From nobody@FreeBSD.ORG  Sat Jun 10 10:43:42 2000
Return-Path: <nobody@FreeBSD.ORG>
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id 6CCBA37BC45; Sat, 10 Jun 2000 10:43:42 -0700 (PDT)
Message-Id: <20000610174342.6CCBA37BC45@hub.freebsd.org>
Date: Sat, 10 Jun 2000 10:43:42 -0700 (PDT)
From: koji@jp.above.net
Sender: nobody@FreeBSD.ORG
To: freebsd-gnats-submit@FreeBSD.org
Subject: add reject routes and comments in /etc/rc.network6
X-Send-Pr-Version: www-1.0

>Number:         19178
>Category:       conf
>Synopsis:       add reject routes and comments in /etc/rc.network6
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    ume
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          wish
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 10 10:50:03 PDT 2000
>Closed-Date:    Tue Mar 13 04:59:04 PST 2001
>Last-Modified:  Tue Mar 13 05:00:40 PST 2001
>Originator:     Koji Kondo
>Release:        FreeBSD 4.0-STABLE
>Organization:
AboveNet Japan
>Environment:
FreeBSD aluminum.jp.above.net 4.0-STABLE FreeBSD 4.0-STABLE #0: Fri Jun  9 13:25:01 JST 2000     koji@aluminum.jp.above.net:/usr/src/sys/compile/ALUMINUM  i386

>Description:
We had better add reject routes and comments.
We can see them in NetBSD, OpenBSD, and KAME.

>How-To-Repeat:
% diff -ur rc.network6.orig rc.network6
--- rc.network6.orig    Sun Jun 11 01:25:28 2000
+++ rc.network6 Sun Jun 11 01:50:09 2000
@@ -41,8 +41,39 @@
        # just to make sure
        ifconfig lo0 up
 
-       # disallow "internal" addresses to appear on the wire
+       # disallow site-local unicast dest without outgoing scope
+       # identifiers.
+       # If you configure site-locals without scope id (it is
+       # permissible config for routers that are not on scope
+       # boundary), you may want to comment the following one out.
+       #
+       route add -inet6 fec0:: -prefixlen 10 ::1 -reject
+
+       # disallow "internal" addresses to appear on the wire.
+       #
        route add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject
+
+       # disallow packets to malicious IPv4 compatible prefix
+       #
+       route add -inet6 ::224.0.0.0 -prefixlen 100 ::1 -reject
+       route add -inet6 ::127.0.0.0 -prefixlen 104 ::1 -reject
+       route add -inet6 ::0.0.0.0 -prefixlen 104 ::1 -reject
+       route add -inet6 ::255.0.0.0 -prefixlen 104 ::1 -reject
+
+       # Completely disallow packets to IPv4 compatible prefix.
+       # This may conflict with RFC1933 under following circumstances:
+       # (1) An IPv6-only KAME node tries to originate packets to IPv4
+       #     comatible destination.  The KAME node has no IPv4
+       #     compatible support.  Under RFC1933, it should transmit
+       #     native IPv6 packets toward IPv4 compatible destination,
+       #     hoping it would reach a router that forwards the packet
+       #     toward auto-tunnel interface.
+       # (2) An IPv6-only node originates a packet to IPv4 compatible
+       #     destination.  A KAME node is acting as an IPv6 router, and
+       #     asked to forward it.
+       # Due to rare use of IPv4 compatible address, and security
+       # issues with it, we disable it by default.
+       #
        route add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject
 
        case ${ipv6_gateway_enable} in
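Review bot: the four new rejects for ::224.0.0.0/100, ::127.0.0.0/104, ::0.0.0.0/104 and ::255.0.0.0/104 are all more-specific children of the `route add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject` kept at the end of the same block, so with the whole IPv4-compatible /96 rejected they add nothing; either drop them or keep them only if the /96 reject becomes optional as the long comment hints it might. The `fec0::/10` reject is added unconditionally while its own comment tells routers without scope ids to comment it out; a rc.conf knob (matching the `${ipv6_gateway_enable}` style used just below) would be the safer default than asking admins to edit the script. Minor: "comatible" in the RFC1933 comment should read "compatible".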
@@ -271,9 +302,10 @@
                ifconfig stf0 inet6 2002:${ipv4_in_hexformat}:${stf_interface_ipv6_slaid:-0}:${stf_interface_ipv6_ifid} \
                        prefixlen ${stf_prefixlen}
                # disallow packets to malicious 6to4 prefix
-               route add -inet6 2002:7f00:0000:: -prefixlen 24 ::1 -reject
-               route add -inet6 2002:0000:0000:: -prefixlen 48 ::1 -reject
-               route add -inet6 2002:ffff:ffff:: -prefixlen 48 ::1 -reject
+               route add -inet6 2002:e000:: -prefixlen 20 ::1 -reject
+               route add -inet6 2002:7f00:: -prefixlen 24 ::1 -reject
+               route add -inet6 2002:0000:: -prefixlen 24 ::1 -reject
+               route add -inet6 2002:ff00:: -prefixlen 24 ::1 -reject
                ;;
        esac
 }
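Review bot: the prefix lengths here change from /48 to /24 and a /20 is added, which widens the rejected ranges considerably, but the comment above them still says only "malicious 6to4 prefix"; spell out the embedded IPv4 ranges so the widening is visibly intentional, e.g. 2002:e000::/20 covers 224.0.0.0/4 (multicast and class E), 2002:7f00::/24 covers 127.0.0.0/8, 2002:0000::/24 covers 0.0.0.0/8 and 2002:ff00::/24 covers 255.0.0.0/8. Note that the old 2002:0000:0000::/48 and 2002:ffff:ffff::/48 matched only 0.0.0.0/16 and 255.255.0.0/16, so this is a behaviour change for anything with a 6to4 address derived from the rest of those /8s.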

>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->ume 
Responsible-Changed-By: johan 
Responsible-Changed-When: Fri Aug 11 15:16:32 PDT 2000 
Responsible-Changed-Why:  
Over to our IPv6 maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=19178 
State-Changed-From-To: open->feedback 
State-Changed-By: ume 
State-Changed-When: Sat Aug 12 09:41:14 PDT 2000 
State-Changed-Why:  
Reject routes had been merged partly from KAME around the 2nd KAME merge.
Please refer to 4.1-RELEASE's rc.network6.
Some were not merged due to concerns.  The ones you mentioned that were
left unmerged are:

- route add -inet6 fec0:: -prefixlen 10 ::1 -reject

Rejecting site-local addresses may cause problems for
the people who use or wish to use site-local.

- route add -inet6 ::224.0.0.0 -prefixlen 100 ::1 -reject
  route add -inet6 ::127.0.0.0 -prefixlen 104 ::1 -reject
  route add -inet6 ::0.0.0.0 -prefixlen 104 ::1 -reject
  route add -inet6 ::255.0.0.0 -prefixlen 104 ::1 -reject

Compatible addresses are rejected altogether.  So, these routes are
bogus.

I think rc.network6 shouldn't be an example.  So, if there are so
many people who wish to have the above settings, these should be an option
in rc.conf.

http://www.freebsd.org/cgi/query-pr.cgi?pr=19178 
State-Changed-From-To: feedback->closed 
State-Changed-By: ume 
State-Changed-When: Tue Mar 13 04:59:04 PST 2001 
State-Changed-Why:  
No response from originator for a long time. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=19178 
>Unformatted:
