Re: allow 240/4 in various network daemons

2022-05-28 Thread Theo de Raadt 
Martin Schröder  wrote:

> Am Sa., 28. Mai 2022 um 22:46 Uhr schrieb Seth David Schoen
> :
> > We're also interested in talking about whether there's an appropriate
> > path for supporting non-broadcast use of addresses within 127/8, our
> > most controversial change.  In Linux and FreeBSD, we're experimenting
> 
> IPv6 is now older than IPv4 was when v6 was introduced.
> You are beating a very dead horse.

Martin, that comment is unhelpful.

Re: allow 240/4 in various network daemons

2022-05-28 Thread Geoff Steckel 




On 5/28/22 5:22 PM, Crystal Kolipe wrote:


There certainly are people using this behaviour of the loopback address(es)
in creative ways on non-OpenBSD systems:

https://timkay.com/solo/

Changing it on those systems will likely break various users' scripts in
unexpected ways.

The script linked above doesn't work in it's original form on OpenBSD
precisely because of the different behaviour of the 127/8 subnet.

Not that I really care, because a solution to the _real_ problem already
exists.  It's called IPv6.


True. But I would have to buy access to a VPN because
my service provider hasn't extended IPv6 service to my location.
Hurricane Electric isn't useful because some sites care about geography
and they can't determine where a HE user is located.

Re: allow 240/4 in various network daemons

2022-05-28 Thread Martin Schröder 
Am Sa., 28. Mai 2022 um 22:46 Uhr schrieb Seth David Schoen
:
> We're also interested in talking about whether there's an appropriate
> path for supporting non-broadcast use of addresses within 127/8, our
> most controversial change.  In Linux and FreeBSD, we're experimenting

IPv6 is now older than IPv4 was when v6 was introduced.
You are beating a very dead horse.

Best
Martin

Re: allow 240/4 in various network daemons

2022-05-28 Thread Crystal Kolipe 
On Sat, May 28, 2022 at 01:46:18PM -0700, Seth David Schoen wrote:
> We're also interested in talking about whether there's an appropriate
> path for supporting non-broadcast use of addresses within 127/8, our
> most controversial change.  In Linux and FreeBSD, we're experimenting
> with the ideas of having a sysctl that defines the prefix length for
> loopback on the 127 network (with the default value being 8), or making
> the loopback interface honor netmasks in exactly the same way as other
> network interfaces do (so if you set 255.0.0.0 as the mask on lo, then
> it will believe 127.2.3.4 is reachable via loopback, while if you set
> 255.255.255.255 as the mask, it will only believe 127.0.0.1 is
> reachable).  We think other systems will be willing to let people opt
> into this change, but will likely not want to make it the default due to
> concerns about possible existing uses for loopback addresses other than
> 127.0.0.1.

There certainly are people using this behaviour of the loopback address(es)
in creative ways on non-OpenBSD systems:

https://timkay.com/solo/

Changing it on those systems will likely break various users' scripts in
unexpected ways.

The script linked above doesn't work in it's original form on OpenBSD
precisely because of the different behaviour of the 127/8 subnet.

Not that I really care, because a solution to the _real_ problem already
exists.  It's called IPv6.

Re: allow 240/4 in various network daemons

2022-05-28 Thread Seth David Schoen 
Theo de Raadt writes:

> This discussion relates to only one step of a number of potential increments.
> 
> I believe it is a bad idea to conflate all of these potential address
> space recovery changes as the same singular discussion.  Not all the
> decisions being made on intranets are sane.  Not all of these proposals
> make sense.  Not all of these proposals make sense right away.
> 
> Instead, they should be done piecemeal, and each one should be discussed
> seperately, or we will lose the way.

Thank you for merging the patches that improve OpenBSD's support for 0/8
and 240/4, and thank you again for making the lowest address broadcast
change years ago.

