From marka@isc.org  Thu Apr 28 06:57:54 2011
Message-Id: <201104280655.p3S6tLmL013440@sex.dv.isc.org>
Date: Thu, 28 Apr 2011 16:55:21 +1000 (EST)
From: Mark Andrews <marka@isc.org>
Reply-To: Mark Andrews <marka@isc.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: stf output-only documentation gives bad configuration advice
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         156689
>Category:       docs
>Synopsis:       stf(4) output-only documentation gives bad configuration advice
>Confidential:   no
>Severity:       non-critical
>Priority:       high
>Responsible:    freebsd-doc
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 28 07:00:21 UTC 2011
>Closed-Date:    
>Last-Modified:  Tue May 03 06:13:53 UTC 2011
>Originator:     Mark Andrews
>Release:        FreeBSD 8.2-STABLE i386
>Organization:
ISC
>Environment:
System: FreeBSD sex.dv.isc.org 8.2-STABLE FreeBSD 8.2-STABLE #10: Sat Feb 26 18:02:12 EST 2011 marka@sex.dv.isc.org:/usr/obj/usr/src/sys/DEBUG i386

>Description:

The stf documentation suggests the following configuration.  This
will result in traffic originating from the 6to4 address for which
reply traffic will not be accepted.

     # ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00
     # ifconfig stf0 inet6 2002:8504:0506:0000:a00:5aff:fe38:6f86 \
             prefixlen 16 alias deprecated link0
     # route add -inet6 2002:: -prefixlen 16 ::1
     # route change -inet6 2002:: -prefixlen 16 ::1 -ifp stf0

>How-To-Repeat:

Configure the system as above and try to talk to any machine with
a 6to4 address.  You can observe the traffic with tcpdump.

e.g. "tcpdump -i ne0 -n -p not udp and not tcp and not arp" will
remove most of the extraneous packets.

>Fix:

Use "anycast" rather than "deprecated" so that the kernel will
choose a different IPv6 source address.

     # ifconfig ne0 inet 133.4.5.6 netmask 0xffffff00
     # ifconfig stf0 inet6 2002:8504:0506:: prefixlen 16 alias anycast link0
     # route add -inet6 2002:: -prefixlen 16 ::1
     # route change -inet6 2002:: -prefixlen 16 ::1 -ifp stf0

I tested this on a FreeBSD 4.11 box but I don't believe this part of the
stack has changed much since then.  The above documentation is from
FreeBSD 8.


>Release-Note:
>Audit-Trail:
>Unformatted:
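
Added example, not part of the original report or of the FreeBSD documentation: a small sh audit that derives the 6to4 prefix for an IPv4 address (133.4.5.6 gives 2002:8504:0506::, as in the report) and flags any 2002::/16 address on stf0 that is not marked anycast. The function names and the sample ifconfig output are constructed for illustration; it assumes ifconfig prints the address flag keywords ("deprecated", "anycast") after prefixlen.

```sh
#!/bin/sh
# Added example: audit stf(4) address flags (not from the original PR).

# Print the 6to4 prefix 2002:AABB:CCDD:: for a dotted-quad IPv4 address.
# Returns 1 on malformed input (wrong field count, non-digits, octet > 255).
sixto4_prefix() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    printf '2002:%02x%02x:%02x%02x::\n' "$1" "$2" "$3" "$4"
}

# Read `ifconfig stf0` output on stdin. Print every 2002::/16 address that
# is NOT flagged anycast; exit status is 1 if at least one was found.
audit_stf() {
    awk '
        $1 == "inet6" && $2 ~ /^2002:/ {
            anycast = 0
            for (i = 3; i <= NF; i++) if ($i == "anycast") anycast = 1
            if (!anycast) { print $2; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed, abbreviated sample output for the two configurations in the PR.
BEFORE='stf0: flags=1<UP> metric 0 mtu 1280
	inet6 2002:8504:506:0:a00:5aff:fe38:6f86 prefixlen 16 deprecated'
AFTER='stf0: flags=1<UP> metric 0 mtu 1280
	inet6 2002:8504:506:: prefixlen 16 anycast'

# Demo: the documented config is flagged, the proposed fix is clean.
echo "expected prefix: $(sixto4_prefix 133.4.5.6)"
if ! printf '%s\n' "$BEFORE" | audit_stf; then
    echo "^ documented config: address not anycast, may be used as a source"
fi
if printf '%s\n' "$AFTER" | audit_stf; then
    echo "proposed config: no non-anycast 6to4 address on stf0"
fi
```

On a live system, pipe the real output in: ifconfig stf0 | audit_stf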
