* [RFC] IPv6: don't forward unspecified frames
From: Stephen Hemminger @ 2010-02-23 1:31 UTC (permalink / raw)
To: David Miller; +Cc: netdev
This showed up during UNH IPv6 conformance tests. It appears kernel
incorrectly forwards packets with unspecified source address.
This looks like the place to fix this, but still not sure and have
no easy way to test it since ping6 won't send packet with unspecified
source address.
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
--- a/net/ipv6/ip6_output.c 2010-02-19 15:05:51.332330381 -0800
+++ b/net/ipv6/ip6_output.c 2010-02-19 15:10:28.400092910 -0800
@@ -436,6 +436,17 @@ int ip6_forward(struct sk_buff *skb)
}
/*
+ * RFC4291 2.5.2
+ *
+ * An IPv6 packet with a source address of unspecified
+ * must never be forwarded by an IPv6 router.
+ */
+ if (ipv6_addr_any(&hdr->saddr)) {
+ IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTDISCARDS);
+ goto drop;
+ }
+
+ /*
* check and decrement ttl
*/
if (hdr->hop_limit <= 1) {
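Review bot: the added block counts the drop under IPSTATS_MIB_OUTDISCARDS, although the packet is rejected for its source address rather than for an output-side condition; an address-error counter such as IPSTATS_MIB_INADDRERRORS would describe the event better. Since the description says the change has not been tested, please also confirm on the target tree that no later check in ip6_forward() already rejects an unspecified hdr->saddr, so the test is not duplicated.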
* Re: [RFC] IPv6: don't forward unspecified frames
From: Shan Wei @ 2010-02-23 5:11 UTC (permalink / raw)
To: Stephen Hemminger; +Cc: David Miller, netdev
Stephen Hemminger wrote, at 02/23/2010 09:31 AM:
> This showed up during UNH IPv6 conformance tests. It appears kernel
> incorrectly forwards packets with unspecified source address.
Which case? Is it about spec.p2#18 of IPv6 Ready Logo Phase 2?
I don't see the phenomenon from spec.p2#18 case.
> This looks like the place to fix this, but still not sure and have
> no easy way to test it since ping6 won't send packet with unspecified
> source address.
>
> Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Kernel is coincident with the spec, see following commit.
commit f81b2e7d8cf8c6a52b7a5224c3b89cee5aeb6811
Author: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Date: Wed Jun 25 16:55:26 2008 +0900
ipv6: Do not forward packets with the unspecified source address.
RFC4291 2.5.2.
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index fd7cd1b..871bdec 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -498,7 +498,8 @@ int ip6_forward(struct sk_buff *skb)
int addrtype = ipv6_addr_type(&hdr->saddr);
/* This check is security critical. */
- if (addrtype & (IPV6_ADDR_MULTICAST|IPV6_ADDR_LOOPBACK))
+ if (addrtype == IPV6_ADDR_ANY ||
+ addrtype & (IPV6_ADDR_MULTICAST | IPV6_ADDR_LOOPBACK))
goto error;
if (addrtype & IPV6_ADDR_LINKLOCAL) {
icmpv6_send(skb, ICMPV6_DEST_UNREACH,
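Review bot: the condition on the two added lines mixes `==` with an unparenthesised `&` term; precedence makes it evaluate as intended, but writing `(addrtype & (IPV6_ADDR_MULTICAST | IPV6_ADDR_LOOPBACK))` would make that obvious to the reader. The comment above it says only "This check is security critical"; carrying the RFC4291 2.5.2 reference from the commit message into that comment would record why the unspecified case belongs in this test.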
--
Best Regards
-----
Shan Wei
* Re: [RFC] IPv6: don't forward unspecified frames
From: Stephen Hemminger @ 2010-02-23 16:46 UTC (permalink / raw)
To: Shan Wei; +Cc: David Miller, netdev
On Tue, 23 Feb 2010 13:11:33 +0800
Shan Wei <shanwei@cn.fujitsu.com> wrote:
> Stephen Hemminger wrote, at 02/23/2010 09:31 AM:
> > This showed up during UNH IPv6 conformance tests. It appears kernel
> > incorrectly forwards packets with unspecified source address.
>
> Which case? Is it about spec.p2#18 of IPv6 Ready Logo Phase 2?
> I don't see the phenomenon from spec.p2#18 case.
The kernel is 2.6.31 and it has that code section in ip6_forward.
I am in the process of trying to reproduce the result.
The test case in question is V6LC.1.1.10C
IP Forwarding – Source and Destination Address – Intermediate Node (Routers Only)
Purpose: Verify that a node properly forwards the ICMPv6 Echo Requests.
Comments on Test Procedure
A. Request sent to Global Unicast address: TN2 transmits an ICMPv6 Echo Request to TN1’s Global unicast address with a first hop through the RUT. The source address is TN2’s Global address.
B. Request sent to Global Unicast address (prefix end in zero-valued fields): TN2 transmits an ICMPv6 Echo Request to TN1’s Global unicast address (prefix 8000:0000::/64) with a first hop through the RUT. The source address is TN2’s Global address.
>>> C. Request sent from unspecified address: TN2 transmits an ICMPv6 Echo Request to TN1 with a first hop through the RUT. The source address is the unspecified address (0:0:0:0:0:0:0:0).
D. Request sent to Loopback address: TN2 transmits an ICMPv6 Echo Request to the Loopback address (0:0:0:0:0:0:0:1) with a first hop through the RUT. The source address is TN2’s Global address.
E. Request sent from Link Local address: TN2 transmits an ICMPv6 Echo Request to TN1 with a first hop through the RUT. The source address is TN2’s Link Local address.
F. Request sent to Link Local address: TN2 transmits an ICMPv6 Echo Request to TN1’s Link Local address with a first hop through the RUT. The source address is TN2’s Global address.
G. Request sent to Site-Local address: TN2 transmits an ICMPv6 Echo Request to TN1’s Site-local address with a first hop through the RUT. The source address is TN2’s Global address.
H. Request sent to Global Scope multicast address: Configure multicast routing on the RUT. TN1 is a Listener for the multicast group FF1E::1:2. TN2 transmits an ICMPv6 Echo Request to TN1’s Global Scope multicast address (FF1E::1:2) with a first hop through the RUT. The source address is TN2’s Global address.
I. Request sent to Link-local Scope multicast address: Configure multicast routing on the RUT. TN1 is a Listener for the multicast group FF12::1:2. TN2 transmits an ICMPv6 Echo Request to TN1’s Link-Local Scope multicast address (FF12::1:2) with a first hop through the RUT. The source address is TN2’s Global address.
J. Request sent to Multicast address (Reserved Value = 0): Configure multicast routing on the RUT. TN1 is a Listener for the multicast group FF10::1:2. TN2 transmits an ICMPv6 Echo Request to multicast address with a reserved field set to zero (FF10::1:2) with a first hop through the RUT. The source address is TN2’s Global address.
K. Request sent to Multicast address (Reserved Value = F): Configure multicast routing on the RUT. TN1 is a Listener for the multicast group FF1F::1:2. TN2 transmits an ICMPv6 Echo Request to TN1 multicast address with a reserved field set to zero (FF1F::1:2) with a first hop through the RUT. The source address is TN2’s Global address.
Comments on Test Results
A. The RUT must forward the Echo Request from TN2 to TN1 with a first hop through the TR1.
B. The RUT must forward the Echo Request from TN2 to TN1 with a first hop through the TR1.
>>>C. The RUT forwarded the Echo Request from TN2.
According to RFC 4291 Section 2.5.2: “An IPv6 packet with a source address of unspecified must never be forwarded by an IPv6 router.”
Therefore the RUT should not have forwarded the Echo Request from TN2.
D. The RUT must not forward the Echo Request from TN2.
E. The RUT must not forward the Echo Request from TN2.
F. The RUT must not forward the Echo Request from TN2.
G. The RUT must forward the Echo Request from TN2 to TR1.
H. The RUT must forward the Echo Request from TN2 to TN1 with a first hop through TR1.
I. The RUT must not forward the Echo Request from TN2.
J. The RUT must not forward the Echo Request from TN2.
K. The RUT must forward the Echo Request from TN2 to TN1 with a first hop through the RUT.
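The forwarding decisions listed for V6LC.1.1.10 parts A to K can be modelled in user space. The following is an added example, not kernel code and not part of the original thread; the function name `forward_verdict`, the verdict enum and the 2001:db8:: test addresses are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>

enum verdict { BAD_INPUT = -1, FORWARD = 0, DROP_SRC = 1, DROP_DST = 2 };

/* User-space model of a router's address screening before forwarding. */
enum verdict forward_verdict(const char *src_txt, const char *dst_txt)
{
    struct in6_addr src, dst;

    if (inet_pton(AF_INET6, src_txt, &src) != 1 ||
        inet_pton(AF_INET6, dst_txt, &dst) != 1)
        return BAD_INPUT;

    /* Part C: RFC 4291 2.5.2, unspecified source is never forwarded. */
    if (IN6_IS_ADDR_UNSPECIFIED(&src))
        return DROP_SRC;
    /* Multicast and loopback sources, as in the quoted ip6_forward() check. */
    if (IN6_IS_ADDR_MULTICAST(&src) || IN6_IS_ADDR_LOOPBACK(&src))
        return DROP_SRC;
    /* Part E: a link-local source must not leave its link. */
    if (IN6_IS_ADDR_LINKLOCAL(&src))
        return DROP_SRC;
    /* Parts D and F: loopback, unspecified or link-local destination. */
    if (IN6_IS_ADDR_LOOPBACK(&dst) || IN6_IS_ADDR_UNSPECIFIED(&dst) ||
        IN6_IS_ADDR_LINKLOCAL(&dst))
        return DROP_DST;
    /* Parts I and J: multicast scope is the low nibble of the second byte;
     * scopes 0 (reserved), 1 (interface-local), 2 (link-local) stay local. */
    if (IN6_IS_ADDR_MULTICAST(&dst) && (dst.s6_addr[1] & 0x0f) <= 2)
        return DROP_DST;
    return FORWARD;
}

int main(void)
{
    /* Constructed addresses: TN2 = 2001:db8:2::2, TN1 = 2001:db8:1::1. */
    static const char *cases[][3] = {
        { "A", "2001:db8:2::2", "2001:db8:1::1" },
        { "C", "::",            "2001:db8:1::1" },
        { "D", "2001:db8:2::2", "::1" },
        { "E", "fe80::2",       "2001:db8:1::1" },
        { "I", "2001:db8:2::2", "ff12::1:2" },
        { "K", "2001:db8:2::2", "ff1f::1:2" },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("part %s: verdict %d\n", cases[i][0],
               forward_verdict(cases[i][1], cases[i][2]));
    return 0;
}
```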
* Re: [RFC] IPv6: don't forward unspecified frames
From: Stephen Hemminger @ 2010-02-23 18:50 UTC (permalink / raw)
To: Shan Wei; +Cc: David Miller, netdev
On Tue, 23 Feb 2010 13:11:33 +0800
Shan Wei <shanwei@cn.fujitsu.com> wrote:
> Stephen Hemminger wrote, at 02/23/2010 09:31 AM:
> > This showed up during UNH IPv6 conformance tests. It appears kernel
> > incorrectly forwards packets with unspecified source address.
>
> Which case? Is it about spec.p2#18 of IPv6 Ready Logo Phase 2?
> I don't see the phenomenon from spec.p2#18 case.
>
> > This looks like the place to fix this, but still not sure and have
> > no easy way to test it since ping6 won't send packet with unspecified
> > source address.
> >
> > Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
>
> Kernel is coincident with the spec, see following commit.
>
Never mind.
I could not reproduce the problem, with a program that sends
ICMPV6 echo through AF_PACKET.
UNH reran the test, and the kernel is fine.
Looks like a tester problem.