We'd be happy to hear more of your ideas about the best way to promote
and discuss these changes.  As you may be aware, software support for
them is pretty good (and getting better all the time), while the IETF
community has not been very enthusiastic about our drafts so far.

We're also interested in talking about whether there's an appropriate
path for supporting non-broadcast use of addresses within 127/8, our
most controversial change.  In Linux and FreeBSD, we're experimenting
with the ideas of having a sysctl that defines the prefix length for
loopback on the 127 network (with the default value being 8), or making
the loopback interface honor netmasks in exactly the same way as other
network interfaces do (so if you set 255.0.0.0 as the mask on lo, then
it will believe 127.2.3.4 is reachable via loopback, while if you set
255.255.255.255 as the mask, it will only believe 127.0.0.1 is
reachable).  We think other systems will be willing to let people opt
into this change, but will likely not want to make it the default due to
concerns about possible existing uses for loopback addresses other than
127.0.0.1.

(There was also a CVE affecting some software under Linux due to a
kernel option where one could opt in to giving 127/8 both loopback and
non-loopback semantics at the same time, which turns out to be a bad
idea because then hosts on a LAN can address sockets that think they're
bound only to loopback addresses!  This is definitely not a good idea.)

There also seems to be a strange ambiguity about whether OSes currently
treat all of 127/8 as usable loopback or only treat 127.0.0.1 as reachable
but effectively reserve all of the rest for future use.  My impression
is that either behavior is somewhat defensible under current standards,
but I might have missed some language in an RFC that officially rules
out one or the other.

Re: allow 240/4 in various network daemons

2022-05-06 Thread Tom Smyth 
I would agree with the diff.. @claudio  (for what it is worth)

in principle 240.0.0.0/4 was reserved for future use in the past...
so  changing that today makes sense to me ...


