Subject: standards/32152: RFC3849, 3879, 4193 -- patch included
To: standards-manager@netbsd.org, gnats-admin@netbsd.org
From: jakllsch@kollasch.net
List: netbsd-bugs
Date: 11/23/2005 20:39:00
>Number: 32152
>Category: standards
>Synopsis: site-local addressing is deprecated, RFC4193 is unimplemented
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: standards-manager
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Wed Nov 23 20:39:00 +0000 2005
>Originator: Jonathan A. Kollasch
>Release: NetBSD 3.99.11
>Organization:
>Environment:
System: NetBSD vergon.kollasch.net 3.99.11 NetBSD 3.99.11 (VERGON) #1: Thu Nov 10 19:48:59 CST 2005 root@vergon.kollasch.net:/usr/src/sys/arch/sparc64/compile/VERGON sparc64
Architecture: sparc64
Machine: sparc64
>Description:
RFC3879 deprecated site-local addressing. The attached patch removes
references to these addresses in non-3rd party code. Where applicable they
were replaced with addresses from RFC3849.
An unconditionally installed reject route to RFC3849 addresses is also
in this patch. I believe this is appropriate, as RFC3849 suggests these
addresses should never be used (except in documentation). If needed,
unique-local address space can be used for test networks.
This patch also implements a recommendation of section 4.3 of RFC4193.
When configured as a router, rc.d/network will, by default, install a reject
route to the unique-local area of the address space. This can be overridden by
setting the ip6uniquelocal variable to YES.
>How-To-Repeat:
Use site or unique local addresses.
>Fix:
diff -ur src.orig/etc/defaults/rc.conf src/etc/defaults/rc.conf
--- src.orig/etc/defaults/rc.conf 2005-10-15 18:26:30.000000000 -0500
+++ src/etc/defaults/rc.conf 2005-11-23 12:24:16.000000000 -0600
@@ -155,7 +155,7 @@
ntpdate=NO ntpdate_flags="-b -s" # May need '-u' thru firewall
ppp_peers="" # /etc/ppp/peers to call
ip6mode=host # host, autohost or router
-ip6sitelocal=NO # IPv6 sitelocal addrs
+ip6uniquelocal=NO # IPv6 unique-local forwarding
rtsol=NO rtsol_flags="-a" # for ip6mode=autohost only
# Special treatment for interfaces that need to be downed on
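Review bot: renaming ip6sitelocal to ip6uniquelocal with no compatibility handling means an existing rc.conf that still sets ip6sitelocal=YES is silently ignored after this change; either keep ip6sitelocal as a recognised but deprecated knob for a release, or at least call out the rename in the rc.conf.5 change. The comment should also state the scope the rc.conf.5 text gives the variable, since it only matters when ip6mode=router, e.g. `ip6uniquelocal=NO # IPv6 unique-local forwarding (ip6mode=router only)`.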
diff -ur src.orig/etc/rc.d/network src/etc/rc.d/network
--- src.orig/etc/rc.d/network 2005-06-28 08:36:40.000000000 -0500
+++ src/etc/rc.d/network 2005-11-23 14:12:35.000000000 -0600
@@ -76,15 +76,9 @@
#
route -q add -inet6 fe80:: -prefixlen 10 ::1 -reject
- # disallow site-local unicast dest without outgoing scope
- # identifiers.
- # If you configure site-locals without scope id (it is
- # permissible config for routers that are not on scope
- # boundary), you may want to comment the following one out.
+ # disallow use of RFC3849 documentation addresses
#
- if ! checkyesno ip6sitelocal; then
- route -q add -inet6 fec0:: -prefixlen 10 ::1 -reject
- fi
+ route -q add -inet6 2001:db8:: -prefixlen 32 ::1 -reject
# disallow "internal" addresses to appear on the wire.
#
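Review bot: the new `route -q add -inet6 2001:db8:: -prefixlen 32 ::1 -reject` has no rc.conf override, unlike the fec0::/10 route it replaces and the fc00::/7 route added further down in this file; if that is deliberate (the description argues the RFC3849 space should never be used), say so in the rc.conf.5 change so an admin who finds the route in the table knows where it comes from, otherwise guard it the same way as the others. The removed comment also explained why a site might want to disable the route; the replacement comment should keep that guidance by noting that locally assigned unique-local space is the supported alternative for test networks.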
@@ -127,6 +121,13 @@
router)
echo 'IPv6 mode: router'
sysctl -qw net.inet6.ip6.forwarding=1
+
+ # disallow unique-local unicast forwarding without
+ # explicit configuration.
+ #
+ if ! checkyesno ip6uniquelocal; then
+ route -q add -inet6 fc00:: -prefixlen 7 ::1 -reject
+ fi
;;
autohost)
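Review bot: the comment above `if ! checkyesno ip6uniquelocal; then` should describe what a /7 reject entry actually does in routing terms, because it is only a fallback: any more-specific route the router holds for its own unique-local prefixes (an interface configured on an fd00::/8 /48, or a prefix learned from a routing daemon) still wins by longest-prefix match, so the entry only refuses unique-local destinations for which the router has no explicit route. That is the RFC4193 section 4.3 behaviour the description claims, so cite it here the way the earlier hunk cites RFC3849, and note that ip6uniquelocal=YES is only needed when a router must forward unique-local traffic via its default route.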
@@ -165,7 +166,7 @@
# configuration is possible:
# inet 10.1.1.1 netmask 0xffffff00
# inet 10.1.1.2 netmask 0xffffff00 alias
- # inet6 fec0::1 prefixlen 64 alias
+ # inet6 2001:db8:f00d:cafe::1 prefixlen 64 alias
#
# You can put shell script fragment into /etc/ifconfig.xxN by
# starting a line with "!". Refer to ifconfig.if(5) for details.
diff -ur src.orig/share/man/man5/ifconfig.if.5 src/share/man/man5/ifconfig.if.5
--- src.orig/share/man/man5/ifconfig.if.5 2002-10-12 19:46:59.000000000 -0500
+++ src/share/man/man5/ifconfig.if.5 2005-11-23 13:28:55.000000000 -0600
@@ -71,9 +71,9 @@
inet 10.0.1.12 netmask 255.255.255.0 media 100baseTX
inet 10.0.1.13 netmask 255.255.255.255 alias
# let us have IPv6 address on this interface
-inet6 fec0::1 prefixlen 64 alias
+inet6 2001:db8:f00d:cafe::1 prefixlen 64 alias
# have subnet router anycast address too
-inet6 fec0:: prefixlen 64 alias anycast
+inet6 2001:db8:f00d:cafe:: prefixlen 64 alias anycast
.Ed
.Pp
The following illustrates dynamic configuration setup with
diff -ur src.orig/share/man/man5/rc.conf.5 src/share/man/man5/rc.conf.5
--- src.orig/share/man/man5/rc.conf.5 2005-11-19 13:59:24.000000000 -0600
+++ src/share/man/man5/rc.conf.5 2005-11-23 12:17:06.000000000 -0600
@@ -524,14 +524,22 @@
.Sy rtsold
as well, if you set the variable to
.Dq Li autohost .
-.It Sy ip6sitelocal
+.It Sy ip6uniquelocal
.Sq YES
or
.Sq NO .
-If you intend to use IPv6 site-local addresses in your site, set it to
-.Sq YES .
-Otherwise, reject routes will get installed on boot to avoid misconfiguration
-relating to site-local addresses.
+If
+.Sy ip6mode
+is
+.Dq Li router
+and
+.Sy ip6uniquelocal
+is set to
+.Sq NO
+reject routes will get installed on boot to avoid misconfiguration
+relating to unique-local addresses. If set to
+.Sq YES
+the reject route will not be installed.
.It Sy ipfilter
.Sq YES
or
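Review bot: the added mdoc text is missing punctuation and breaks the new-sentence-new-line convention the surrounding page follows: `.Sq NO` needs a trailing comma (`.Sq NO ,`) before `reject routes will get installed on boot`, and `relating to unique-local addresses. If set to` should be split so that `If set to` starts its own line. It also says `reject routes` in the NO case but `the reject route` in the YES case, while the script adds exactly one route (fc00::/7); use the singular consistently and name the prefix so the documented behaviour matches the table an admin will see.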
diff -ur src.orig/share/sushi/system/rcconf/form src/share/sushi/system/rcconf/form
--- src.orig/share/sushi/system/rcconf/form 2005-01-11 17:00:59.000000000 -0600
+++ src/share/sushi/system/rcconf/form 2005-11-23 12:22:18.000000000 -0600
@@ -46,7 +46,7 @@
escript:30,script2,ntpdate_flags Flags for ntpdate
escript:30,script2,ppp_peers /etc/ppp/peers to call
script:script4,ip6mode IPv6 mode
-script:script1,ip6sitelocal IPv6 sitelocal addresses
+script:script1,ip6uniquelocal IPv6 unique-local forwarding on routers
script:script1,rtsol IPv6 autoconfig on non routers (rtsol)
escript:30,script2,rtsol_flags Flags to pass to rtsol
script:script1,ifwatchd Run ifwatchd daemon?
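As an added illustration, not part of this PR or of NetBSD's rc.d code, the following Python models the longest-prefix lookup the kernel performs against the reject routes this patch installs on a router with ip6uniquelocal=NO. It shows why a router's explicitly configured unique-local /48 (fd12:3456:789a::/48 is a constructed example) is still forwarded while other fc00::/7 destinations are refused, and that fec0::/10 destinations are no longer caught once the site-local route is gone.

```python
import ipaddress

# Reject routes as installed by the patched /etc/rc.d/network when
# ip6mode=router and ip6uniquelocal=NO (gateway ::1, flag -reject).
REJECT_ROUTES = [
    ipaddress.ip_network("fe80::/10"),      # link-local dest without scope id
    ipaddress.ip_network("2001:db8::/32"),  # RFC3849 documentation space
    ipaddress.ip_network("fc00::/7"),       # RFC4193 unique-local, router only
]


def build_table(configured_prefixes, reject_routes=REJECT_ROUTES):
    """Return a routing table as a list of (network, action) tuples.

    configured_prefixes are prefixes the router has explicit routes for
    (its own interface prefixes or routes learned from a daemon); they are
    'forward' entries.  The reject routes are appended as 'reject' entries.
    """
    table = [(ipaddress.ip_network(p), "forward") for p in configured_prefixes]
    table += [(net, "reject") for net in reject_routes]
    return table


def lookup(table, dst):
    """Longest-prefix match: the most specific matching entry decides.

    Returns 'forward', 'reject', or 'default' when nothing matches and the
    packet would fall through to the default route (if any).
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, action in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else "default"


def classify(dst):
    """Name the patch's rejected range a destination falls in, or None."""
    addr = ipaddress.ip_address(dst)
    for net in REJECT_ROUTES:
        if addr in net:
            return str(net)
    return None


if __name__ == "__main__":
    # Constructed router config: one locally assigned ULA /48 on an interface.
    table = build_table(["fd12:3456:789a::/48"])
    for dst in ["fd12:3456:789a:1::5", "fd99::1", "2001:db8::1", "fec0::1"]:
        print(f"{dst:24} -> {lookup(table, dst):8} ({classify(dst)})")
```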