Source-Changes-HG archive


[src/trunk]: src/etc/rc.d correct reject route installations for IPv6. impro...



details:   https://anonhg.NetBSD.org/src/rev/cc0e75fb2004
branches:  trunk
changeset: 483763:cc0e75fb2004
user:      itojun <itojun%NetBSD.org@localhost>
date:      Fri Mar 17 17:41:01 2000 +0000

description:
correct reject route installations for IPv6.  improve comments.

diffstat:

 etc/rc.d/network |  41 +++++++++++++++++++++++++++++++++++------
 1 files changed, 35 insertions(+), 6 deletions(-)

diffs (69 lines):

diff -r f0258604f752 -r cc0e75fb2004 etc/rc.d/network
--- a/etc/rc.d/network  Fri Mar 17 17:35:20 2000 +0000
+++ b/etc/rc.d/network  Fri Mar 17 17:41:01 2000 +0000
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $NetBSD: network,v 1.3 2000/03/12 04:21:26 itojun Exp $
+# $NetBSD: network,v 1.4 2000/03/17 17:41:01 itojun Exp $
 #
 
 # PROVIDE: network
@@ -186,23 +186,52 @@
        if ifconfig lo0 inet6 >/dev/null 2>&1; then
                # We have IPv6 support in kernel.
 
-               # disallow scoped unicast dest without outgoing scope
+               # disallow link-local unicast dest without outgoing scope
                # identifiers.
                #
                route add -inet6 fe80:: -prefixlen 10 ::1 -reject
-               route add -inet6 fc80:: -prefixlen 10 ::1 -reject
+
+               # disallow site-local unicast dest without outgoing scope
+               # identifiers.
+               # If you configure site-locals without scope id (it is
+               # permissible config for routers that are not on scope
+               # boundary), you may want to comment the following one out.
+               #
+               route add -inet6 fec0:: -prefixlen 10 ::1 -reject
 
                # disallow "internal" addresses to appear on the wire.
                #
                route add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject
-               route add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject
+
+               # disallow packets to malicious IPv4 compatible prefix
+               #
+               route add -inet6 ::224.0.0.0 -prefixlen 100 ::1 -reject
+               route add -inet6 ::127.0.0.0 -prefixlen 104 ::1 -reject
+               route add -inet6 ::0.0.0.0 -prefixlen 104 ::1 -reject
+               route add -inet6 ::255.0.0.0 -prefixlen 104 ::1 -reject
 
                # disallow packets to malicious 6to4 prefix
                #
                route add -inet6 2002:e000:: -prefixlen 20 ::1 -reject
                route add -inet6 2002:7f00:: -prefixlen 24 ::1 -reject
-               route add -inet6 2002:0000:0000:: -prefixlen 48 ::1 -reject
-               route add -inet6 2002:ffff:ffff:: -prefixlen 48 ::1 -reject
+               route add -inet6 2002:0000:: -prefixlen 24 ::1 -reject
+               route add -inet6 2002:ff00:: -prefixlen 24 ::1 -reject
+
+               # Completely disallow packets to IPv4 compatible prefix.
+               # This may conflict with RFC1933 under following circumstances:
+               # (1) An IPv6-only KAME node tries to originate packets to IPv4
+               #     comatible destination.  The KAME node has no IPv4
+               #     compatible support.  Under RFC1933, it should transmit
+               #     native IPv6 packets toward IPv4 compatible destination,
+               #     hoping it would reach a router that forwards the packet
+               #     toward auto-tunnel interface.
+               # (2) An IPv6-only node originates a packet to IPv4 compatible
+               #     destination.  A KAME node is acting as an IPv6 router, and
+               #     asked to forward it.
+               # Due to rare use of IPv4 compatible address, and security
+               # issues with it, we disable it by default.
+               #
+               route add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject
 
                sysctl -w net.inet6.ip6.forwarding=0 >/dev/null
                sysctl -w net.inet6.ip6.accept_rtadv=0 >/dev/null
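Review bot: the four new IPv4-compatible rejects (`::224.0.0.0 -prefixlen 100`, `::127.0.0.0 -prefixlen 104`, `::0.0.0.0 -prefixlen 104`, `::255.0.0.0 -prefixlen 104`) are entirely contained in the `route add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject` added at the end of the hunk, so as committed they only take effect if an administrator comments the /96 line out. A one-line comment saying that is why they are kept (the way the site-local block explains when to comment out the fec0::/10 reject) would stop a later reader from deleting them as dead. The long comment above the /96 route also has a typo: "comatible" should be "compatible". Unlike the two `sysctl -w` lines at the bottom of the hunk, none of the `route add` commands redirect output or check their exit status, so a reject route that fails to install is not reported at boot.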