On Fri, 6 May 2022 at 13:20, Claudio Jeker  wrote:
>
> On Thu, May 05, 2022 at 11:37:24AM +0200, Claudio Jeker wrote:
> > So most routing daemons and other network daemons like pppd do not allow
> > 240/4 as IPs because they check the IP against IN_BADCLASS().
> > I think it is time to remove this restriction.
> >
> > Now there is another magical network 0.0.0.0/8 which is not allowed in
> > some but not all of the routing daemons. Not sure if that should be
> > removed or blocked in all daemons.
>
> The discussion about this diff totally derailed so lets try again. Anyone
> wants to OK this?
>
> --
> :wq Claudio
>
> Index: usr.sbin/bgpd/kroute.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/kroute.c,v
> retrieving revision 1.244
> diff -u -p -r1.244 kroute.c
> --- usr.sbin/bgpd/kroute.c  8 Mar 2022 12:58:57 -   1.244
> +++ usr.sbin/bgpd/kroute.c  5 May 2022 08:48:27 -
> @@ -1448,12 +1448,11 @@ kr_redistribute(int type, struct ktable
> return;
>
> /*
> -* We consider the loopback net, multicast and experimental addresses
> +* We consider the loopback net and multicast addresses
>  * as not redistributable.
>  */
> a = ntohl(kr->prefix.s_addr);
> -   if (IN_MULTICAST(a) || IN_BADCLASS(a) ||
> -   (a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
> +   if (IN_MULTICAST(a) || (a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
> return;
>
> /* Check if the nexthop is the loopback addr. */
> Index: usr.sbin/bgpd/rde.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v
> retrieving revision 1.544
> diff -u -p -r1.544 rde.c
> --- usr.sbin/bgpd/rde.c 22 Mar 2022 10:53:08 -  1.544
> +++ usr.sbin/bgpd/rde.c 5 May 2022 08:48:49 -
> @@ -1790,10 +1790,10 @@ bad_flags:
> UPD_READ(_addr, p, plen, 4);
> /*
>  * Check if the nexthop is a valid IP address. We consider
> -* multicast and experimental addresses as invalid.
> +* multicast addresses as invalid.
>  */
> tmp32 = ntohl(nexthop.v4.s_addr);
> -   if (IN_MULTICAST(tmp32) || IN_BADCLASS(tmp32)) {
> +   if (IN_MULTICAST(tmp32)) {
> rde_update_err(peer, ERR_UPDATE, ERR_UPD_NEXTHOP,
> op, len);
> return (-1);
> Index: usr.sbin/eigrpd/util.c
> ===
> RCS file: /cvs/src/usr.sbin/eigrpd/util.c,v
> retrieving revision 1.10
> diff -u -p -r1.10 util.c
> --- usr.sbin/eigrpd/util.c  7 Dec 2018 08:40:54 -   1.10
> +++ usr.sbin/eigrpd/util.c  5 May 2022 08:53:31 -
> @@ -224,7 +224,7 @@ bad_addr_v4(struct in_addr addr)
>
> if (((a >> IN_CLASSA_NSHIFT) == 0) ||
> ((a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) ||
> -   IN_MULTICAST(a) || IN_BADCLASS(a))
> +   IN_MULTICAST(a))
> return (1);
>
> return (0);
> Index: usr.sbin/ldpd/util.c
> ===
> RCS file: /cvs/src/usr.sbin/ldpd/util.c,v
> retrieving revision 1.5
> diff -u -p -r1.5 util.c
> --- usr.sbin/ldpd/util.c7 Dec 2018 08:40:54 -   1.5
> +++ usr.sbin/ldpd/util.c5 May 2022 08:54:03 -
> @@ -223,7 +223,7 @@ bad_addr_v4(struct in_addr addr)
>
> if (((a >> IN_CLASSA_NSHIFT) == 0) ||
> ((a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) ||
> -   IN_MULTICAST(a) || IN_BADCLASS(a))
> +   IN_MULTICAST(a))
> return (1);
>
> return (0);
> Index: usr.sbin/mrouted/inet.c
> ===
> RCS file: /cvs/src/usr.sbin/mrouted/inet.c,v
> retrieving revision 1.6
> diff -u -p -r1.6 inet.c
> --- usr.sbin/mrouted/inet.c 21 Apr 2013 06:42:43 -  1.6
> +++ usr.sbin/mrouted/inet.c 5 May 2022 08:57:09 -
> @@ -36,7 +36,6 @@ inet_valid_host(u_int32_t naddr)
>  addr = ntohl(naddr);
>
>  return (!(IN_MULTICAST(addr) ||
> - IN_BADCLASS (addr) ||
>   (addr & 0xff00) == 0));
>  }
>
> @@ -83,7 +82,7 @@ inet_valid_subnet(u_int32_t nsubnet, u_i
> (subnet & 0xff00) == 0x7f00 ||
> (subnet & 0xff00) == 0x) return (FALSE);
>  }
> -else if (IN_CLASSD(subnet) || IN_BADCLASS(subnet)) {
> +else if (IN_CLASSD(subnet)) {
> /* Above Class C address space */
> return (FALSE);
>  }
> Index: usr.sbin/ospfd/kroute.c
> ===
> RCS file:

Re: allow 240/4 in various network daemons

2022-05-06 Thread Theo Buehler 
On Fri, May 06, 2022 at 02:11:46PM +0200, Claudio Jeker wrote:
> On Thu, May 05, 2022 at 11:37:24AM +0200, Claudio Jeker wrote:
> > So most routing daemons and other network daemons like pppd do not allow
> > 240/4 as IPs because they check the IP against IN_BADCLASS().
> > I think it is time to remove this restriction.
> > 
> > Now there is another magical network 0.0.0.0/8 which is not allowed in
> > some but not all of the routing daemons. Not sure if that should be
> > removed or blocked in all daemons.
> 
> The discussion about this diff totally derailed so lets try again. Anyone
> wants to OK this?

ok tb

Re: allow 240/4 in various network daemons

2022-05-06 Thread Claudio Jeker 
On Thu, May 05, 2022 at 11:37:24AM +0200, Claudio Jeker wrote:
> So most routing daemons and other network daemons like pppd do not allow
> 240/4 as IPs because they check the IP against IN_BADCLASS().
> I think it is time to remove this restriction.
> 
> Now there is another magical network 0.0.0.0/8 which is not allowed in
> some but not all of the routing daemons. Not sure if that should be
> removed or blocked in all daemons.

