d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
4084e6aad2
freebsd-dev/sys/netinet6
History
Yaroslav Tykhiy a4eb4405e3 Disallow a particular kind of port theft described by the following scenario: 
Alice is too lazy to write a server application in PF-independent
	manner.  Therefore she knocks up the server using PF_INET6 only
	and allows the IPv6 socket to accept mapped IPv4 as well.  An evil
	hacker known on IRC as cheshire_cat has an account in the same
	system.  He starts a process listening on the same port as used
	by Alice's server, but in PF_INET.  As a consequence, cheshire_cat
	will distract all IPv4 traffic supposed to go to Alice's server.

Such sort of port theft was initially enabled by copying the code that
implemented the RFC 2553 semantics on IPv4/6 sockets (see inet6(4)) for
the implied case of the same owner for both connections.  After this
change, the above scenario will be impossible.  In the same setting,
the user who attempts to start his server last will get EADDRINUSE.

Of course, using IPv4 mapped to IPv6 leads to security complications
in the first place, but there is no reason to make it even more unsafe.

This change doesn't apply to KAME since it affects a FreeBSD-specific
part of the code.  It doesn't modify the out-of-box behaviour of the
TCP/IP stack either as long as mapping IPv4 to IPv6 is off by default.

MFC after:	1 month
2004-07-28 13:03:07 +00:00
..
ah6.h - correct signedness mixups. 2003-10-12 11:08:18 +00:00
ah_aesxcbcmac.c support AES XCBC MAC for AH. 2003-10-13 04:56:04 +00:00
ah_aesxcbcmac.h support AES XCBC MAC for AH. 2003-10-13 04:56:04 +00:00
ah_core.c Move the AH algorithm list from a static local function variable to 2004-03-10 04:56:54 +00:00
ah_input.c - m_cat() may free the mbuf on 2nd arg, so m_pkthdr manipulation has 2003-11-15 06:18:09 +00:00
ah_output.c - avoid hardcoded values. 2003-10-12 12:03:25 +00:00
ah.h oops, correct wrong change in previous commit. 2003-11-15 06:16:36 +00:00
dest6.c remove unused variable. 2003-10-12 15:14:33 +00:00
esp6.h
esp_aesctr.c - support AES counter mode for ESP. 2003-10-13 14:57:41 +00:00
esp_aesctr.h - support AES counter mode for ESP. 2003-10-13 14:57:41 +00:00
esp_core.c - m_cat() may free the mbuf on 2nd arg, so m_pkthdr manipulation has 2003-11-15 06:18:09 +00:00
esp_input.c - m_cat() may free the mbuf on 2nd arg, so m_pkthdr manipulation has 2003-11-15 06:18:09 +00:00
esp_output.c preparation for 64bit sequence number. 2003-11-15 05:41:41 +00:00
esp_rijndael.c cleanup rijndael API. 2003-11-11 18:58:54 +00:00
esp_rijndael.h enable aes-xcbc-mac and aes-ctr, again. 2003-11-10 10:39:14 +00:00
esp.h - support AES counter mode for ESP. 2003-10-13 14:57:41 +00:00
frag6.c add ECN support in layer-3. 2003-10-29 15:07:04 +00:00
icmp6.c Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
icmp6.h
in6_cksum.c Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
in6_gif.c add ECN support in layer-3. 2003-10-29 15:07:04 +00:00
in6_gif.h - fix typo in comments. 2003-10-08 18:26:08 +00:00
in6_ifattach.c Tweak existing header and other build infrastructure to be able to build 2004-02-26 03:53:54 +00:00
in6_ifattach.h nuku unused functions in6_nigroup_attach() and 2003-10-31 15:51:28 +00:00
in6_pcb.c Disallow a particular kind of port theft described by the following scenario: 2004-07-28 13:03:07 +00:00
in6_pcb.h Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
in6_prefix.c Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
in6_prefix.h
in6_proto.c Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
in6_rmx.c Introduce tcp_hostcache and remove the tcp specific metrics from 2003-11-20 20:07:39 +00:00
in6_src.c Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
in6_var.h Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
in6.c Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
in6.h Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
ip6_ecn.h add ECN support in layer-3. 2003-10-29 15:07:04 +00:00
ip6_forward.c - call ip6_output() instead of nd6_output() when ipsec tunnel 2004-02-19 14:57:22 +00:00
ip6_fw.c Do a pass over all modules in the kernel and make them return EOPNOTSUPP 2004-07-15 08:26:07 +00:00
ip6_fw.h Replace the if_name and if_unit members of struct ifnet with new members 2003-10-31 18:32:15 +00:00
ip6_id.c add randomtab for ip6_randomflowlabel(). 2003-10-01 21:45:57 +00:00
ip6_input.c Link ALTQ to the build and break with ABI for struct ifnet. Please recompile 2004-06-13 17:29:10 +00:00
ip6_mroute.c Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
ip6_mroute.h
ip6_output.c Fix a bug which I discovered recently while doing IPv6 testing at 2004-05-14 03:57:17 +00:00
ip6_var.h Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
ip6.h
ip6protosw.h Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
ipcomp6.h
ipcomp_core.c - fix typo in comments. 2003-10-08 18:26:08 +00:00
ipcomp_input.c - typo. found by markus@openbsd 2003-10-09 18:44:54 +00:00
ipcomp_output.c sync with the latest KAME (just a cosmetic change) 2003-04-28 08:21:57 +00:00
ipcomp.h
ipsec6.h nuke unused functions. 2004-02-16 17:02:44 +00:00
ipsec.c correct function name in comment. 2004-02-16 18:07:53 +00:00
ipsec.h nuke unused functions. 2004-02-16 17:02:44 +00:00
mld6_var.h rename MLD6_* to MLD_*. 2003-10-31 16:07:15 +00:00
mld6.c Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
nd6_nbr.c ifp has the same value as rt->rti_ifp so remove the dependency 2004-04-19 08:02:52 +00:00
nd6_rtr.c Replace Bcopy/Bzero with 'the real thing' as in the rest of the file. 2004-04-18 11:45:28 +00:00
nd6.c fix the change of interface in nd6_storelladdr for multicast 2004-04-26 20:31:46 +00:00
nd6.h use arc4random. 2003-10-31 16:06:05 +00:00
pim6_var.h
pim6.h
raw_ip6.c Commit a first pass at in6pcb and pcbinfo locking for IPv6, 2004-07-27 23:44:03 +00:00
raw_ip6.h
README
route6.c hide m_tag, again. 2003-10-29 12:49:12 +00:00
scope6_var.h - add dom_if{attach,detach} framework. 2003-10-17 15:46:31 +00:00
scope6.c protect sid_default and sid. 2003-10-22 15:13:36 +00:00
tcp6_var.h Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
udp6_output.c Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00
udp6_usrreq.c Commit a first pass at in6pcb and pcbinfo locking for IPv6, 2004-07-27 23:44:03 +00:00
udp6_var.h Remove advertising clause from University of California Regent's 2004-04-07 20:46:16 +00:00

