Remove net.inet6.ip6.use_deprecated knob.
There is no good reason to deviate from the default, which is to use
deprecated addresses. Furthermore, it confused netinet/tcp_input.c, which
followed an older RFC. RFC 4862 5.5.4 says:
IP and higher layers (e.g., TCP, UDP) MUST continue to accept and
process datagrams destined to a deprecated address as normal since a
deprecated address is still a valid address for the interface.
As for the knob itself:
An implementation MAY prevent any new communication from using a
deprecated address, but system management MUST have the ability to
disable such a facility, and the facility MUST be disabled by
default.
OK?
diff --git lib/libc/sys/sysctl.2 lib/libc/sys/sysctl.2
index ef16ab52ab3..bd31f3aa0f4 100644
--- lib/libc/sys/sysctl.2
+++ lib/libc/sys/sysctl.2
@@ -1859,7 +1859,6 @@ The currently defined protocols and names are:
.It ip6 Ta multipath Ta integer Ta yes
.It ip6 Ta neighborgcthresh Ta integer Ta yes
.It ip6 Ta redirect Ta integer Ta yes
-.It ip6 Ta use_deprecated Ta integer Ta yes
.El
.Pp
The variables are as follows:
@@ -2028,10 +2027,6 @@ The default value is 2048.
Returns 1 when ICMPv6 redirects may be sent by the node.
This option is ignored unless the node is routing IP packets,
and should normally be enabled on all systems.
-.Pp
-.It Li ip6.use_deprecated Pq Va net.inet6.ip6.use_deprecated
-This variable controls the use of deprecated addresses, specified in
-RFC 4862 5.5.4.
.El
.Pp
We reuse
diff --git sys/netinet/tcp_input.c sys/netinet/tcp_input.c
index 3bdd57208d1..bd61054df4b 100644
--- sys/netinet/tcp_input.c
+++ sys/netinet/tcp_input.c
@@ -817,60 +817,6 @@ findpcb:
/*
* Received a SYN.
*/
-#ifdef INET6
- /*
- * If deprecated address is forbidden, we do
- * not accept SYN to deprecated interface
- * address to prevent any new inbound
- * connection from getting established.
- * When we do not accept SYN, we send a TCP
- * RST, with deprecated source address (instead
- * of dropping it). We compromise it as it is
- * much better for peer to send a RST, and
- * RST will be the final packet for the
- * exchange.
- *
- * If we do not forbid deprecated addresses, we
- * accept the SYN packet. RFC2462 does not
- * suggest dropping SYN in this case.
- * If we decipher RFC2462 5.5.4, it says like
- * this:
- * 1. use of deprecated addr with existing
- * communication is okay - "SHOULD continue
- * to be used"
- * 2. use of it with new communication:
- * (2a) "SHOULD NOT be used if alternate
- * address with sufficient scope is
- * available"
- * (2b) nothing mentioned otherwise.
- * Here we fall into (2b) case as we have no
- * choice in our source address selection - we
- * must obey the peer.
- *
- * The wording in RFC2462 is confusing, and
- * there are multiple description text for
- * deprecated address handling - worse, they
- * are not exactly the same. I believe 5.5.4
- * is the best one, so we follow 5.5.4.
- */
- if (ip6 &&
- !atomic_load_int(&ip6_use_deprecated)) {
- struct in6_ifaddr *ia6;
- struct ifnet *ifp =
- if_get(m->m_pkthdr.ph_ifidx);
-
- if (ifp &&
- (ia6 = in6ifa_ifpwithaddr(ifp,
- &ip6->ip6_dst)) &&
- (ia6->ia6_flags &
- IN6_IFF_DEPRECATED)) {
- tp = NULL;
- if_put(ifp);
- goto dropwithreset;
- }
- if_put(ifp);
- }
-#endif
/*
* LISTEN socket received a SYN
diff --git sys/netinet6/in6.c sys/netinet6/in6.c
index a0d272e93a8..f1b435a53cd 100644
--- sys/netinet6/in6.c
+++ sys/netinet6/in6.c
@@ -1423,13 +1423,6 @@ in6_ifawithscope(struct ifnet *oifp, const struct in6_addr *dst, u_int rdomain,
/* Rule 3: Avoid deprecated addresses. */
if (ifatoia6(ifa)->ia6_flags & IN6_IFF_DEPRECATED) {
- /*
- * Ignore any deprecated addresses if
- * specified by configuration.
- */
- if (!atomic_load_int(&ip6_use_deprecated))
- continue;
-
/*
* If we have already found a non-deprecated
* candidate, just ignore deprecated addresses.
diff --git sys/netinet6/in6.h sys/netinet6/in6.h
index e9a853262d9..b3b7c28fc04 100644
--- sys/netinet6/in6.h
+++ sys/netinet6/in6.h
@@ -584,7 +584,6 @@ ifatoia6(struct ifaddr *ifa)
#define IPV6CTL_DAD_COUNT 16
#define IPV6CTL_AUTO_FLOWLABEL 17
#define IPV6CTL_DEFMCASTHLIM 18
-#define IPV6CTL_USE_DEPRECATED 21 /* use deprecated addr (RFC2462 5.5.4) */
/* 24 to 40: reserved */
#define IPV6CTL_MAXFRAGS 41 /* max fragments */
#define IPV6CTL_MFORWARDING 42
@@ -624,7 +623,7 @@ ifatoia6(struct ifaddr *ifa)
{ "defmcasthlim", CTLTYPE_INT }, \
{ 0, 0 }, \
{ 0, 0 }, \
- { "use_deprecated", CTLTYPE_INT }, \
+ { 0, 0 }, \
{ 0, 0 }, \
{ 0, 0 }, \
{ 0, 0 }, \
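Review bot: Nothing in the header records that MIB number 21 is retired once this slot becomes `{ 0, 0 }` and the `IPV6CTL_USE_DEPRECATED` define is dropped in the hunk above, so a later change could reuse 21 with a different meaning while older userland may still pass it. A short marker such as `/* 21: was IPV6CTL_USE_DEPRECATED, retired */` next to the existing `/* 24 to 40: reserved */` comment would document that. Hosts that had set `net.inet6.ip6.use_deprecated=0` will presumably see the name stop resolving. They also lose the SYN rejection for deprecated destination addresses that this patch removes from tcp_input.c, which is worth stating in the commit message or upgrade notes. The names table starts and ends outside this hunk.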
diff --git sys/netinet6/in6_proto.c sys/netinet6/in6_proto.c
index 08ce551c1fa..cf78a56d460 100644
--- sys/netinet6/in6_proto.c
+++ sys/netinet6/in6_proto.c
@@ -362,7 +362,6 @@ int ip6_hdrnestlimit = 10; /* [a] appropriate? */
int ip6_dad_count = 1; /* [a] DupAddrDetectionTransmits */
int ip6_dad_pending; /* number of currently running DADs */
int ip6_auto_flowlabel = 1; /* [a] */
-int ip6_use_deprecated = 1; /* [a] allow deprecated addr (RFC2462 5.5.4) */
int ip6_mcast_pmtu = 0; /* [a] enable pMTU discovery for multicast? */
int ip6_neighborgcthresh = 2048; /* [a] Threshold # of NDP entries for GC */
int ip6_maxdynroutes = 4096; /* [a] Max # of routes created via redirect */
diff --git sys/netinet6/ip6_input.c sys/netinet6/ip6_input.c
index 92a8d3e4cba..f7d89316c8d 100644
--- sys/netinet6/ip6_input.c
+++ sys/netinet6/ip6_input.c
@@ -1452,7 +1452,6 @@ const struct sysctl_bounded_args ipv6ctl_vars[] = {
{ IPV6CTL_DAD_COUNT, &ip6_dad_count, 0, 10 },
{ IPV6CTL_AUTO_FLOWLABEL, &ip6_auto_flowlabel, 0, 1 },
{ IPV6CTL_DEFMCASTHLIM, &ip6_defmcasthlim, 0, 255 },
- { IPV6CTL_USE_DEPRECATED, &ip6_use_deprecated, 0, 1 },
{ IPV6CTL_MAXFRAGS, &ip6_maxfrags, 0, 1000 },
{ IPV6CTL_MFORWARDING, &ip6_mforwarding, 0, 1 },
{ IPV6CTL_MCAST_PMTU, &ip6_mcast_pmtu, 0, 1 },
diff --git sys/netinet6/ip6_var.h sys/netinet6/ip6_var.h
index a885afcd0c0..aff1126c9ee 100644
--- sys/netinet6/ip6_var.h
+++ sys/netinet6/ip6_var.h
@@ -281,7 +281,6 @@ extern int ip6_forwarding; /* act as router? */
extern int ip6_mforwarding; /* act as multicast router? */
extern int ip6_multipath; /* use multipath routes */
extern int ip6_sendredirect; /* send ICMPv6 redirect? */
-extern int ip6_use_deprecated; /* allow deprecated addr as source */
extern int ip6_mcast_pmtu; /* path MTU discovery for multicast */
extern int ip6_neighborgcthresh; /* Threshold # of NDP entries for GC */
extern int ip6_maxdynroutes; /* Max # of routes created via redirect */
--
In my defence, I have been left unsupervised.