The discussion about this diff totally derailed so lets try again. Anyone
wants to OK this?
 
-- 
:wq Claudio

Index: usr.sbin/bgpd/kroute.c
===
RCS file: /cvs/src/usr.sbin/bgpd/kroute.c,v
retrieving revision 1.244
diff -u -p -r1.244 kroute.c
--- usr.sbin/bgpd/kroute.c  8 Mar 2022 12:58:57 -   1.244
+++ usr.sbin/bgpd/kroute.c  5 May 2022 08:48:27 -
@@ -1448,12 +1448,11 @@ kr_redistribute(int type, struct ktable 
return;
 
/*
-* We consider the loopback net, multicast and experimental addresses
+* We consider the loopback net and multicast addresses
 * as not redistributable.
 */
a = ntohl(kr->prefix.s_addr);
-   if (IN_MULTICAST(a) || IN_BADCLASS(a) ||
-   (a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
+   if (IN_MULTICAST(a) || (a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
return;
 
/* Check if the nexthop is the loopback addr. */
Index: usr.sbin/bgpd/rde.c
===
RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v
retrieving revision 1.544
diff -u -p -r1.544 rde.c
--- usr.sbin/bgpd/rde.c 22 Mar 2022 10:53:08 -  1.544
+++ usr.sbin/bgpd/rde.c 5 May 2022 08:48:49 -
@@ -1790,10 +1790,10 @@ bad_flags:
UPD_READ(_addr, p, plen, 4);
/*
 * Check if the nexthop is a valid IP address. We consider
-* multicast and experimental addresses as invalid.
+* multicast addresses as invalid.
 */
tmp32 = ntohl(nexthop.v4.s_addr);
-   if (IN_MULTICAST(tmp32) || IN_BADCLASS(tmp32)) {
+   if (IN_MULTICAST(tmp32)) {
rde_update_err(peer, ERR_UPDATE, ERR_UPD_NEXTHOP,
op, len);
return (-1);
Index: usr.sbin/eigrpd/util.c
===
RCS file: /cvs/src/usr.sbin/eigrpd/util.c,v
retrieving revision 1.10
diff -u -p -r1.10 util.c
--- usr.sbin/eigrpd/util.c  7 Dec 2018 08:40:54 -   1.10
+++ usr.sbin/eigrpd/util.c  5 May 2022 08:53:31 -
@@ -224,7 +224,7 @@ bad_addr_v4(struct in_addr addr)
 
if (((a >> IN_CLASSA_NSHIFT) == 0) ||
((a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) ||
-   IN_MULTICAST(a) || IN_BADCLASS(a))
+   IN_MULTICAST(a))
return (1);
 
return (0);
Index: usr.sbin/ldpd/util.c
===
RCS file: /cvs/src/usr.sbin/ldpd/util.c,v
retrieving revision 1.5
diff -u -p -r1.5 util.c
--- usr.sbin/ldpd/util.c7 Dec 2018 08:40:54 -   1.5
+++ usr.sbin/ldpd/util.c5 May 2022 08:54:03 -
@@ -223,7 +223,7 @@ bad_addr_v4(struct in_addr addr)
 
if (((a >> IN_CLASSA_NSHIFT) == 0) ||
((a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) ||
-   IN_MULTICAST(a) || IN_BADCLASS(a))
+   IN_MULTICAST(a))
return (1);
 
return (0);
Index: usr.sbin/mrouted/inet.c
===
RCS file: /cvs/src/usr.sbin/mrouted/inet.c,v
retrieving revision 1.6
diff -u -p -r1.6 inet.c
--- usr.sbin/mrouted/inet.c 21 Apr 2013 06:42:43 -  1.6
+++ usr.sbin/mrouted/inet.c 5 May 2022 08:57:09 -
@@ -36,7 +36,6 @@ inet_valid_host(u_int32_t naddr)
 addr = ntohl(naddr);
 
 return (!(IN_MULTICAST(addr) ||
- IN_BADCLASS (addr) ||
  (addr & 0xff00) == 0));
 }
 
