Thread: Re: stf, security and NAT traversal

Re: stf, security and NAT traversal
2008-01-19 15:23:13
In article
<14c7875e0801191248u440e922bx37498734f1fd25a8@mail.gmail.com>,
Rodolphe De Saint Leger <rdesaintleger@gmail.com> wrote:
>Hi,
>
>I've worked on a patch for the stf interface to add more security and
>nat traversal functionality.
>
>The new security features should have no visible impact. To activate
>nat traversal, configure your future 6to4 router as the dmz of your
>ipv4 network, and put the bit 49 of your prefix to 1.
>
>For example:
>ifconfig stf0 inet6 2002:5243:e682:c000::1 prefixlen 16
>
>It will activate this 6to4 prefix with nat traversal. To emit a
>packet, stf will search for the route to 82.67.230.130 and it will
>take the outgoing local address as the ipv4 6to4 source.
>
>Here is the link to the patch (and full file),
>http://shumira.roroland.net/20080119/patch.diff
>http://shumira.roroland.net/20080119/if_stf.c
>
>Also, here is a little changelog. I've made tests to ensure that
>current behavior is not impacted, could anyone review my code?
>
>I've made the following changes in the code:
>- The bit 49 of the stf alias activates nat traversal for this alias
>(no impact on routed packets)
>- if nat is activated, the ipv4 address used is the source address
>used to contact the external nat address,
>- sanity check for ipv4 header is now done only in encap_check(),
>- stf_getsrcifa4() returns an interface address which either matches an
>ipv4 incoming header, an ipv4 incoming address matching the 6to4
>prefix, or the default outgoing ipv4 address,
>- stf_output() now checks for invalid 6to4 packets (in case of
>misconfiguration, bad packets will be dropped before going on wire),
>- ingress filter has been added to ipv6 packets (it is disabled when needed).
>
>Bad packets cases for output are the following:
>- sending a 6to4 without any 6to4 address,
>- sending a packet to our prefix (happens if we have no route to a
>subnetwork in our 6to4 prefix),
>- sending a packet to multicast/link local/compat/mapped address
>
>Bad packets cases for input are the following:
>- receiving a packet without any 6to4 address,
>- receiving a packet that we can't route to any native interface (avoid bounce),
>- receiving a 6to4 packet with a 6to4 src not matching ipv4 src
>
>And sorry for my bad English.
>
>Regards,
>Rodolphe

Can you send-pr this so that it does not get lost?

thanks,
christos
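As an added illustration (not code from Rodolphe's patch or from the if_stf.c linked above), the C below models the output and input drop cases listed in the changelog: a 6to4 address is recognised by its 2002::/16 prefix, the IPv4 address embedded in bits 16..47 is compared with the local (output) or outer (input) IPv4 source, and the address classes that must never be carried over 6to4 are rejected. Function and enum names are hypothetical; the sample addresses 2002:5243:e682:c000::1 and 82.67.230.130 are the ones from the mail, the others are constructed documentation addresses.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>   /* inet_pton(), ntohl() */
#include <netinet/in.h>  /* struct in6_addr, IN6_IS_ADDR_* macros */

enum verdict { OK = 0, DROP_NO_6TO4, DROP_OWN_PREFIX, DROP_BAD_DST, DROP_SRC_MISMATCH, DROP_PARSE };

/* Inside the 6to4 prefix 2002::/16 (RFC 3056)? */
static bool is_6to4(const struct in6_addr *a)
{
    return a->s6_addr[0] == 0x20 && a->s6_addr[1] == 0x02;
}

/* IPv4 address embedded in bits 16..47 of a 6to4 address, host order. */
static uint32_t embedded_v4(const struct in6_addr *a)
{
    uint32_t v4;
    memcpy(&v4, &a->s6_addr[2], sizeof v4);
    return ntohl(v4);
}

/* output=true : v4 is our local IPv4 source, checked before encapsulation.
 * output=false: v4 is the outer IPv4 source, checked after decapsulation.
 * (The "no native route, avoid bounce" input case needs the routing table.) */
static enum verdict check(bool output, const struct in6_addr *src,
                          const struct in6_addr *dst, uint32_t v4)
{
    if (!is_6to4(src) && !is_6to4(dst))
        return DROP_NO_6TO4;                 /* nothing 6to4 about it */
    if (output) {
        if (IN6_IS_ADDR_MULTICAST(dst) || IN6_IS_ADDR_LINKLOCAL(dst) ||
            IN6_IS_ADDR_V4COMPAT(dst) || IN6_IS_ADDR_V4MAPPED(dst))
            return DROP_BAD_DST;             /* never carried over 6to4 */
        if (is_6to4(dst) && embedded_v4(dst) == v4)
            return DROP_OWN_PREFIX;          /* no route inside our own /48 */
    } else if (is_6to4(src) && embedded_v4(src) != v4) {
        return DROP_SRC_MISMATCH;            /* inner 6to4 src != outer src */
    }
    return OK;
}

/* Same checks on textual IPv6/IPv4 literals (hypothetical front-end). */
static enum verdict check_str(bool output, const char *src, const char *dst, const char *v4)
{
    struct in6_addr s, d; struct in_addr a;
    if (inet_pton(AF_INET6, src, &s) != 1 || inet_pton(AF_INET6, dst, &d) != 1 ||
        inet_pton(AF_INET, v4, &a) != 1)
        return DROP_PARSE;
    return check(output, &s, &d, ntohl(a.s_addr));
}
```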

