drop packet with strange outer IPv4 address.

kame/kame/man/man4/stf.4

@@ -1,4 +1,4 @@
-.\"     $KAME: stf.4,v 1.13 2000/03/12 13:03:17 itojun Exp $
+.\"     $KAME: stf.4,v 1.14 2000/03/12 17:23:08 itojun Exp $
 .\"
 .\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 .\" All rights reserved.
@@ -109,37 +109,35 @@ To prevent possible DoS attacks,
 interface filters out the following packets:
 .Bl -bullet
 .It
-Packets with IPv4 multicast address
-as outer destination
+Packets with IPv4 multicast address as outer IPv4 source/destination
 .Pq Li 224.0.0.0/4
 .It
-Packets with 6to4 address based on IPv4 multicast address, as inner destination/source
-.Pq Li 2002:e000::/24
+Packets with IPv4 unspecified addrss as outer IPv4 source/destination
+.Pq Li 0.0.0.0/32
 .It
-Packets with 6to4 address based on 0.0.0.0, as inner destination/source
-.Pq Li 2002:0000:0000::/48
+Packets with limited broadcast address as outer IPv4 source/destination
+.Pq Li 255.255.255.255/32
 .It
-Packets with 6to4 address based on 255.255.255.255,
-as inner destination/source
-.Pq Li 2002:ffff:ffff::/48
+Packets with subnet broadcast address as outer IPv4 source/destination.
+The check is made against subnet broadcast addresses for
+all of the directly connected subnets.
 .It
-Packets with 6to4 address based on subnet broadcast address,
-as inner destination/source
-.It
-Packets with 6to4 address as inner source,
-when the inner source does not match the IPv4 topology.
+Packets with outer IPv4 source address that does not match the IPv4 topology.
 IPv4 routing table will be queried against inner source.
 If the incoming interface for the packet does not match the IPv4 outgoing
 interface for the IPv4 address derived from the inner source,
 packet will be dropped
 .Pq similar to ingress filters .
+.It
+The same set of rules are appplied to inner IPv6 address,
+if 6to4 addresses are used.
 .El
 .Pp
 You may also want to reject encapsulated IPv6 packets with
 suspicious 6to4 addresses, like
 .Li 2002:7f00::/24.
-You may also want to check inner IPv6 address and outer IPv4 address,
-to make sure they look sane with the topology of your network.
+You may also want to check if inner IPv6 address and outer IPv4 address
+make sense, based on local network topology,
 .\"
 .Sh EXAMPLES
 Note that

kame/sys/net/if_stf.c

@@ -1,4 +1,4 @@
-/*	$KAME: if_stf.c,v 1.22 2000/03/12 12:49:28 itojun Exp $	*/
+/*	$KAME: if_stf.c,v 1.23 2000/03/12 17:23:08 itojun Exp $	*/
 
 /*
  * Copyright (C) 2000 WIDE Project.
@@ -166,7 +166,8 @@ static int stf_encapcheck __P((const struct mbuf *, int, int, void *));
 static struct in6_ifaddr *stf_getsrcifa6 __P((struct ifnet *));
 static int stf_output __P((struct ifnet *, struct mbuf *, struct sockaddr *,
 	struct rtentry *));
-static int stf_checkinner __P((struct in6_addr *in6, struct ifnet *));
+static int stf_checkaddr4 __P((struct in_addr *, struct ifnet *));
+static int stf_checkaddr6 __P((struct in6_addr *, struct ifnet *));
 #if defined(__bsdi__) && _BSDI_VERSION >= 199802
 static void stf_rtrequest __P((int, struct rtentry *, struct rt_addrinfo *));
 #else
@@ -427,30 +428,23 @@ stf_output(ifp, m, dst, rt)
 }
 
 static int
-stf_checkinner(in6, ifp)
-	struct in6_addr *in6;
+stf_checkaddr4(in, ifp)
+	struct in_addr *in;
 	struct ifnet *ifp;	/* incoming interface */
 {
-	struct in_addr *in;
 	struct in_ifaddr *ia4;
 
-	/* for now, we only check 6to4 addresses */
-	if (!IN6_IS_ADDR_6TO4(in6))
-		return 0;
-
-	in = GET_V4(in6);
-
 	/*
 	 * reject packets with the following address:
-	 * 6to4(multicast) 6to4(0.0.0.0) 6to4(255.255.255.255)
+	 * 224.0.0.0/4 0.0.0.0/32 255.255.255.255/32
 	 */
 	if (IN_MULTICAST(in->s_addr) || in->s_addr == INADDR_ANY ||
 	    in->s_addr == INADDR_BROADCAST) {
 		return -1;
 	}
 
 	/*
-	 * reject packets with 6to4(broadcast)
+	 * reject packets with broadcast
 	 */
 #if defined(__OpenBSD__) || defined(__NetBSD__)
 	for (ia4 = in_ifaddr.tqh_first; ia4; ia4 = ia4->ia_list.tqe_next)
@@ -491,6 +485,18 @@ stf_checkinner(in6, ifp)
 	return 0;
 }
 
+static int
+stf_checkaddr6(in6, ifp)
+	struct in6_addr *in6;
+	struct ifnet *ifp;	/* incoming interface */
+{
+	/* for now, we only check 6to4 addresses */
+	if (!IN6_IS_ADDR_6TO4(in6))
+		return 0;
+
+	return stf_checkaddr4(GET_V4(in6), ifp);
+}
+
 void
 #if __STDC__
 in_stf_input(struct mbuf *m, ...)
@@ -530,8 +536,12 @@ in_stf_input(m, va_alist)
 
 	ifp = &sc->sc_if;
 
-	/* reject packets with multicast outer destination */
-	if (IN_MULTICAST(ip->ip_dst.s_addr)) {
+	/*
+	 * perform sanity check against outer src/dst.
+	 * for source, perform ingress filter as well.
+	 */
+	if (stf_checkaddr4(&ip->ip_dst, NULL) < 0 ||
+	    stf_checkaddr4(&ip->ip_src, m->m_pkthdr.rcvif) < 0) {
 		m_freem(m);
 		return;
 	}
@@ -550,8 +560,8 @@ in_stf_input(m, va_alist)
 	 * perform sanity check against inner src/dst.
 	 * for source, perform ingress filter as well.
 	 */
-	if (stf_checkinner(&ip6->ip6_dst, NULL) < 0 ||
-	    stf_checkinner(&ip6->ip6_src, m->m_pkthdr.rcvif) < 0) {
+	if (stf_checkaddr6(&ip6->ip6_dst, NULL) < 0 ||
+	    stf_checkaddr6(&ip6->ip6_src, m->m_pkthdr.rcvif) < 0) {
 		m_freem(m);
 		return;
 	}