From jabley@buffoon.automagic.org  Mon Sep 24 09:56:20 2001
Return-Path: <jabley@buffoon.automagic.org>
Received: from buffoon.automagic.org (buffoon.automagic.org [208.185.30.208])
	by hub.freebsd.org (Postfix) with SMTP id 5DF3837B41B
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 24 Sep 2001 09:56:20 -0700 (PDT)
Received: (qmail 37673 invoked by uid 1000); 24 Sep 2001 16:56:03 -0000
Message-Id: <20010924165603.37672.qmail@buffoon.automagic.org>
Date: 24 Sep 2001 16:56:03 -0000
From: Joe Abley <jabley@automagic.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc: Lamont Granquist <lamont@scriptkiddie.org>
Subject: traffic destined for 127/8 addresses should be kept off the network
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         30792
>Category:       misc
>Synopsis:       traffic destined for 127/8 addresses should be kept off the network
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    ru
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 24 10:00:01 PDT 2001
>Closed-Date:    Fri Feb 1 02:42:04 PST 2002
>Last-Modified:  Fri Feb 01 02:43:05 PST 2002
>Originator:     Joe Abley
>Release:        FreeBSD 4.4-RELEASE i386
>Organization:
NLRI
>Environment:
System: FreeBSD buffoon.automagic.org 4.4-RELEASE FreeBSD 4.4-RELEASE #0: Wed Sep 19 23:42:19 EDT 2001 jabley@buffoon.automagic.org:/usr/obj/usr/src/sys/BUFFOON i386

>Description:
IP traffic with destination addresses that (a) fall within 127/8
and (b) do not match any configured local addresses or aliases will
be sent out on the network following the default route, if there is one.

This is contrary to the specifications in RFC1122, which states that
"addresses of this form MUST NOT appear outside the host".

>How-To-Repeat:
  tcpdump

whilst

  ping 127.1.1.1

in an environment where a default exists pointing out the same interface
watched by default by tcpdump, and where 127.1.1.1 does not match any
locally-configured address or alias. The tcpdump will reveal traffic
sent out on the net with destination addresses within 127/8.
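As an added example (not from the PR or from FreeBSD), a small sh/awk filter for the tcpdump step above: it reads `tcpdump -n` text on standard input and prints only the lines whose source or destination address falls in 127/8, so the check does not depend on eyeballing the capture. The interface name xl0 is an assumption, and the capture itself needs root on the monitored host.

```shell
#!/bin/sh
# Added example, not part of the PR: filter `tcpdump -n` text for packets
# whose source or destination address lies in 127/8. RFC1122 says such
# addresses must not appear outside the host, so on a non-loopback
# interface every match is a leak. Usage (interface name xl0 is assumed,
# capture needs root):
#   tcpdump -l -n -i xl0 | loopback_leaks

loopback_leaks() {
    awk '
    # Return the first octet of an IPv4 address, with or without a trailing
    # ".port" (tcpdump prints "10.0.0.1.80"); -1 for anything else (IPv6, names).
    function first_octet(a,   n, p) {
        n = split(a, p, ".")
        if (n < 4) return -1
        return p[1] + 0
    }
    {
        # Both the old ("src > dst: icmp ...") and the newer ("IP src > dst: ...")
        # tcpdump line formats put the two addresses around a ">" field.
        for (i = 2; i < NF; i++) {
            if ($i == ">") {
                src = $(i - 1); dst = $(i + 1); sub(/:$/, "", dst)
                if (first_octet(dst) == 127) { print "dst-127/8: " $0; next }
                if (first_octet(src) == 127) { print "src-127/8: " $0; next }
            }
        }
    }'
}
```

Source addresses are flagged as well as destinations, since the later fix note in this PR treats packets sourced from 127/8 the same way.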

>Fix:

--- rc.network.orig	Mon Sep 24 12:49:46 2001
+++ rc.network	Mon Sep 24 12:51:09 2001
@@ -346,6 +346,10 @@
 		done
 	fi
 
+	# Add a blackhole route for 127/8 to keep traffic within
+	# that supernet off the network, per RFC1122
+	route add 127.0.0.0 -netmask 255.0.0.0 -iface lo0 -blackhole
+
 	echo -n 'Additional routing options:'
 	case ${tcp_extensions} in
 	[Yy][Ee][Ss] | '')
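Review bot: the added `route add 127.0.0.0 -netmask 255.0.0.0 -iface lo0 -blackhole` is unconditional and hard-coded in rc.network, with no rc.conf variable to adjust or disable it and no handling of a failing route(8) call (for example "File exists" when the route is already present on a re-run). Since the hunk sits directly below the `done` / `fi` that close the static_routes loop, consider expressing the route through the existing static_routes / route_<name> mechanism instead, so it is configurable and survives rc.network merges. The /8 blackhole does not interfere with the host's own loopback address, because the interface's 127.0.0.1 host route is more specific and still wins.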

>Release-Note:
>Audit-Trail:

From: "Scot W. Hetzel" <scot@genroco.com>
To: <FreeBSD-gnats-submit@FreeBSD.ORG>, <jabley@automagic.org>
Cc:  
Subject: Re: misc/30792: traffic destined for 127/8 addresses should be kept off the network
Date: Mon, 24 Sep 2001 13:40:27 -0500

 Another alternative to patching rc.network is to define static_routes and
 add route_loopback to etc/defaults/rc.conf (see attached patch).
 
 We may also need to do this for IPv6's loopback network.
 
 Scot
 
 Attachment: loopback.patch
 
 Index: rc.conf
 ===================================================================
 RCS file: /home/ncvs/src/etc/defaults/rc.conf,v
 retrieving revision 1.53.2.40
 diff -u -r1.53.2.40 rc.conf
 --- rc.conf	2001/09/14 17:28:11	1.53.2.40
 +++ rc.conf	2001/09/24 17:47:42
 @@ -190,7 +190,7 @@
 
 ### Network routing options: ###
 defaultrouter="NO"		# Set to default gateway (or NO).
 -static_routes=""		# Set to static route list (or leave empty).
 +static_routes="loopback"	# Set to static route list (or leave empty).
 gateway_enable="NO"		# Set to YES if this host will be a gateway.
 router_enable="NO"		# Set to YES to enable a routing daemon.
 router="routed"			# Name of routing daemon to use if enabled.
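Review bot: changing the default to static_routes="loopback" in etc/defaults/rc.conf means any /etc/rc.conf that sets static_routes to its own list (say static_routes="mynet") replaces the default outright and silently drops the loopback blackhole route; the unchanged comment "(or leave empty)" on the same line now also invites users to undo the fix. Either document that "loopback" has to stay in the list, or install the 127/8 route outside the static_routes mechanism so a local override cannot remove it.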
 @@ -204,6 +204,10 @@
 forward_sourceroute="NO"	# do source routing (only if gateway_enable is set to "YES")
 accept_sourceroute="NO"		# accept source routed packets to us
 
 +# static route list.
 +route_loopback="-net 127 -netmask 255.0.0.0 -iface lo0 -blackhole"
 +ipv6_route_loopback="Add example IPv6 loopback route"
 +
 ### ATM interface options: ###
 atm_enable="NO"			# Configure ATM interfaces (or NO).
 #atm_netif_hea0="atm 1"		# Network interfaces for physical interface.
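Review bot: `ipv6_route_loopback="Add example IPv6 loopback route"` is placeholder text, not a route specification, and should be replaced with a real route or commented out before this is committed; nothing in the hunk lists "loopback" in an IPv6 static-route variable, so it is dead text today but would be handed to route(8) verbatim the moment someone enables it. Two smaller points: the comment "# static route list." sits above a route definition rather than the list itself, and `-net 127` relies on route(8) expanding a bare "127" to 127.0.0.0; writing 127.0.0.0 matches the first patch in this PR and avoids any doubt.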
 
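An added example, not FreeBSD's rc.network and not code from this thread, showing how the static_routes / route_<name> variables in the attached patch are turned into route(8) commands, and why a local /etc/rc.conf override can silently drop the loopback route. The loop is assumed to mirror the shape of the rc.network static-route loop (the `done` / `fi` context in the first patch), with the route(8) call replaced by an echo; the route_mynet value is constructed.

```shell
#!/bin/sh
# Added example, not code from FreeBSD's rc.network: a dry run of how the
# static_routes / route_<name> variables in the attached rc.conf patch are
# expanded into route(8) commands, printing instead of executing them.
# The loop is assumed to mirror rc.network's static-route loop.

# Defaults as in the attached etc/defaults/rc.conf hunk.
static_routes="loopback"
route_loopback="-net 127 -netmask 255.0.0.0 -iface lo0 -blackhole"

# Print one "route add ..." command per name listed in ${static_routes}.
expand_static_routes() {
    for i in ${static_routes}; do
        eval route_args=\$route_${i}
        echo "route add ${route_args}"
    done
}

# Return 0 if the expanded list still installs the 127/8 blackhole,
# 1 if a local override dropped it.
loopback_route_present() {
    expand_static_routes | grep -q -- '-net 127 -netmask 255.0.0.0 .*-blackhole'
}

# Simulate /etc/rc.conf overriding the default list. The assignment
# replaces rather than appends, so a user who lists only their own
# routes silently loses the loopback blackhole.
route_mynet="-net 10.1.0.0 -netmask 255.255.0.0 10.0.0.1"   # constructed value
static_routes="mynet"
loopback_route_present || echo "override dropped the 127/8 blackhole route"

# User-side remedy: keep "loopback" in the list alongside local routes.
static_routes="loopback mynet"
loopback_route_present && echo "loopback route kept alongside mynet"
```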
 

From: Joe Abley <jabley@automagic.org>
To: "Scot W. Hetzel" <scot@genroco.com>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: misc/30792: traffic destined for 127/8 addresses should be kept off the network
Date: Mon, 24 Sep 2001 14:43:51 -0400

 On Mon, Sep 24, 2001 at 01:40:27PM -0500, Scot W. Hetzel wrote:
 > Another alternative to patching rc.network is to define static_routes and
 > add route_loopback to etc/defaults/rc.conf (see attached patch).
 > 
 > We may also need to do this for IPv6's loopback network.
 
 That's a nicer idea than my patch.
 
 
 Joe
State-Changed-From-To: open->feedback 
State-Changed-By: ru 
State-Changed-When: Mon Jan 21 06:01:35 PST 2002 
State-Changed-Why:  
Fixed in 5.0-CURRENT, sys/netinet/ip_output.c,v 1.148. 
(Packets with source address of 127/8 are not eligible as well.) 

MFC in one week. 


Responsible-Changed-From-To: freebsd-bugs->ru 
Responsible-Changed-By: ru 
Responsible-Changed-When: Mon Jan 21 06:01:35 PST 2002 
Responsible-Changed-Why:  

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=30792 
State-Changed-From-To: feedback->closed 
State-Changed-By: ru 
State-Changed-When: Fri Feb 1 02:42:04 PST 2002 
State-Changed-Why:  
Fixed in 4.5-STABLE, sys/netinet/ip_output.c,v 1.99.2.25. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=30792 
>Unformatted:
