tech-net archive


Re: stf, security and NAT traversal



On Sun, Jan 20, 2008 at 03:45:43PM +0100, Rodolphe De Saint Leger wrote:
> On 1/20/08, Pavel Cahyna <pavel%netbsd.org@localhost> wrote:
> >
> > Can you please describe in more detail what it is supposed to do and how
> > the network setup looks like? What are the problems you are trying to
> > solve?
> >
> > Pavel
> >
> 
> Actually, the stf interface does not check for misc cases which should
> not come under normal conditions. I've added some tests to ensure that
> packets which try to abuse the 6to4 encapsulation get dropped before
> getting into the network. I tried to apply the security draft on 6to4.
> 
> My ISP gives me a box which handles the IPv4 NAT. This box doesn't know
> about 6to4 encapsulation but you can configure a 'dmz host'. This host
> will receive any incoming packet which does not belong to an existing
> NAT session. Let's say that my internal network is 192.168.7.0/24 and
> the NAT box has the internal address 192.168.7.1, the external address
> 82.67.230.130, and my 'dmz' NetBSD has the address 192.168.7.2.
> 
> Actually you can make stf work by using a bimap rule, an alias on
> lo0 and a trick in the routing table.
> 
> So with the actual stf implementation this gives:
> ifconfig stf0 create
> ifconfig stf0 inet6 2002:5243:e682::1 prefixlen 16
> ifconfig lo0 82.67.230.130 alias
> /sbin/route delete 82.67.230.130
> /sbin/route add 82.67.230.130 192.168.7.2
> 
> with the following bimap rule:
> bimap vlan1 82.67.230.130/32 -> 192.168.7.2/32 ipv6

I have been using that successfully for a long time, and I don't even need to
change the routing table. Why is it needed for you?

Pavel
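The 6to4-behind-NAT setup quoted above, as an added example that is not part of the thread and not NetBSD code: a POSIX shell script that derives the 2002::/16 prefix from the NAT box's external address (82.67.230.130 gives 2002:5243:e682::), refuses addresses that can never be a 6to4 endpoint (private, loopback, link-local, multicast), checks that a configured stf address really embeds the external address, and prints the ifconfig/route/bimap commands Rodolphe posted. The addresses and the stf0, lo0 and vlan1 names are the ones used in the thread; the two route commands are included because they are part of the quoted recipe, even though Pavel reports not needing them.

```sh
#!/bin/sh
# Added example (not NetBSD code, not from the thread): derive and check a
# 6to4 prefix for an stf interface behind a NAT box with a "dmz host".
# Addresses and interface names (82.67.230.130, 192.168.7.2, stf0, lo0,
# vlan1) are the ones quoted in the thread.

# sixto4_prefix ADDR -> prints the 6to4 prefix 2002:xxxx:xxxx:: for a
# dotted-quad IPv4 address; fails (status 1) when ADDR is malformed or is
# an address that can never be a 6to4 endpoint (the prefix embeds the
# public IPv4 address, so private, loopback, link-local and multicast
# ranges are refused).
sixto4_prefix() {
    # only digits and dots, no leading/trailing/doubled dots
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # digits only, no leading zeros (inet_pton rejects them too), <= 255
        case $o in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    a=$1; b=$2; c=$3; d=$4
    case "$a.$b" in
        0.*|10.*|127.*|169.254|192.168) return 1 ;;   # this-net, RFC1918, loopback, link-local
    esac
    if [ "$a" -ge 224 ]; then return 1; fi                # multicast and reserved
    if [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then return 1; fi
    printf '2002:%02x%02x:%02x%02x::\n' "$a" "$b" "$c" "$d"
}

# sixto4_embedded ADDR6 -> prints the IPv4 address embedded in a 2002::/16
# address (2002:5243:e682::1 -> 82.67.230.130); fails for anything else.
sixto4_embedded() {
    case $1 in 2002:*:*:*) ;; *) return 1 ;; esac
    h=${1#2002:}
    w1=${h%%:*}; rest=${h#*:}; w2=${rest%%:*}
    for w in "$w1" "$w2"; do
        # each of the two 16-bit groups: 1 to 4 hex digits
        case $w in ''|*[!0-9a-fA-F]*|?????*) return 1 ;; esac
    done
    v1=$((0x$w1)); v2=$((0x$w2))
    printf '%d.%d.%d.%d\n' $((v1 >> 8)) $((v1 & 255)) $((v2 >> 8)) $((v2 & 255))
}

# stf_check ADDR6 EXT_ADDR -> succeeds only if ADDR6 embeds EXT_ADDR, i.e.
# the stf address matches the address the NAT box presents to the outside.
stf_check() {
    emb=$(sixto4_embedded "$1") || return 1
    [ "$emb" = "$2" ]
}

# stf_setup EXT_ADDR DMZ_ADDR NAT_IF -> prints the commands quoted in the
# thread with the prefix derived from EXT_ADDR (nothing is executed).
stf_setup() {
    pfx=$(sixto4_prefix "$1") || { echo "$1 is not usable for 6to4" >&2; return 1; }
    cat <<EOF
ifconfig stf0 create
ifconfig stf0 inet6 ${pfx}1 prefixlen 16
ifconfig lo0 $1 alias
/sbin/route delete $1
/sbin/route add $1 $2
# ipnat rule for $3:
bimap $3 $1/32 -> $2/32 ipv6
EOF
}

# Run as: sh stf6to4.sh 82.67.230.130 192.168.7.2 vlan1
if [ $# -eq 3 ]; then stf_setup "$@"; fi
```

stf_check is the sanity check worth running before enabling the interface: the 6to4 prefix must embed exactly the address the NAT box uses on the outside, otherwise traffic from relays is addressed to some other host and never reaches the dmz NetBSD machine. Run the script with the three arguments to print the recipe; it executes nothing itself.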


