On 04/11/16(Fri) 10:09, Martin Pieuchot wrote:
> On 02/11/16(Wed) 10:19, Martin Pieuchot wrote:
> > On 25/10/16(Tue) 22:13, Markus Friedl wrote:
> > >
> > > > Am 25.10.2016 um 17:13 schrieb Mike Belopuhov <[email protected]>:
> > > >
> > > >
> > > > There are apparently some discussions in informational RFCs regarding
> > > > this issue. For instance https://tools.ietf.org/html/rfc3756 states:
> > > >
> > > > More specifically, the currently used key agreement protocol, IKE,
> > > > suffers from a chicken-and-egg problem [8]: one needs an IP address
> > > > to run IKE, IKE is needed to establish IPsec SAs, and IPsec SAs are
> > > > required to configure an IP address.
> > > >
> > > > Which goes one step further: how to protect all ND in general, but is
> > > > still applicable in our situation. There were attempts to protect ND
> > > > in an alternative way, e.g. SEND (https://tools.ietf.org/html/rfc3971).
> > > > FreeBSD has picked up on it and has had a SoC project which seems to
> > > > be integrated right now:
> > > >
> > > > https://wiki.freebsd.org/SOC2009AnaKukec
> > > > https://www.freebsd.org/cgi/man.cgi?query=send&sektion=4
> > > >
> > > > Would it be possible for us to disable the check and always set saddr6
> > > > to NULL for now?
> > >
> > > Fine w/me.
> > >
> > > Or we could check if the packet has been IPsec encapsulated
> > > and set saddr6 to NULL in this case.
> >
> > Is this fixed? Anything we're still waiting for?
>
> So something like that? FWIW I'm happy with fewer in6ifa_ifpwithaddr().
naddy@ confirmed this diff fixes his tunnel mode setup, ok?
> Index: netinet6/nd6_nbr.c
> ===================================================================
> RCS file: /cvs/src/sys/netinet6/nd6_nbr.c,v
> retrieving revision 1.110
> diff -u -p -r1.110 nd6_nbr.c
> --- netinet6/nd6_nbr.c 23 Aug 2016 11:03:10 -0000 1.110
> +++ netinet6/nd6_nbr.c 4 Nov 2016 09:02:47 -0000
> @@ -433,54 +433,23 @@ nd6_ns_output(struct ifnet *ifp, struct
> }
> ip6->ip6_dst = dst_sa.sin6_addr;
> if (!dad) {
> - /*
> - * RFC2461 7.2.2:
> - * "If the source address of the packet prompting the
> - * solicitation is the same as one of the addresses assigned
> - * to the outgoing interface, that address SHOULD be placed
> - * in the IP Source Address of the outgoing solicitation.
> - * Otherwise, any one of the addresses assigned to the
> - * interface should be used."
> - *
> - * We use the source address for the prompting packet
> - * (saddr6), if:
> - * - saddr6 is given from the caller (by giving "ln"), and
> - * - saddr6 belongs to the outgoing interface.
> - * Otherwise, we perform the source address selection as usual.
> - */
> - struct ip6_hdr *hip6; /* hold ip6 */
> - struct in6_addr *saddr6;
> + /* Perform source address selection. */
> + struct rtentry *rt;
>
> - if (ln && ln->ln_hold) {
> - hip6 = mtod(ln->ln_hold, struct ip6_hdr *);
> - /* XXX pullup? */
> - if (sizeof(*hip6) < ln->ln_hold->m_len)
> - saddr6 = &hip6->ip6_src;
> - else
> - saddr6 = NULL;
> - } else
> - saddr6 = NULL;
> - if (saddr6 && in6ifa_ifpwithaddr(ifp, saddr6))
> - src_sa.sin6_addr = *saddr6;
> - else {
> - struct rtentry *rt;
> + rt = rtalloc(sin6tosa(&dst_sa), RT_RESOLVE,
> + m->m_pkthdr.ph_rtableid);
> + if (!rtisvalid(rt)) {
> + char addr[INET6_ADDRSTRLEN];
>
> - rt = rtalloc(sin6tosa(&dst_sa), RT_RESOLVE,
> - m->m_pkthdr.ph_rtableid);
> - if (!rtisvalid(rt)) {
> - char addr[INET6_ADDRSTRLEN];
> -
> - nd6log((LOG_DEBUG,
> - "%s: source can't be determined: dst=%s\n",
> - __func__, inet_ntop(AF_INET6,
> - &dst_sa.sin6_addr, addr, sizeof(addr))));
> - rtfree(rt);
> - goto bad;
> - }
> - src_sa.sin6_addr =
> - ifatoia6(rt->rt_ifa)->ia_addr.sin6_addr;
> + nd6log((LOG_DEBUG,
> + "%s: source can't be determined: dst=%s\n",
> + __func__, inet_ntop(AF_INET6,
> + &dst_sa.sin6_addr, addr, sizeof(addr))));
> rtfree(rt);
> + goto bad;
> }
> + src_sa.sin6_addr = ifatoia6(rt->rt_ifa)->ia_addr.sin6_addr;
> + rtfree(rt);
> } else {
> /*
> * Source address for DAD packet must always be IPv6
>
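Review bot: The replacement comment "Perform source address selection." drops the RFC2461 7.2.2 citation along with the whole explanation of the saddr6 heuristic, so nothing in the code records why the RFC's SHOULD (reuse the source address of the prompting packet) is deliberately no longer followed. Suggest keeping a short note above `struct rtentry *rt;`, e.g. "RFC2461 7.2.2 suggests reusing the source of the held packet; we always do normal selection instead, since that address may not belong to ifp (e.g. IPsec tunnel mode)", which is the motivation given in this thread. Also, with the `ln->ln_hold` block gone, check whether `ln` is still referenced elsewhere in nd6_ns_output(); if not, the parameter is now unused here and the callers could be simplified in a follow-up diff.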