tech-net archive


Re: stf, security and NAT traversal

On Sun, Jan 20, 2008 at 03:45:43PM +0100, Rodolphe De Saint Leger wrote:
> On 1/20/08, Pavel Cahyna <> wrote:
> >
> > Can you please describe in more detail what it is supposed to do and what
> > the network setup looks like? What are the problems you are trying to
> > solve?
> >
> > Pavel
> >
> Actually, the stf interface does not check for misc cases which should
> not come up under normal conditions. I've added some tests to ensure that
> packets which try to abuse the 6to4 encapsulation get dropped before
> getting into the network. I tried to apply the security draft on 6to4.
> My ISP gives me a box which handles the IPv4 NAT. This box doesn't know
> about 6to4 encapsulation, but you can configure a 'dmz host'. This host
> will receive any incoming packet which does not belong to an existing
> NAT session. Let's say that my internal network is and
> the NAT box has the internal address, the external address
>, and my 'dmz' NetBSD has the address
> Actually you can make stf work by using a bimap rule, an alias on
> lo0 and a trick in the routing table.
> So with the actual stf implementation this gives:
> ifconfig stf0 create
> ifconfig stf0 inet6 2002:5243:e682::1 prefixlen 16
> ifconfig lo0 alias
> /sbin/route delete
> /sbin/route add
> with the following bimap rule:
> bimap vlan1 -> ipv6

I have been using that successfully for a long time, and I don't even need to
change the routing table. Why is it needed for you?
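The message quoted above talks about dropping packets that abuse the 6to4 encapsulation, in the spirit of the 6to4 security draft (later RFC 3964). Here is an added illustration of the ingress checks such a decapsulator can apply to a protocol-41 packet: the inner destination must fall inside the site's own 2002::/48, a 2002::/16 inner source must embed the real outer IPv4 source and that address must be a public unicast one, and a native (non-2002::/16) inner source is only accepted from a configured relay. This is example code written for this thread, not NetBSD's stf(4) code or Rodolphe's patch. The site prefix 2002:5243:e682::/48 comes from the message (it embeds 82.67.230.130); the DMZ host's private address 192.168.1.10, the relay address 192.88.99.1, and the peer addresses in the demo are constructed assumptions. Because the NAT box rewrites the outer destination to the DMZ host's private address, the private-range test is applied to the outer source only, while the inner destination is still checked against the public address (which is why the lo0 alias in the setup is needed).

```python
"""Ingress checks for 6to4 (protocol 41) packets, after RFC 3964.

Added example for the thread above; not stf(4) code. Addresses other than
the 2002:5243:e682::/48 site prefix are constructed.
"""
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")
# Assumed: the only relay from which native (non-2002::/16) inner sources are accepted.
RELAY_V4 = ipaddress.IPv4Address("192.88.99.1")


def sixto4_prefix(v4):
    """2002:VVVV:WWWW::/48 for the IPv4 address V.V.W.W (RFC 3056)."""
    a = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Network("2002:%04x:%04x::/48" % (a >> 16, a & 0xFFFF))


def embedded_v4(v6):
    """IPv4 address carried in bits 16..47 of a 2002::/16 address, else None."""
    a = ipaddress.IPv6Address(v6)
    if a not in SIXTOFOUR:
        return None
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


def v4_problem(a, allow_private=False):
    """Reason an IPv4 address must not be a 6to4 tunnel endpoint, or None."""
    if a in ipaddress.IPv4Network("0.0.0.0/8"):
        return "this-network/unspecified"
    if a.is_loopback:
        return "loopback"
    if a.is_multicast:
        return "multicast"
    if a in ipaddress.IPv4Network("240.0.0.0/4"):
        return "reserved/broadcast"
    if a.is_link_local:
        return "link-local"
    if not allow_private and a.is_private:
        return "private"
    return None


def check_6to4_packet(outer_src, outer_dst, inner_src, inner_dst, site_v4, relay=RELAY_V4):
    """Return (accept, reason) for one encapsulated packet.

    site_v4 is the public IPv4 address of our 6to4 site.  Behind a NAT with a
    DMZ host, outer_dst is the host's private address, so private ranges are
    rejected for the outer source only.
    """
    osrc, odst = ipaddress.IPv4Address(outer_src), ipaddress.IPv4Address(outer_dst)
    isrc, idst = ipaddress.IPv6Address(inner_src), ipaddress.IPv6Address(inner_dst)
    me = ipaddress.IPv4Address(site_v4)

    p = v4_problem(osrc)
    if p:
        return False, "outer src %s is %s" % (osrc, p)
    p = v4_problem(odst, allow_private=True)
    if p:
        return False, "outer dst %s is %s" % (odst, p)

    # The inner destination must lie inside our own 2002::/48.
    if embedded_v4(idst) != me:
        return False, "inner dst %s is not in %s" % (idst, sixto4_prefix(me))

    # Special-purpose inner sources never belong in a 6to4 tunnel.
    if isrc.is_multicast or isrc.is_link_local or isrc.is_loopback or isrc.is_unspecified:
        return False, "inner src %s is not a global unicast address" % isrc

    emb = embedded_v4(isrc)
    if emb is not None:
        # A 6to4 source must embed the IPv4 address that really sent the packet
        # (the outer-source test above already forced that address to be public).
        if emb != osrc:
            return False, "inner src %s embeds %s but outer src is %s" % (isrc, emb, osrc)
    elif osrc != relay:
        # Native IPv6 sources may only come in through the configured relay.
        return False, "native inner src %s from %s, not relay %s" % (isrc, osrc, relay)
    return True, "ok"


def demo():
    """Constructed packets as seen by the DMZ host (public 82.67.230.130,
    assumed private address 192.168.1.10).  Returns the accept decisions."""
    site, dmz, ours = "82.67.230.130", "192.168.1.10", "2002:5243:e682::1"
    packets = [
        ("81.2.69.142", "2002:5102:458e::1"),  # honest 6to4 peer          -> accept
        ("81.2.69.143", "2002:5102:458e::1"),  # embedded v4 != outer src  -> drop
        ("192.168.1.1", "2002:c0a8:101::1"),   # private tunnel endpoint   -> drop
        ("192.88.99.1", "2001:db8::1"),        # native src via the relay  -> accept
        ("81.2.69.142", "2001:db8::1"),        # native src from non-relay -> drop
        ("81.2.69.142", "fe80::1"),            # link-local inner src      -> drop
    ]
    return [check_6to4_packet(osrc, dmz, isrc, ours, site)[0] for osrc, isrc in packets]


if __name__ == "__main__":
    for verdict in demo():
        print("accept" if verdict else "drop")
```

The spoofing case (second packet) is the one a plain 6to4 decapsulator misses: without comparing the embedded address against the outer source, anyone able to send protocol-41 packets to the DMZ host can inject IPv6 traffic that appears to come from an arbitrary 6to4 site.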

