Re: stf, security and NAT traversal
On Sun, Jan 20, 2008 at 03:45:43PM +0100, Rodolphe De Saint Leger wrote:
> On 1/20/08, Pavel Cahyna <pavel%netbsd.org@localhost> wrote:
> > Can you please describe in more detail what it is supposed to do and how
> > the network setup looks like? What are the problems you are trying to
> > solve?
> > Pavel
> Actually, the stf interface does not check for misc cases which should
> not come under normal conditions. I've added some tests to ensure that
> packets which try to abuse the 6to4 encapsulation get dropped before
> getting into the network. I tried to apply the security draft on 6to4.
> My ISP gives me a box which handles the IPv4 NAT. This box doesn't know
> about 6to4 encapsulation but you can configure a 'dmz host'. This host
> will receive any incoming packet which does not belong to an existing
> NAT session. Let's say that my internal network is 192.168.7.0/24 and
> the NAT box has the internal address 192.168.7.1, the external address
> 220.127.116.11, and my 'dmz' NetBSD has the address 192.168.7.2.
> Actually you can make stf work by using a bimap rule, an alias on
> lo0 and a trick in the routing table.
> So with the actual stf implementation this gives:
> ifconfig stf0 create
> ifconfig stf0 inet6 2002:5243:e682::1 prefixlen 16
> ifconfig lo0 18.104.22.168 alias
> /sbin/route delete 22.214.171.124
> /sbin/route add 126.96.36.199 192.168.7.2
> with the following bimap rule:
> bimap vlan1 188.8.131.52/32 -> 192.168.7.2/32 ipv6
I am using that successfully for a long time, and I don't even need to
change the routing table. Why is it needed for you?
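The quoted message leans on two facts that are easy to get wrong behind a NAT box: the stf0 address must embed the NAT's external IPv4 address, not the private one, and a 6to4 router should drop encapsulated packets whose inner 2002:: source does not embed the outer IPv4 source, or embeds an address that can never be a legitimate 6to4 endpoint. The POSIX sh functions below are an added example, written for this page and not taken from the thread or from NetBSD's stf(4); they derive the 2002::/16 prefix from an IPv4 address, recover the embedded IPv4 address from a 6to4 address, and apply the embedded-address checks from the 6to4 security draft (RFC 3964). The address 2002:5243:e682::1 and the internal address 192.168.7.2 come from the post; 82.67.230.130 is simply what that prefix decodes to, and the remaining addresses are constructed for the example.

```sh
#!/bin/sh
# Added example: 6to4 prefix derivation and the RFC 3964 source checks.
# Not from the thread or from NetBSD's stf(4); all helper names are ours.

# Return 0 if $1 is a canonical dotted-quad IPv4 address (no leading zeros,
# no empty octets, every octet 0..255), 1 otherwise.
v4_valid() {
    case $1 in ''|.*|*.|*..*) return 1 ;; esac
    _oldifs=$IFS; IFS=.
    set -- $1
    IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in
            [0-9]|[1-9][0-9]|[1-9][0-9][0-9]) [ "$_o" -le 255 ] || return 1 ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print the RFC 3056 prefix 2002:XXXX:YYYY:: for an IPv4 address, i.e. the
# value to put in "ifconfig stf0 inet6 ... prefixlen 16" for that address.
sixtofour_prefix() {
    v4_valid "$1" || return 1
    _oldifs=$IFS; IFS=.
    set -- $1
    IFS=$_oldifs
    printf '2002:%02x%02x:%02x%02x::\n' "$1" "$2" "$3" "$4"
}

# Print the IPv4 address embedded in a 6to4 address. Returns 1 unless $1 is
# in 2002::/16 with an explicit (non-"::") second and third hextet; the
# rest of the address is irrelevant to the embedded IPv4 address.
sixtofour_embedded_v4() {
    _oldifs=$IFS; IFS=:
    set -- $1
    IFS=$_oldifs
    [ "$1" = 2002 ] || return 1
    for _h in "$2" "$3"; do
        case $_h in ''|*[!0-9a-fA-F]*) return 1 ;; esac
        [ ${#_h} -le 4 ] || return 1
    done
    _hi=$((0x$2)); _lo=$((0x$3))
    echo "$((_hi >> 8)).$((_hi & 255)).$((_lo >> 8)).$((_lo & 255))"
}

# Return 0 if $1 may be the IPv4 endpoint of a 6to4 address, 1 (with the
# reason on stdout) if it falls in a range RFC 3964 says must never appear
# as an embedded or outer 6to4 address.
sixtofour_v4_ok() {
    v4_valid "$1" || { echo "malformed"; return 1; }
    case $1 in
        0.*)                                   echo "0.0.0.0/8" ;;
        10.*)                                  echo "RFC 1918 10/8" ;;
        127.*)                                 echo "loopback 127/8" ;;
        169.254.*)                             echo "link-local 169.254/16" ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo "RFC 1918 172.16/12" ;;
        192.168.*)                             echo "RFC 1918 192.168/16" ;;
        192.0.2.*)                             echo "TEST-NET 192.0.2/24" ;;
        22[4-9].*|23[0-9].*)                   echo "multicast 224/4" ;;
        24[0-9].*|25[0-5].*)                   echo "reserved 240/4, broadcast" ;;
        *) return 0 ;;
    esac
    return 1
}

# Decide whether an encapsulated packet with outer IPv4 source $1 and inner
# IPv6 source $2 should be accepted. The outer source must pass
# sixtofour_v4_ok, and an inner 2002:: source must embed exactly that outer
# address. Inner sources outside 2002::/16 (traffic via a relay) are passed
# through here; this example implements only the embedded-address check.
sixtofour_accept() {
    _outer=$1; _inner=$2
    sixtofour_v4_ok "$_outer" >/dev/null || return 1
    case $_inner in 2002:*) ;; *) return 0 ;; esac
    _emb=$(sixtofour_embedded_v4 "$_inner") || return 1
    [ "$_emb" = "$_outer" ]
}

# Demonstration on the addresses from the post.
if _p=$(sixtofour_prefix 82.67.230.130); then
    echo "stf0 prefix for external address 82.67.230.130: $_p"
fi
# A host that derives its prefix from its private address gets rejected.
if ! sixtofour_accept 82.67.230.130 2002:c0a8:702::1; then
    echo "2002:c0a8:702::1 embeds $(sixtofour_embedded_v4 2002:c0a8:702::1): dropped"
fi
```

The third function is the reason the NAT setup in the post needs the external address in stf0: a packet from 192.168.7.2 that carried 2002:c0a8:702::1 as its inner source would be dropped by any peer applying these checks, so the host must configure 2002:5243:e682::1 and let the bimap rule rewrite the outer IPv4 header.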