README 

a note to committers about KAME tree
$FreeBSD$
KAME project


FreeBSD IPv6/IPsec tree is from KAMEproject (http://www.kame.net/).
To synchronize KAME tree and FreeBSD better today and in the future,
please understand the following:

- DO NOT MAKE COSTMETIC CHANGES.
  "Cosmetic changes" here includes tabify, untabify, removal of space at EOL,
  minor KNF items, and whatever adds more output lines on "diff freebsd kame".
  To make future synchronization easier. it is critical to preserve certain
  statements in the code.  Also, as KAME tree supports all 4 BSDs (Free, Open,
  Net, BSD/OS) in single shared tree, it is not always possible to backport
  FreeBSD changes into KAME tree.  So again, please do not make cosmetic
  changes.  Even if you think it a right thing, that will bite KAME guys badly
  during upgrade attempts, and prevent us from synchronizing two trees.
  (you don't usually make cosmetic changes against third-party code, do you?)

- REPORT CHANGES/BUGS TO KAME GUYS.
  It is not always possible for KAME guys to watch all the freebsd mailing
  list traffic, as the traffic is HUGE.  So if possible, please, inform
  kame guys of changes you made in IPv6/IPsec related portion.  Contact
  path would be snap-users@kame.net or KAME PR database on www.kame.net.
  (or to core@kame.net if it is necessary to make it confidential)

Thank you for your cooperation and have a happy IPv6 life!


Note: KAME-origin code is in the following locations.
The above notice applies to corresponding manpages too.
The list may not be complete.  If you see $KAME$ in the code, it is from
KAME distribution.  If you see some file that is IPv6/IPsec related, it is
highly possible that the file is from KAME distribution.

include/ifaddrs.h
lib/libc/net
lib/libc/net/getaddrinfo.c
lib/libc/net/getifaddrs.c
lib/libc/net/getnameinfo.c
lib/libc/net/ifname.c
lib/libc/net/ip6opt.c
lib/libc/net/map_v4v6.c
lib/libc/net/name6.c
lib/libftpio
lib/libipsec
sbin/ip6fw
sbin/ping6
sbin/rtsol
share/doc/IPv6
share/man/man4/ip6.4
share/man/man4/inet6.4
sys/crypto (except sys/crypto/rc4)
sys/kern/uipc_mbuf2.c
sys/net/if_faith.[ch]
sys/net/if_gif.[ch]
sys/net/if_stf.[ch]
sys/net/pfkeyv2.h
sys/netinet/icmp6.h
sys/netinet/in_gif.[ch]
sys/netinet/ip6.h
sys/netinet/ip_encap.[ch]
sys/netinet6
sys/netkey
usr.sbin/faithd
usr.sbin/gifconfig
usr.sbin/ifmcstat
usr.sbin/mld6query
usr.sbin/ndp
usr.sbin/pim6dd
usr.sbin/pim6sd
usr.sbin/prefix
usr.sbin/rip6query
usr.sbin/route6d
usr.sbin/rrenumd
usr.sbin/rtadvd
usr.sbin/rtsold
usr.sbin/scope6config
usr.sbin/setkey
usr.sbin/traceroute6