tech-net archive


stf, security and NAT traversal



Hi,

I've worked on a patch for the stf interface to add more security and
NAT traversal functionality.

The new security features should have no visible impact. To activate
NAT traversal, configure your future 6to4 router as the DMZ of your
IPv4 network, and set bit 49 of your prefix to 1.

For example:
ifconfig stf0 inet6 2002:5243:e682:c000::1 prefixlen 16

This will activate this 6to4 prefix with NAT traversal. To emit a
packet, stf will search for the route to 82.67.230.130 and take the
outgoing local address as the IPv4 6to4 source.

Here is the link to the patch (and full file),
http://shumira.roroland.net/20080119/patch.diff
http://shumira.roroland.net/20080119/if_stf.c

Also, here is a little changelog. I've made tests to ensure that the
current behaviour is not impacted; could anyone review my code?

I've made the following changes in the code:
- Bit 49 of the stf alias activates NAT traversal for this alias
(no impact on routed packets),
- if NAT is activated, the IPv4 address used is the source address
used to contact the external NAT address,
- the sanity check for the IPv4 header is now done only in encap_check(),
- stf_getsrcifa4() returns an interface address which either matches an
incoming IPv4 header, an incoming IPv4 address matching the 6to4
prefix, or the default outgoing IPv4 address,
- stf_output() now checks for invalid 6to4 packets (in case of
misconfiguration, bad packets will be dropped before going on the wire),
- an ingress filter has been added for IPv6 packets (it is disabled when needed).

Bad packet cases for output are the following:
- sending a 6to4 packet without any 6to4 address,
- sending a packet to our own prefix (happens if we have no route to a
subnetwork in our 6to4 prefix),
- sending a packet to a multicast/link-local/compat/mapped address.

Bad packet cases for input are the following:
- receiving a packet without any 6to4 address,
- receiving a packet that we can't route to any native interface (avoids bouncing),
- receiving a 6to4 packet whose 6to4 source does not match the IPv4 source.

And sorry for my bad English.

Regards,
Rodolphe

-- 
int main(int c,char**v){int b,e=(c>>24)+6,g=c==1?1:e>>4;
char*d=c==1?"d3JpdGUgaW4gQw==":g==2?*v:v[c-1];b=c<<6|(*d
+(*d>96?-71:*d>58?-65:*d>47?4:*d>46?16:19));if(*d==61?0:
*d){if((e&=15)>7)putchar((b>>(e-=8))&255); d++;main(((e|
32)<<24)|(b&4095),&d);}return g<2&&c>2?main(--c,v):1;}
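The following is an added example (written for this archive page, not code from Rodolphe's patch or from NetBSD's if_stf.c) that works through the address logic the mail describes: extracting the IPv4 address embedded in a 2002::/16 prefix (the mail's 2002:5243:e682:c000::1 embeds 82.67.230.130), reading the NAT-traversal bit, and applying the output and input "bad packet" checks from the changelog. It assumes that "bit 49" is counted from 0 at the most significant bit of the address (the 0x4000 bit of the fourth group; the mail's example ...:c000:: satisfies either counting convention), and it leaves out the two checks that need a routing table (relay selection for a non-6to4 destination, and the "no native route" input case). All addresses in main() are constructed test values.

```c
/* Added example: 6to4 address checks in the spirit of the stf patch. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

enum stf_verdict { STF_OK = 0, STF_NO_6TO4, STF_OWN_PREFIX, STF_BAD_SCOPE,
                   STF_SRC_MISMATCH, STF_PARSE_ERROR };

static int is_6to4(const struct in6_addr *a)
{
    return a->s6_addr[0] == 0x20 && a->s6_addr[1] == 0x02;
}

/* IPv4 address carried in bits 16..47 of a 2002::/16 address. */
static void embedded_v4(const struct in6_addr *a, struct in_addr *v4)
{
    memcpy(&v4->s_addr, &a->s6_addr[2], sizeof v4->s_addr);
}

/* Assumption: "bit 49" counts from 0 at the MSB, i.e. the 0x4000 bit of the
 * fourth group (0x40 of byte 6). The mail's ...:c000:: sets 0x8000 and 0x4000,
 * so it reads as "on" under either counting convention. */
int stf_nat_traversal(const struct in6_addr *a)
{
    return (a->s6_addr[6] & 0x40) != 0;
}

/* Addresses that must never be tunnelled: multicast, link-local,
 * IPv4-compatible (::a.b.c.d, which also catches :: and ::1), IPv4-mapped. */
static int bad_scope(const struct in6_addr *a)
{
    static const uint8_t zero12[12];
    static const uint8_t mapped12[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};
    if (a->s6_addr[0] == 0xff) return 1;
    if (a->s6_addr[0] == 0xfe && (a->s6_addr[1] & 0xc0) == 0x80) return 1;
    if (memcmp(a->s6_addr, zero12, 12) == 0) return 1;
    if (memcmp(a->s6_addr, mapped12, 12) == 0) return 1;
    return 0;
}

/* Output side. prefix is our own stf alias (only its /48 matters). A dst
 * outside 2002::/16 would go to a relay found by a route lookup, which is not
 * modelled here, so it passes with *outer_dst left untouched. */
enum stf_verdict stf_output_check(const struct in6_addr *src, const struct in6_addr *dst,
                                  const struct in6_addr *prefix, struct in_addr *outer_dst)
{
    if (!is_6to4(src) && !is_6to4(dst)) return STF_NO_6TO4;
    if (bad_scope(dst)) return STF_BAD_SCOPE;
    if (memcmp(dst->s6_addr, prefix->s6_addr, 6) == 0) return STF_OWN_PREFIX;
    if (is_6to4(dst)) embedded_v4(dst, outer_dst);
    return STF_OK;
}

/* Input side, after decapsulation: the inner 6to4 source must embed the outer
 * IPv4 source. The "no native route" case needs the routing table (not modelled). */
enum stf_verdict stf_input_check(struct in_addr outer_src, const struct in6_addr *src,
                                 const struct in6_addr *dst)
{
    struct in_addr emb;
    if (!is_6to4(src) && !is_6to4(dst)) return STF_NO_6TO4;
    if (bad_scope(src) || bad_scope(dst)) return STF_BAD_SCOPE;
    if (is_6to4(src)) {
        embedded_v4(src, &emb);
        if (emb.s_addr != outer_src.s_addr) return STF_SRC_MISMATCH;
    }
    return STF_OK;
}

/* Text front-ends so the checks can be driven with presentation-form addresses. */
enum stf_verdict stf_output_text(const char *src, const char *dst, const char *prefix,
                                 char *outer, size_t outerlen)
{
    struct in6_addr s, d, p; struct in_addr o = { 0 }; enum stf_verdict v;
    if (inet_pton(AF_INET6, src, &s) != 1 || inet_pton(AF_INET6, dst, &d) != 1 ||
        inet_pton(AF_INET6, prefix, &p) != 1) return STF_PARSE_ERROR;
    v = stf_output_check(&s, &d, &p, &o);
    if (v == STF_OK && outer && !inet_ntop(AF_INET, &o, outer, outerlen)) return STF_PARSE_ERROR;
    return v;
}

enum stf_verdict stf_input_text(const char *outer_src, const char *src, const char *dst)
{
    struct in6_addr s, d; struct in_addr o;
    if (inet_pton(AF_INET, outer_src, &o) != 1 || inet_pton(AF_INET6, src, &s) != 1 ||
        inet_pton(AF_INET6, dst, &d) != 1) return STF_PARSE_ERROR;
    return stf_input_check(o, &s, &d);
}

int stf_nat_traversal_text(const char *addr)
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, addr, &a) != 1) return -1;
    return stf_nat_traversal(&a);
}

int main(void)
{
    char outer[INET_ADDRSTRLEN];
    const char *me = "2002:5243:e682:c000::1";   /* the mail's example alias */
    printf("nat traversal on %s: %d\n", me, stf_nat_traversal_text(me));
    printf("to 2002:c000:0204::1 -> verdict %d, outer dst %s\n",
           stf_output_text(me, "2002:c000:0204::1", me, outer, sizeof outer), outer);
    printf("to own prefix -> verdict %d\n", stf_output_text(me, "2002:5243:e682:1::9", me, NULL, 0));
    printf("spoofed inner src -> verdict %d\n", stf_input_text("198.51.100.7", "2002:c000:0204::1", me));
    return 0;
}
```

The spoofed-source case is the one worth dwelling on: without the embedded-address comparison in stf_input_check(), anyone who can send IPv4 to the 6to4 host can inject IPv6 traffic that appears to come from an arbitrary 2002::/16 node, which is exactly what the mail's "6to4 src not matching ipv4 src" drop rule prevents.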


