tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: stf, security and NAT traversal

In article 
Rodolphe De Saint Leger <> wrote:
>I've worked on a path for the stf interface to add more security and
>nat traversal fonctionnality.
>the new security features should have no visible impact, to activate
>nat traversal, configure your future 6to4 router as the dmz of your
>ipv4 network, and put the bit 49 of your prefix to 1.
>for example:
>ifconfig stf0 inet6 2002:5243:e682:c000::1 prefixlen 16
>it will activate this 6to4 prefix with nat traversal. To emit a
>packet, stf will search for the route to and it will
>take the outgoing local address as the ipv4 6to4 source.
>Here is the link to the patch (and full file),
>Also, here is a little changelog. I've made tests to ensure that
>current behavior is not impacted, could anyone review my code ?
>I've made the following changes in the code :
>- The bit 49 of the stf alias activates nat traversal for this alias
>(no impact on routed packets)
>- if nat is activated, the ipv4 address used is the source address
>used to contact the external nat address,
>- sanity check for ipv4 header is now done only in encap_check(),
>- stf_getsrcifa4() returns a interface address which either match an
>ipv4 incoming header, a ipv4 incoming address matching the 6to4
>prefix, or the default outgoing ipv4 address,
>- stf_output() now checks for invalid 6to4 packets (in case of
>misconfiguration, bad packets will be dropped before going on wire),
>- ingress filter has been added to ipv6 packets (it is disabled when needed).
>Bad packets cases for output are the following :
>- sending a 6to4 without any 6to4 address,
>- sending a packet to our prefix (happen if we have no route to a
>subnetwork in our 6to4 prefix),
>- sending a packet to multicast/link local/compat/mapped address
>Bad packets cases for input are the following :
>- receiving a packet without any 6to4 address,
>- receiving a packet that we can't route to any native interface (avoid 
>- receiving a 6to4 packet with a 6to4 src not matching ipv4 src
>And sorry for my bad English.

Can you send-pr this so that it does not get lost.


Home | Main Index | Thread Index | Old Index