tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: stf, security and NAT traversal

On 1/20/08, Pavel Cahyna <> wrote:
> Can you please describe in more detail what it is supposed to do and how
> the network setup looks like? What are the problems you are trying to
> solve?
> Pavel

Actually, the stf interface does not check for misc cases which should
not come under nomal conditions. I've added some tests to ensure that
packets which try to abuse the 6to4 encapsulation gets dropped before
getting into the network. I tried to apply the security draft on 6to4.

my isp gives me a box which handles the ipv4 nat. This box don't know
about 6to4 encapsulation but you can configure a 'dmz host'. This host
will receive any incoming packet wich does not belong to an existing
nat session. let's say that my internal network is and
the nat box has the internal address, the external address, and my 'dmz' netbsd has the address

Actually you can make stf working by using a bimap rule, an alias on
lo0 and a trick in the routing table.

so with the actual stf inplementation this gives:
ifconfig stf0 create
ifconfig stf0 inet6 2002:5243:e682::1 prefixlen 16
ifconfig lo0 alias
/sbin/route delete
/sbin/route add

with the following bimap rule:
bimap vlan1 -> ipv6

The patch adds also the ability for stf to emit/receive packets
directly on a internal interface, instead of using other kernels
subsystems (ipnat). With the patch applied, you just do:
ifconfig stf0 create
ifconfig stf0 inet6 2002:5243:e682:c000::1 prefixlen 16

and the interface will activate a piece of code which controls the
internal address of your host. you won't have to touch your routing
table, you won't have to declare a new alias and you won't have to
activate ipnat.

int main(int c,char**v){int b,e=(c>>24)+6,g=c==1?1:e>>4;
*d){if((e&=15)>7)putchar((b>>(e-=8))&255); d++;main(((e|
32)<<24)|(b&4095),&d);}return g<2&&c>2?main(--c,v):1;}

Home | Main Index | Thread Index | Old Index