Re: Support for 240/4 and 0/8 addresses in NetBSD

To: Seth David Schoen <schoen%loyalty.org@localhost>
Subject: Re: Support for 240/4 and 0/8 addresses in NetBSD
From: Taylor R Campbell <campbell+netbsd-tech-net%mumble.net@localhost>
Date: Sat, 17 Jun 2023 10:15:06 +0000

The attached patch addresses the 240/4 question by:

1. removing the hard-coded logic in the kernel to refuse forwarding of
   packets to 240/4 addresses, and

2. creating a route on network start that blackholes it, like we
   already do for various IPv6 address ranges like 2001:db8::/32.

(Perhaps we should do the same for 192.0.2.0/24, 198.51.100.0/24, and
203.0.113.0/24 and anything else relevant I might have missed in
<https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml>.)

I think it's best to address the 240/4, 0/8, and 127/8 questions
separately, because they pose very different types of risks: both 0/8
and 127/8 have had semantics imbued on them by standards for years,
some of which are security-critical like applications relying on 127/8
packets never leaving the host.  In contrast, 240/4 has just been
reserved, from what I understand, and nobody has ever come up with a
special-purpose use for it.

No need for new sysctl knobs or extra complexity in the kernel -- if
the operator wants to change it to experiment with the allocation,
they can just delete the route in /etc/rc.local.

Objections?

Follow-Ups:
- Re: Support for 240/4 and 0/8 addresses in NetBSD
  - From: Seth David Schoen
- Re: Support for 240/4 and 0/8 addresses in NetBSD
  - From: Taylor R Campbell

References:
- Support for 240/4 and 0/8 addresses in NetBSD
  - From: Seth David Schoen

Prev by Date: Re: Support for 240/4 and 0/8 addresses in NetBSD
Next by Date: Re: Support for 240/4 and 0/8 addresses in NetBSD
Previous by Thread: Re: Support for 240/4 and 0/8 addresses in NetBSD
Next by Thread: Re: Support for 240/4 and 0/8 addresses in NetBSD
Indexes:

Home | Main Index | Thread Index | Old Index