tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

stf, security and NAT traversal


I've worked on a path for the stf interface to add more security and
nat traversal fonctionnality.

the new security features should have no visible impact, to activate
nat traversal, configure your future 6to4 router as the dmz of your
ipv4 network, and put the bit 49 of your prefix to 1.

for example:
ifconfig stf0 inet6 2002:5243:e682:c000::1 prefixlen 16

it will activate this 6to4 prefix with nat traversal. To emit a
packet, stf will search for the route to and it will
take the outgoing local address as the ipv4 6to4 source.

Here is the link to the patch (and full file),

Also, here is a little changelog. I've made tests to ensure that
current behavior is not impacted, could anyone review my code ?

I've made the following changes in the code :
- The bit 49 of the stf alias activates nat traversal for this alias
(no impact on routed packets)
- if nat is activated, the ipv4 address used is the source address
used to contact the external nat address,
- sanity check for ipv4 header is now done only in encap_check(),
- stf_getsrcifa4() returns a interface address which either match an
ipv4 incoming header, a ipv4 incoming address matching the 6to4
prefix, or the default outgoing ipv4 address,
- stf_output() now checks for invalid 6to4 packets (in case of
misconfiguration, bad packets will be dropped before going on wire),
- ingress filter has been added to ipv6 packets (it is disabled when needed).

Bad packets cases for output are the following :
- sending a 6to4 without any 6to4 address,
- sending a packet to our prefix (happen if we have no route to a
subnetwork in our 6to4 prefix),
- sending a packet to multicast/link local/compat/mapped address

Bad packets cases for input are the following :
- receiving a packet without any 6to4 address,
- receiving a packet that we can't route to any native interface (avoid bounce),
- receiving a 6to4 packet with a 6to4 src not matching ipv4 src

And sorry for my bad English.


int main(int c,char**v){int b,e=(c>>24)+6,g=c==1?1:e>>4;
*d){if((e&=15)>7)putchar((b>>(e-=8))&255); d++;main(((e|
32)<<24)|(b&4095),&d);}return g<2&&c>2?main(--c,v):1;}

Home | Main Index | Thread Index | Old Index