@@ -83,7 +82,7 @@ inet_valid_subnet(u_int32_t nsubnet, u_i
(subnet & 0xff00) == 0x7f00 ||
(subnet & 0xff00) == 0x) return (FALSE);
 }
-else if (IN_CLASSD(subnet) || IN_BADCLASS(subnet)) {
+else if (IN_CLASSD(subnet)) {
/* Above Class C address space */
return (FALSE);
 }
Index: usr.sbin/ospfd/kroute.c
===
RCS file: /cvs/src/usr.sbin/ospfd/kroute.c,v
retrieving revision 1.114
diff -u -p -r1.114 kroute.c
--- usr.sbin/ospfd/kroute.c 20 Aug 2020 03:09:28 -  1.114
+++ usr.sbin/ospfd/kroute.c 5 May 2022 08:54:30 -
@@ -565,12 +565,11 @@ kr_redist_eval(struct kroute *kr, struct
goto dont_redistribute;
 
/*
-* We consider the loopback net, multicast and experimental addresses
+* We consider the

Re: allow 240/4 in various network daemons

2022-05-05 Thread Stuart Henderson 
On 2022/05/05 15:28, Jeroen Massar wrote:
> Though they did it with 1.0.0.0/8 (though that is just a huge network 
> telescope).

No this still does not work reliably

Re: allow 240/4 in various network daemons

2022-05-05 Thread Theo de Raadt 
It is like you are trying to predict the next 20 years, but I'm sorry
I find it too confusing.

Jeroen Massar  wrote:

> > On 5 May 2022, at 15:36, Theo de Raadt  wrote:
> > 
> > Jeroen Massar  wrote:
> > 
> >> I thus mostly see these odd prefixes (0/8, 127/8, 240/4) as extra RFC1918 
> >> space
> >> for those who do want to deploy more IPv4 as they can't be arsed after 
> >> almost
> >> 30 years to finally do this IPv6 thing...
> > 
> > But that's the dangerous part.
> > 
> > If the operating systems suddenly allow use of this space for anything, and
> 
> While security sensitive admins will too, there are way too many hosts that 
> have uptimes of several years and that will never be upgraded.
> Rolling out such a change so that it is going to matter will be even slower 
> than an IPv6 rollout... decades.
> 
> There are still stats out there which show how much ancient Android, or even 
> bare normal Linux is out there, and not forget about all the Windows boxes.
> 
> Globally using these magic prefixes will thus become magic; operations teams 
> will never accept that debugging challenge, they have other things to do (in 
> the large corps: delivering ads, and those have to be delivered for sure, 
> hence why we have HTTPS everywhere now).
> These magic prefixes don't have the properties of delivering ads, thus very 
> unlikely those types will use them for that (global routing).
> 
> > everyone considers these address blocks new free-for-all new rfc1918 space,
> > THEN the result will be that these spaces can never be globally announced 
> > later.
> 
> IMHO they should not be, folks should be moving to IPv6 for global addresses.
> 
> If the powers that be decide that it is "globally unique routeable space", 
> then I wish folks a lot of lot with debugging that.
> 
> > You are suggesting facts on the ground should be allowed to beat the
> > establishment of a policy.
> 
> In case a policy is needed first, then one would have to wait for patching 
> too ;)
> 
> 
> As an avid IPv6 user, IPv4 is only as compatibility on the edge for me, these
> changes thus do not directly affect me (till the moment somebody wants to use 
> it globally and start breaking things).
> 
> Greets,
>  Jeroen
> 
>

Re: allow 240/4 in various network daemons

2022-05-05 Thread Theo de Raadt 
Jeroen Massar  wrote:

> I thus mostly see these odd prefixes (0/8, 127/8, 240/4) as extra RFC1918 
> space
> for those who do want to deploy more IPv4 as they can't be arsed after almost
> 30 years to finally do this IPv6 thing...

