Remove net.inet6.ip6.use_deprecated knob.
On Mon, Sep 15, 2025 at 12:35:28PM +0200, Florian Obser wrote:
> There is no good reason not to use the default, which is to use deprecated
> addresses. Furthermore, the knob confused netinet/tcp_input.c, which followed
> an older RFC. RFC 4862 5.5.4 has:
>
> IP and higher layers (e.g., TCP, UDP) MUST continue to accept and
> process datagrams destined to a deprecated address as normal since a
> deprecated address is still a valid address for the interface.
>
> As for the knob itself:
> An implementation MAY prevent any new communication from using a
> deprecated address, but system management MUST have the ability to
> disable such a facility, and the facility MUST be disabled by
> default.
>
> OK?
OK bluhm@
> diff --git lib/libc/sys/sysctl.2 lib/libc/sys/sysctl.2
> index ef16ab52ab3..bd31f3aa0f4 100644
> --- lib/libc/sys/sysctl.2
> +++ lib/libc/sys/sysctl.2
> @@ -1859,7 +1859,6 @@ The currently defined protocols and names are:
> .It ip6 Ta multipath Ta integer Ta yes
> .It ip6 Ta neighborgcthresh Ta integer Ta yes
> .It ip6 Ta redirect Ta integer Ta yes
> -.It ip6 Ta use_deprecated Ta integer Ta yes
> .El
> .Pp
> The variables are as follows:
> @@ -2028,10 +2027,6 @@ The default value is 2048.
> Returns 1 when ICMPv6 redirects may be sent by the node.
> This option is ignored unless the node is routing IP packets,
> and should normally be enabled on all systems.
> -.Pp
> -.It Li ip6.use_deprecated Pq Va net.inet6.ip6.use_deprecated
> -This variable controls the use of deprecated addresses, specified in
> -RFC 4862 5.5.4.
> .El
> .Pp
> We reuse
> diff --git sys/netinet/tcp_input.c sys/netinet/tcp_input.c
> index 3bdd57208d1..bd61054df4b 100644
> --- sys/netinet/tcp_input.c
> +++ sys/netinet/tcp_input.c
> @@ -817,60 +817,6 @@ findpcb:
> /*
> * Received a SYN.
> */
> -#ifdef INET6
> - /*
> - * If deprecated address is forbidden, we do
> - * not accept SYN to deprecated interface
> - * address to prevent any new inbound
> - * connection from getting established.
> - * When we do not accept SYN, we send a TCP
> - * RST, with deprecated source address (instead
> - * of dropping it). We compromise it as it is
> - * much better for peer to send a RST, and
> - * RST will be the final packet for the
> - * exchange.
> - *
> - * If we do not forbid deprecated addresses, we
> - * accept the SYN packet. RFC2462 does not
> - * suggest dropping SYN in this case.
> - * If we decipher RFC2462 5.5.4, it says like
> - * this:
> - * 1. use of deprecated addr with existing
> - * communication is okay - "SHOULD continue
> - * to be used"
> - * 2. use of it with new communication:
> - * (2a) "SHOULD NOT be used if alternate
> - * address with sufficient scope is
> - * available"
> - * (2b) nothing mentioned otherwise.
> - * Here we fall into (2b) case as we have no
> - * choice in our source address selection - we
> - * must obey the peer.
> - *
> - * The wording in RFC2462 is confusing, and
> - * there are multiple description text for
> - * deprecated address handling - worse, they
> - * are not exactly the same. I believe 5.5.4
> - * is the best one, so we follow 5.5.4.
> - */
> - if (ip6 &&
> - !atomic_load_int(&ip6_use_deprecated)) {
> - struct in6_ifaddr *ia6;
> - struct ifnet *ifp =
> - if_get(m->m_pkthdr.ph_ifidx);
> -
> - if (ifp &&
> - (ia6 = in6ifa_ifpwithaddr(ifp,
> - &ip6->ip6_dst)) &&
> - (ia6->ia6_flags &
> - IN6_IFF_DEPRECATED)) {
> - tp = NULL;
> - if_put(ifp);
> - goto dropwithreset;
> - }
> - if_put(ifp);
> - }
> -#endif
>
> /*
> * LISTEN socket received a SYN
> diff --git sys/netinet6/in6.c sys/netinet6/in6.c
> index a0d272e93a8..f1b435a53cd 100644
> --- sys/netinet6/in6.c
> +++ sys/netinet6/in6.c
> @@ -1423,13 +1423,6 @@ in6_ifawithscope(struct ifnet *oifp, const struct in6_addr *dst, u_int rdomain,
>
> /* Rule 3: Avoid deprecated addresses. */
> if (ifatoia6(ifa)->ia6_flags & IN6_IFF_DEPRECATED) {
> - /*
> - * Ignore any deprecated addresses if
> - * specified by configuration.
> - */
> - if (!atomic_load_int(&ip6_use_deprecated))
> - continue;
> -
> /*
> * If we have already found a non-deprecated
> * candidate, just ignore deprecated addresses.
> diff --git sys/netinet6/in6.h sys/netinet6/in6.h
> index e9a853262d9..b3b7c28fc04 100644
> --- sys/netinet6/in6.h
> +++ sys/netinet6/in6.h
> @@ -584,7 +584,6 @@ ifatoia6(struct ifaddr *ifa)
> #define IPV6CTL_DAD_COUNT 16
> #define IPV6CTL_AUTO_FLOWLABEL 17
> #define IPV6CTL_DEFMCASTHLIM 18
> -#define IPV6CTL_USE_DEPRECATED 21 /* use deprecated addr (RFC2462 5.5.4) */
> /* 24 to 40: reserved */
> #define IPV6CTL_MAXFRAGS 41 /* max fragments */
> #define IPV6CTL_MFORWARDING 42
> @@ -624,7 +623,7 @@ ifatoia6(struct ifaddr *ifa)
> { "defmcasthlim", CTLTYPE_INT }, \
> { 0, 0 }, \
> { 0, 0 }, \
> - { "use_deprecated", CTLTYPE_INT }, \
> + { 0, 0 }, \
> { 0, 0 }, \
> { 0, 0 }, \
> { 0, 0 }, \
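Review bot: Slot 21 is left as a silent gap once `IPV6CTL_USE_DEPRECATED` is deleted in the first hunk of this file, with no note beside the `/* 24 to 40: reserved */` comment that it was once assigned; sysctl MIB numbers are consumed by userland binaries, so a later addition could reuse 21 and an older binary's query would then read a different variable. A short comment such as `/* 21: was IPV6CTL_USE_DEPRECATED, do not reuse */` next to the reserved-range comment would record that. Keeping the `IPV6CTL_NAMES` entry as `{ 0, 0 }` in this hunk is the right choice, since the table is indexed by MIB number and the surrounding rows must not shift.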
> diff --git sys/netinet6/in6_proto.c sys/netinet6/in6_proto.c
> index 08ce551c1fa..cf78a56d460 100644
> --- sys/netinet6/in6_proto.c
> +++ sys/netinet6/in6_proto.c
> @@ -362,7 +362,6 @@ int ip6_hdrnestlimit = 10; /* [a] appropriate? */
> int ip6_dad_count = 1; /* [a] DupAddrDetectionTransmits */
> int ip6_dad_pending; /* number of currently running DADs */
> int ip6_auto_flowlabel = 1; /* [a] */
> -int ip6_use_deprecated = 1; /* [a] allow deprecated addr (RFC2462 5.5.4) */
> int ip6_mcast_pmtu = 0; /* [a] enable pMTU discovery for multicast? */
> int ip6_neighborgcthresh = 2048; /* [a] Threshold # of NDP entries for GC */
> int ip6_maxdynroutes = 4096; /* [a] Max # of routes created via redirect */
> diff --git sys/netinet6/ip6_input.c sys/netinet6/ip6_input.c
> index 92a8d3e4cba..f7d89316c8d 100644
> --- sys/netinet6/ip6_input.c
> +++ sys/netinet6/ip6_input.c
> @@ -1452,7 +1452,6 @@ const struct sysctl_bounded_args ipv6ctl_vars[] = {
> { IPV6CTL_DAD_COUNT, &ip6_dad_count, 0, 10 },
> { IPV6CTL_AUTO_FLOWLABEL, &ip6_auto_flowlabel, 0, 1 },
> { IPV6CTL_DEFMCASTHLIM, &ip6_defmcasthlim, 0, 255 },
> - { IPV6CTL_USE_DEPRECATED, &ip6_use_deprecated, 0, 1 },
> { IPV6CTL_MAXFRAGS, &ip6_maxfrags, 0, 1000 },
> { IPV6CTL_MFORWARDING, &ip6_mforwarding, 0, 1 },
> { IPV6CTL_MCAST_PMTU, &ip6_mcast_pmtu, 0, 1 },
> diff --git sys/netinet6/ip6_var.h sys/netinet6/ip6_var.h
> index a885afcd0c0..aff1126c9ee 100644
> --- sys/netinet6/ip6_var.h
> +++ sys/netinet6/ip6_var.h
> @@ -281,7 +281,6 @@ extern int ip6_forwarding; /* act as router? */
> extern int ip6_mforwarding; /* act as multicast router? */
> extern int ip6_multipath; /* use multipath routes */
> extern int ip6_sendredirect; /* send ICMPv6 redirect? */
> -extern int ip6_use_deprecated; /* allow deprecated addr as source */
> extern int ip6_mcast_pmtu; /* path MTU discovery for multicast */
> extern int ip6_neighborgcthresh; /* Threshold # of NDP entries for GC */
> extern int ip6_maxdynroutes; /* Max # of routes created via redirect */
>
> --
> In my defence, I have been left unsupervised.