lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <200908241148.17012.contact@saschahlusiak.de>
Date:	Mon, 24 Aug 2009 11:48:12 +0200
From:	Sascha Hlusiak <contact@...chahlusiak.de>
To:	"Rémi Denis-Courmont" <remi@...lab.net>
Cc:	netdev@...r.kernel.org
Subject: Re: [PATCH] sit: 6to4: honour routing table

Hi Rémi,

> > default via 2002:c058:6301:: dev 6to4
> >
> > A package to 2001:: would fall through the try_6to4 check to the
> >
> > IPv4-compat check and die there.
>
> I don't understand what you're trying to fix. For a 6to4 tunnel, this has
>
> always worked fine for me, as far as I remember:
>
> default via ::192.88.99.1 dev 6to4
It does work, yes, but first of all IPv4-compatible addresses are mentioned to 
be deprecated in: 
http://tools.ietf.org/html/rfc4291#section-2.5.5.1

In http://tools.ietf.org/html/rfc3068#section-2.5 the IPv6 address of the 
router is recommended to be 2002:c058:6301:: but any route over a 6to4 address 
over the tunnel device would break with an "address unreachable", as described 
in the patch.

> > This patch makes try_6to4 use the address of the Next-Hop instead,
> >
> > respecting
> >
> > the routing table. Users are encouraged to have a route 2002::/16 to the
> >
> > tunnel device anyway, making all other 6to4 hosts direct neighbours.
>
> And where exactly is that "encouragement" coming from?
Some howtos stress the importance of the 6to4 prefixlen:
"Also note that that the prefix length for a 6to4 address is 16 because of from 
network point of view, all other 6to4 enabled hosts are on the same layer 2.":
http://mirrors.deepspace6.net/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html

FreeBSD stf man page shows examples of configuring the 2002::/16 routes which 
would not work in Linux:
http://gsp.com/cgi-bin/man.cgi?section=4&topic=stf

Cisco configures routes to 2002::/16 over the interface:
http://www.cisco.com/en/US/tech/tk872/technologies_configuration_example09186a00801f3b4f.shtml#configs

Windows Vista automatically configures a route to 2002::/16 to the interface as 
well.

http://tools.ietf.org/html/rfc3056#section-5.3 does mention to use the target 
address as the next hop also to use the next-hop if the destination is not 
6to4 (I'd rather see it strictly following the routing table though and be 
able to restrict routing 6to4 traffic directly by altering the routing table). 

Attached patch is a compromise though which implements both but tries the 
destination address first and then the next hop. What would it break?

Cheers,
Sascha

View attachment "0001-sit-6to4-honour-routing-table.patch" of type "text/x-patch" (1303 bytes)

Download attachment "signature.asc " of type "application/pgp-signature" (199 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