| Summary: | add reject routes and comments in /etc/rc.network6 | | |
|---|---|---|---|
| Product: | Base System | Reporter: | koji <koji> |
| Component: | conf | Assignee: | Hajimu UMEMOTO <ume> |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | | |
| Priority: | Normal | | |
| Version: | 4.0-STABLE | | |
| Hardware: | Any | | |
| OS: | Any | | |
Responsible Changed From-To: freebsd-bugs->ume
Over to our IPv6 maintainer.

State Changed From-To: open->feedback
Reject routes had been partly merged from KAME around the 2nd KAME merge. Please refer to 4.1-RELEASE's rc.network6. Some were not merged because of concerns. Those left unmerged which you mentioned are:

- route add -inet6 fec0:: -prefixlen 10 ::1 -reject
  Rejecting site-local addresses may cause problems for the people who use or wish to use site-local.

- route add -inet6 ::224.0.0.0 -prefixlen 100 ::1 -reject
  route add -inet6 ::127.0.0.0 -prefixlen 104 ::1 -reject
  route add -inet6 ::0.0.0.0 -prefixlen 104 ::1 -reject
  route add -inet6 ::255.0.0.0 -prefixlen 104 ::1 -reject
  Compatible addresses are rejected altogether. So, these routes are bogus.

I think rc.network6 shouldn't be an example. So, if there are so many people who wish to have the above settings, these should be an option in rc.conf.

State Changed From-To: feedback->closed
No response from originator for a long time.
We had better add reject routes and comments. We can see them from NetBSD, OpenBSD, and KAME.

How-To-Repeat: % diff -ur rc.network6.orig rc.network6 --- rc.network6.orig Sun Jun 11 01:25:28 2000 +++ rc.network6 Sun Jun 11 01:50:09 2000 @@ -41,8 +41,39 @@ # just to make sure ifconfig lo0 up - # disallow "internal" addresses to appear on the wire + # disallow site-local unicast dest without outgoing scope + # identifiers. + # If you configure site-locals without scope id (it is + # permissible config for routers that are not on scope + # boundary), you may want to comment the following one out. + # + route add -inet6 fec0:: -prefixlen 10 ::1 -reject + + # disallow "internal" addresses to appear on the wire. + # route add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject + + # disallow packets to malicious IPv4 compatible prefix + # + route add -inet6 ::224.0.0.0 -prefixlen 100 ::1 -reject + route add -inet6 ::127.0.0.0 -prefixlen 104 ::1 -reject + route add -inet6 ::0.0.0.0 -prefixlen 104 ::1 -reject + route add -inet6 ::255.0.0.0 -prefixlen 104 ::1 -reject + + # Completely disallow packets to IPv4 compatible prefix. + # This may conflict with RFC1933 under following circumstances: + # (1) An IPv6-only KAME node tries to originate packets to IPv4 + # comatible destination. The KAME node has no IPv4 + # compatible support. Under RFC1933, it should transmit + # native IPv6 packets toward IPv4 compatible destination, + # hoping it would reach a router that forwards the packet + # toward auto-tunnel interface. + # (2) An IPv6-only node originates a packet to IPv4 compatible + # destination. A KAME node is acting as an IPv6 router, and + # asked to forward it. + # Due to rare use of IPv4 compatible address, and security + # issues with it, we disable it by default. + # route add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject case ${ipv6_gateway_enable} in
@@ -271,9 +302,10 @@ ifconfig stf0 inet6 2002:${ipv4_in_hexformat}:${stf_interface_ipv6_slaid:-0}:${stf_interface_ipv6_ifid} \ prefixlen ${stf_prefixlen} # disallow packets to malicious 6to4 prefix - route add -inet6 2002:7f00:0000:: -prefixlen 24 ::1 -reject - route add -inet6 2002:0000:0000:: -prefixlen 48 ::1 -reject - route add -inet6 2002:ffff:ffff:: -prefixlen 48 ::1 -reject + route add -inet6 2002:e000:: -prefixlen 20 ::1 -reject + route add -inet6 2002:7f00:: -prefixlen 24 ::1 -reject + route add -inet6 2002:0000:: -prefixlen 24 ::1 -reject + route add -inet6 2002:ff00:: -prefixlen 24 ::1 -reject ;; esac }
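Review bot: in the first hunk (@@ -41,8 +41,39 @@) the site-local reject `route add -inet6 fec0:: -prefixlen 10 ::1 -reject` is added active by default while its own comment concedes that site-locals without a scope id are a permissible router configuration and tells such users to comment the line out; a default that knowingly breaks a legal configuration belongs behind an rc.conf knob (the same treatment the `case ${ipv6_gateway_enable} in` block just below it gets), or should ship commented out like the `::ffff:0.0.0.0 -prefixlen 96` and `::0.0.0.0 -prefixlen 96` entries in the same hunk. The `# route add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject` line is also left disabled with no explanation, whereas the `::0.0.0.0 -prefixlen 96` entry gets a full RFC1933 rationale; either enable it or document why IPv4-mapped destinations are not rejected. Minor: the comment misspells "compatible" as "comatible".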
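Review bot: in the second hunk (@@ -271,9 +302,10 @@) the comment `# disallow packets to malicious 6to4 prefix` is kept unchanged although the list under it changes shape from three /24 and /48 entries to four /20 and /24 entries, and nothing says which embedded IPv4 range each one blocks: 2002:e000::/20 is 224.0.0.0/4 (multicast), 2002:7f00::/24 is 127.0.0.0/8, 2002:0000::/24 is 0.0.0.0/8 and 2002:ff00::/24 is 255.0.0.0/8. Stating that beside each route lets a later reader check the prefix lengths (the 16-bit 2002: prefix plus 4 or 8 bits of the first IPv4 octet) without recomputing them. It is also worth saying whether the gaps are deliberate: the rest of 240.0.0.0/4 apart from 255/8, RFC1918 space and 169.254.0.0/16 are not on the list, so nothing here rejects a 6to4 destination that embeds a private or link-local IPv4 address.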