tech-net archive


Re: stf, security and NAT traversal



In article 
<14c7875e0801191248u440e922bx37498734f1fd25a8%mail.gmail.com@localhost>,
Rodolphe De Saint Leger <rdesaintleger%gmail.com@localhost> wrote:
>Hi,
>
>I've worked on a patch for the stf interface to add more security and
>nat traversal functionality.
>
>The new security features should have no visible impact. To activate
>nat traversal, configure your future 6to4 router as the dmz of your
>ipv4 network, and set bit 49 of your prefix to 1.
>
>for example:
>ifconfig stf0 inet6 2002:5243:e682:c000::1 prefixlen 16
>
>This will activate this 6to4 prefix with nat traversal. To emit a
>packet, stf will search for the route to 82.67.230.130 and will
>take the outgoing local address as the ipv4 6to4 source.
>
>Here is the link to the patch (and full file),
>http://shumira.roroland.net/20080119/patch.diff
>http://shumira.roroland.net/20080119/if_stf.c
>
>Also, here is a little changelog. I've made tests to ensure that
>current behavior is not impacted; could anyone review my code?
>
>I've made the following changes in the code:
>- Bit 49 of the stf alias activates nat traversal for this alias
>(no impact on routed packets),
>- if nat is activated, the ipv4 address used is the source address
>used to contact the external nat address,
>- sanity check for ipv4 header is now done only in encap_check(),
>- stf_getsrcifa4() returns an interface address which matches either an
>incoming ipv4 header, an incoming ipv4 address matching the 6to4
>prefix, or the default outgoing ipv4 address,
>- stf_output() now checks for invalid 6to4 packets (in case of
>misconfiguration, bad packets will be dropped before going on wire),
>- an ingress filter has been added for ipv6 packets (it is disabled when needed).
>
>Bad packet cases for output are the following:
>- sending a 6to4 without any 6to4 address,
>- sending a packet to our prefix (happens if we have no route to a
>subnetwork in our 6to4 prefix),
>- sending a packet to multicast/link local/compat/mapped address
>
>Bad packet cases for input are the following:
>- receiving a packet without any 6to4 address,
>- receiving a packet that we can't route to any native interface (avoid 
>bounce),
>- receiving a 6to4 packet with a 6to4 src not matching ipv4 src
>
>And sorry for my bad English.
>
>Regards,
>Rodolphe

Can you send-pr this so that it does not get lost.

thanks,
christos
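The address rules in the quoted changelog, written out as an added example so they can be exercised on constructed addresses. This is not the NetBSD stf driver nor the patch linked in the post; it is a user-space model of the checks. Two assumptions are labelled in the code: "bit 49" is read as the top bit (0x8000) of the fourth 16-bit group, i.e. the first bit after the 48-bit 2002:IPv4 prefix (the post's example 2002:5243:e682:c000::1 sets that bit and embeds 82.67.230.130), and `route_lookup` is a stand-in for the kernel's route lookup that returns the local IPv4 address a route to the given destination would use.

```python
"""Model of the 6to4 (stf) input/output sanity checks described in the post.
Added example, not if_stf.c: the flag-bit encoding and route_lookup are assumptions."""
import ipaddress

IPv4 = ipaddress.IPv4Address
IPv6 = ipaddress.IPv6Address
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")
NAT_FLAG = 0x8000  # ASSUMED encoding of "bit 49": top bit of the 4th 16-bit group


def embedded_ipv4(addr):
    """IPv4 address carried in bits 16..47 of a 6to4 address, or None if not 6to4."""
    addr = IPv6(addr)
    return IPv4(addr.packed[2:6]) if addr in SIXTOFOUR else None


def nat_traversal_requested(alias):
    """True if the stf alias carries the (assumed) nat traversal flag bit."""
    group4 = int.from_bytes(IPv6(alias).packed[6:8], "big")
    return bool(group4 & NAT_FLAG)


def own_prefix(alias):
    """The 2002:IPv4::/48 prefix the alias belongs to."""
    return ipaddress.IPv6Network(f"{alias}/48", strict=False)


def is_bad_ipv6_destination(addr):
    """Destinations a 6to4 tunnel must never carry: multicast, link-local,
    IPv4-compatible (::a.b.c.d, excluding :: and ::1) and IPv4-mapped (::ffff:a.b.c.d)."""
    addr = IPv6(addr)
    compat = addr.packed[:12] == bytes(12) and int(addr) > 1
    return (addr.is_multicast or addr.is_link_local
            or addr.ipv4_mapped is not None or compat)


def check_output(src6, dst6, alias):
    """Checks before a packet goes on the wire via stf; returns (ok, reason)."""
    src6, dst6 = IPv6(src6), IPv6(dst6)
    if src6 not in SIXTOFOUR and dst6 not in SIXTOFOUR:
        return False, "no 6to4 address in src or dst"
    if dst6 in own_prefix(alias):
        return False, "destination inside our own 6to4 prefix (no route to that subnet)"
    if is_bad_ipv6_destination(dst6):
        return False, "multicast/link-local/compat/mapped destination"
    return True, "ok"


def check_input(outer_src4, src6, dst6, alias):
    """Checks on a decapsulated packet arriving via stf; returns (ok, reason).
    outer_src4 is the IPv4 source of the encapsulating header."""
    src6, dst6 = IPv6(src6), IPv6(dst6)
    if src6 not in SIXTOFOUR and dst6 not in SIXTOFOUR:
        return False, "no 6to4 address in src or dst"
    if src6 in SIXTOFOUR and embedded_ipv4(src6) != IPv4(outer_src4):
        return False, "6to4 src does not match outer ipv4 src"
    # A 6to4 destination outside our own prefix would be routed back out via stf:
    # the "bounce" case, since it cannot reach any native interface.
    if dst6 in SIXTOFOUR and dst6 not in own_prefix(alias):
        return False, "not routable to a native interface (would bounce)"
    return True, "ok"


def outer_ipv4_source(alias, route_lookup):
    """IPv4 source for the encapsulating header. Without the flag it is the address
    embedded in the alias; with it, the local address of the route towards the
    embedded (external nat) address, as the post describes for 82.67.230.130."""
    public = embedded_ipv4(alias)
    return route_lookup(public) if nat_traversal_requested(alias) else public


if __name__ == "__main__":
    alias = "2002:5243:e682:c000::1"  # alias from the post
    print(embedded_ipv4(alias), nat_traversal_requested(alias), own_prefix(alias))
    # Constructed: the route to the public address leaves via a private address.
    print(outer_ipv4_source(alias, lambda dst: IPv4("192.168.1.10")))
    print(check_output(alias, "2001:db8::1", alias))
    print(check_output(alias, "ff02::1", alias))
    # Constructed remote 6to4 site 198.51.100.7 -> 2002:c633:6407::/48
    print(check_input("198.51.100.7", "2002:c633:6407::1", alias, alias))
    print(check_input("203.0.113.9", "2002:c633:6407::1", alias, alias))
```

The input-side source check is the one with the most security value: a 6to4 source whose embedded IPv4 address differs from the outer IPv4 source is either spoofed or misconfigured, and dropping it at decapsulation keeps the tunnel from laundering such packets onto the native side.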



