Re: stf, security and NAT traversal

To: tech-net%netbsd.org@localhost
Subject: Re: stf, security and NAT traversal
From: "Rodolphe De Saint Leger" <rdesaintleger%gmail.com@localhost>
Date: Sun, 20 Jan 2008 15:45:43 +0100

On 1/20/08, Pavel Cahyna <pavel%netbsd.org@localhost> wrote:
>
> Can you please describe in more detail what it is supposed to do and how
> the network setup looks like? What are the problems you are trying to
> solve?
>
> Pavel
>

Actually, the stf interface does not check for misc cases which should
not come under nomal conditions. I've added some tests to ensure that
packets which try to abuse the 6to4 encapsulation gets dropped before
getting into the network. I tried to apply the security draft on 6to4.

my isp gives me a box which handles the ipv4 nat. This box don't know
about 6to4 encapsulation but you can configure a 'dmz host'. This host
will receive any incoming packet wich does not belong to an existing
nat session. let's say that my internal network is 192.168.7.0/24 and
the nat box has the internal address 192.168.7.1, the external address
82.67.230.130, and my 'dmz' netbsd has the address 192.168.7.2.

Actually you can make stf working by using a bimap rule, an alias on
lo0 and a trick in the routing table.

so with the actual stf inplementation this gives:
ifconfig stf0 create
ifconfig stf0 inet6 2002:5243:e682::1 prefixlen 16
ifconfig lo0 82.67.230.130 alias
/sbin/route delete 82.67.230.130
/sbin/route add 82.67.230.130 192.168.7.2

with the following bimap rule:
bimap vlan1 82.67.230.130/32 -> 192.168.7.2/32 ipv6

The patch adds also the ability for stf to emit/receive packets
directly on a internal interface, instead of using other kernels
subsystems (ipnat). With the patch applied, you just do:
ifconfig stf0 create
ifconfig stf0 inet6 2002:5243:e682:c000::1 prefixlen 16

and the interface will activate a piece of code which controls the
internal address of your host. you won't have to touch your routing
table, you won't have to declare a new alias and you won't have to
activate ipnat.

-- 
int main(int c,char**v){int b,e=(c>>24)+6,g=c==1?1:e>>4;
char*d=c==1?"d3JpdGUgaW4gQw==":g==2?*v:v[c-1];b=c<<6|(*d
+(*d>96?-71:*d>58?-65:*d>47?4:*d>46?16:19));if(*d==61?0:
*d){if((e&=15)>7)putchar((b>>(e-=8))&255); d++;main(((e|
32)<<24)|(b&4095),&d);}return g<2&&c>2?main(--c,v):1;}

Follow-Ups:
- Re: stf, security and NAT traversal
  - From: Pavel Cahyna

References:
- stf, security and NAT traversal
  - From: Rodolphe De Saint Leger
- Re: stf, security and NAT traversal
  - From: Pavel Cahyna

Prev by Date: Re: stf, security and NAT traversal
Next by Date: Re: stf, security and NAT traversal
Previous by Thread: Re: stf, security and NAT traversal
Next by Thread: Re: stf, security and NAT traversal
Indexes:

Home | Main Index | Thread Index | Old Index