       A gif IPv6-over-IPv4 tunnel diverts packets to other interfaces
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Sep 14 18:24:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator:     Michael van Elst
>Release:        NetBSD 1.6.1_STABLE
>Organization:
-- 
                                Michael van Elst
Internet: mlelstv@serpens.de
                                "A potential Snark may lurk in every tree."
>Environment:
	
	
System: NetBSD fud 1.6.1_STABLE NetBSD 1.6.1_STABLE (FUD) #1: Thu Sep 11 17:55:07 MEST 2003     src@fud:/d/0/src/sys/arch/i386/compile/FUD i386
Architecture: i386
Machine: i386
>Description:
fud is an i386 machine running 1.6.1_STABLE.

It is running an encrypted tunnel to a remote network using vtund (from
pkgsrc) on the tun0 interface:

fud# ifconfig tun0
tun0: flags=51<UP,POINTOPOINT,RUNNING> mtu 1450
        inet 10.29.5.1 -> 10.29.5.2 netmask 0xffffffff

The remote network has IPv6 connectivity and a gif interface is used
to tunnel a /48 prefix to the local net:

fud# ifconfig gif0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 10.29.5.1 --> 10.29.5.2
        inet6 2001:650:403:77::1 -> 2001:650:403:77::2 prefixlen 126
        inet6 fe80::205:5dff:fede:99b5%gif0 -> :: prefixlen 64 scopeid 0xe

The gif tunnel is created in /etc/ifconfig.gif0:

fud# cat /etc/ifconfig.gif0
create
inet6 2001:650:403:77::1 2001:650:403:77::2 prefixlen 126
tunnel 10.29.5.1 10.29.5.2
up
!route add -inet6 default 2001:650:403:77::2

Whenever the tun0 interface cycles through down/up state (caused by
vtund reconnecting to the remote network) the gif0 tunnel fails permanently.

In that state the IP-Filter running on the uplink (pppoe0) interface
starts logging obscure packets:

Sep 14 16:39:39 fud ipmon[132]: 16:39:39.473800 pppoe0 @200:1 b fud-tun[10.29.5.1] -> serpens.local[10.29.5.2] PR ipv6 len 20 (100) OUT

which corresponds to a ping6 to www.kame.net. Apparently the encapsulated IPv6
packet is no longer sent through tun0 but through pppoe0.

>How-To-Repeat:
See above.

>Fix:
You can completely remove the gif interface, recreate it and then
reload the IP filters.

ifconfig gif0 destroy
ifconfig gif0 create
ifconfig gif0 inet6 2001:650:403:77::1 2001:650:403:77::2 prefixlen 126
ifconfig gif0 tunnel 10.29.5.1 10.29.5.2
ifconfig gif0 up
route add -inet6 default 2001:650:403:77::2
/etc/rc.d/ipfilter reload


>Release-Note:
>Audit-Trail:
>Unformatted:
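
Added example, not part of the original report and not NetBSD project code: a log check for the failure described above, where gif-encapsulated packets between the tunnel endpoints show up on an interface other than the encrypted tun0 path. The function name, the sample lines (the first is the report's ipmon line, the other two are constructed) and the assumed ipmon field layout are illustrative.

```shell
#!/bin/sh
# Added example (not from the PR). Flags gif-encapsulated packets (IP protocol
# 41, which ipmon prints as "PR ipv6") between the tunnel endpoints that were
# logged on any interface other than the one expected to carry them.
# Assumes the ipmon line layout shown in the report:
#   <time> <if> @<rule> <action> <src> -> <dst> PR <proto> ...

# Usage: find_leaks EXPECTED_IF LOCAL_EP REMOTE_EP < logfile
# Prints "<time> <interface>" per leaked packet; returns 1 if any was found.
find_leaks() {
    awk -v want="$1" -v a="$2" -v b="$3" '
    # Strip an optional "name[addr]" wrapper and leave the bare address.
    function addr(f,    o, c) {
        o = index(f, "["); c = index(f, "]")
        return (o && c > o) ? substr(f, o + 1, c - o - 1) : f
    }
    {
        # Find the "->" separator; it needs 5 fields before and 3 after.
        for (i = 6; i <= NF; i++) if ($i == "->") break
        if (i > NF - 3) next
        if ($(i + 2) != "PR" || ($(i + 3) != "ipv6" && $(i + 3) != "41")) next
        s = addr($(i - 1)); d = addr($(i + 1))
        if (!((s == a && d == b) || (s == b && d == a))) next
        if ($(i - 4) != want) { print $(i - 5), $(i - 4); found = 1 }
    }
    END { exit (found ? 1 : 0) }'
}

# Sample input: line 1 is the ipmon entry from the report, lines 2-3 are constructed.
sample_log() {
    cat <<'EOF'
Sep 14 16:39:39 fud ipmon[132]: 16:39:39.473800 pppoe0 @200:1 b fud-tun[10.29.5.1] -> serpens.local[10.29.5.2] PR ipv6 len 20 (100) OUT
Sep 14 16:20:01 fud ipmon[132]: 16:20:01.100000 tun0 @200:1 p fud-tun[10.29.5.1] -> serpens.local[10.29.5.2] PR ipv6 len 20 (100) OUT
Sep 14 16:40:02 fud ipmon[132]: 16:40:02.200000 pppoe0 @200:3 p 192.0.2.10,1025 -> 198.51.100.7,80 PR tcp len 20 60 -S OUT
EOF
}
```

Run it against wherever syslog stores ipmon output, for example `find_leaks tun0 10.29.5.1 10.29.5.2 < /var/log/messages` (the log path is an assumption); a non-zero return means the workaround under Fix is needed.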