But that's the dangerous part.

If the operating systems suddenly allow use of this space for anything, and
everyone considers these address blocks new free-for-all new rfc1918 space,
THEN the result will be that these spaces can never be globally announced later.

You are suggesting facts on the ground should be allowed to beat the
establishment of a policy.

Re: allow 240/4 in various network daemons

2022-05-05 Thread Theo de Raadt 
This discussion relates to only one step of a number of potential increments.

I believe it is a bad idea to conflate all of these potential address
space recovery changes as the same singular discussion.  Not all the
decisions being made on intranets are sane.  Not all of these proposals
make sense.  Not all of these proposals make sense right away.

Instead, they should be done piecemeal, and each one should be discussed
seperately, or we will lose the way.

Some of these address space changes will NEVER be globabaly routable
because it has already been stomped on by squatters and will create
visibility issues, or maybe NEVER is a decade hence.  Other parts of
thes address space changes have the potential for becoming globally
routed.  It is important to be careful and not just turn it into a free-for-all
where people will make further bad decisions.

Jeroen Massar  wrote:

> Hi Claudio,
> 
> Why not update the BADCLASS check?
> Though likely for IPv4 it will reduce to 0 items at one point and then can be 
> eliminated indeed.
> 
> 
> Note that there are checks for loopback (127.0.0.0/8), there are a bunch of 
> organisations that started using everything but 127.0.0.0/24 (thus 127.0.0.1 
> specifically) in their internal networks, routed, just like a normal prefix; 
> as that gives one kinda easily a whole /8 minus one /24.
> Same for 0.0.0.0/8, there are orgs that instead of finally upgrading to IPv6 
> just started using that, next to 240/8 and whatever they could find.
> 
> Greets,
>  Jeroen
>

allow 240/4 in various network daemons

2022-05-05 Thread Claudio Jeker 
So most routing daemons and other network daemons like pppd do not allow
240/4 as IPs because they check the IP against IN_BADCLASS().
I think it is time to remove this restriction.

Now there is another magical network 0.0.0.0/8 which is not allowed in
some but not all of the routing daemons. Not sure if that should be
removed or blocked in all daemons.

-- 
:wq Claudio

Index: usr.sbin/bgpd/kroute.c
===
RCS file: /cvs/src/usr.sbin/bgpd/kroute.c,v
retrieving revision 1.244
diff -u -p -r1.244 kroute.c
--- usr.sbin/bgpd/kroute.c  8 Mar 2022 12:58:57 -   1.244
+++ usr.sbin/bgpd/kroute.c  5 May 2022 08:48:27 -
@@ -1448,12 +1448,11 @@ kr_redistribute(int type, struct ktable 
return;
 
/*
-* We consider the loopback net, multicast and experimental addresses
+* We consider the loopback net and multicast addresses
 * as not redistributable.
 */
a = ntohl(kr->prefix.s_addr);
-   if (IN_MULTICAST(a) || IN_BADCLASS(a) ||
-   (a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
+   if (IN_MULTICAST(a) || (a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
return;
 
/* Check if the nexthop is the loopback addr. */
Index: usr.sbin/bgpd/rde.c
===
RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v
retrieving revision 1.544
diff -u -p -r1.544 rde.c
--- usr.sbin/bgpd/rde.c 22 Mar 2022 10:53:08 -  1.544
+++ usr.sbin/bgpd/rde.c 5 May 2022 08:48:49 -
@@ -1790,10 +1790,10 @@ bad_flags:
UPD_READ(_addr, p, plen, 4);
/*
 * Check if the nexthop is a valid IP address. We consider
-* multicast and experimental addresses as invalid.
+* multicast addresses as invalid.
 */
tmp32 = ntohl(nexthop.v4.s_addr);
-   if (IN_MULTICAST(tmp32) || IN_BADCLASS(tmp32)) {
+   if (IN_MULTICAST(tmp32)) {
rde_update_err(peer, ERR_UPDATE, ERR_UPD_NEXTHOP,
op, len);
return (-1);
Index: usr.sbin/eigrpd/util.c
===
RCS file: /cvs/src/usr.sbin/eigrpd/util.c,v
retrieving revision 1.10
diff -u -p -r1.10 util.c
--- usr.sbin/eigrpd/util.c  7 Dec 2018 08:40:54 -   1.10
+++ usr.sbin/eigrpd/util.c  5 May 2022 08:53:31 -
@@ -224,7 +224,7 @@ bad_addr_v4(struct in_addr addr)
 
if (((a >> IN_CLASSA_NSHIFT) == 0) ||
((a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) ||
-   IN_MULTICAST(a) || IN_BADCLASS(a))
+   IN_MULTICAST(a))
return (1);
 
return (0);
Index: usr.sbin/ldpd/util.c
===
RCS file: /cvs/src/usr.sbin/ldpd/util.c,v
retrieving revision 1.5
diff -u -p -r1.5 util.c
--- usr.sbin/ldpd/util.c7 Dec 2018 08:40:54 -   1.5
+++ usr.sbin/ldpd/util.c5 May 2022 08:54:03 -
@@ -223,7 +223,7 @@ bad_addr_v4(struct in_addr addr)
 
if (((a >> IN_CLASSA_NSHIFT) == 0) ||
((a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) ||
-   IN_MULTICAST(a) || IN_BADCLASS(a))
+   IN_MULTICAST(a))
return (1);
 
return (0);
Index: usr.sbin/mrouted/inet.c
===
RCS file: /cvs/src/usr.sbin/mrouted/inet.c,v
retrieving revision 1.6
diff -u -p -r1.6 inet.c
--- usr.sbin/mrouted/inet.c 21 Apr 2013 06:42:43 -  1.6
+++ usr.sbin/mrouted/inet.c 5 May 2022 08:57:09 -
@@ -36,7 +36,6 @@ inet_valid_host(u_int32_t naddr)
 addr = ntohl(naddr);
 
 return (!(IN_MULTICAST(addr) ||
- IN_BADCLASS (addr) ||
  (addr & 0xff00) == 0));
 }
 
@@ -83,7 +82,7 @@ inet_valid_subnet(u_int32_t nsubnet, u_i
(subnet & 0xff00) == 0x7f00 ||
(subnet & 0xff00) == 0x) return (FALSE);
 }
-else if (IN_CLASSD(subnet) || IN_BADCLASS(subnet)) {
+else if (IN_CLASSD(subnet)) {
/* Above Class C address space */
return (FALSE);
 }
Index: usr.sbin/ospfd/kroute.c
===
RCS file: /cvs/src/usr.sbin/ospfd/kroute.c,v
retrieving revision 1.114
diff -u -p -r1.114 kroute.c
--- usr.sbin/ospfd/kroute.c 20 Aug 2020 03:09:28 -  1.114
+++ usr.sbin/ospfd/kroute.c 5 May 2022 08:54:30 -
@@ -565,12 +565,11 @@ kr_redist_eval(struct kroute *kr, struct
goto dont_redistribute;
 
/*
-* We consider the loopback net, multicast and experimental addresses
+* We consider the loopback net and multicast addresses
 * as not redistributable.
 */
a = ntohl(kr->prefix.s_addr);
-   if (IN_MULTICAST(a) || IN_BADCLASS(a) ||
-