From: Alexander Bluhm Subject: Re: Remove net.inet6.ip6.use_deprecated knob. To: tech Date: Mon, 15 Sep 2025 18:38:30 +0200 On Mon, Sep 15, 2025 at 12:35:28PM +0200, Florian Obser wrote:
> There is no good reason to not use the default of using deprecated
> addresses. Furthermore, it confused netinet/tcp_input.c, which followed
> an older RFC. RFC 4862 5.5.4 has:
>
> IP and higher layers (e.g., TCP, UDP) MUST continue to accept and
> process datagrams destined to a deprecated address as normal since a
> deprecated address is still a valid address for the interface.
>
> As for the knob itself:
> An implementation MAY prevent any new communication from using a
> deprecated address, but system management MUST have the ability to
> disable such a facility, and the facility MUST be disabled by
> default.
>
> OK?
OK bluhm@
> diff --git lib/libc/sys/sysctl.2 lib/libc/sys/sysctl.2
> index ef16ab52ab3..bd31f3aa0f4 100644
> --- lib/libc/sys/sysctl.2
> +++ lib/libc/sys/sysctl.2
> @@ -1859,7 +1859,6 @@ The currently defined protocols and names are:
> .It ip6 Ta multipath Ta integer Ta yes
> .It ip6 Ta neighborgcthresh Ta integer Ta yes
> .It ip6 Ta redirect Ta integer Ta yes
> -.It ip6 Ta use_deprecated Ta integer Ta yes
> .El
> .Pp
> The variables are as follows:
> @@ -2028,10 +2027,6 @@ The default value is 2048.
> Returns 1 when ICMPv6 redirects may be sent by the node.
> This option is ignored unless the node is routing IP packets,
> and should normally be enabled on all systems.
> -.Pp
> -.It Li ip6.use_deprecated Pq Va net.inet6.ip6.use_deprecated
> -This variable controls the use of deprecated addresses, specified in
> -RFC 4862 5.5.4.
> .El
> .Pp
> We reuse
> diff --git sys/netinet/tcp_input.c sys/netinet/tcp_input.c
> index 3bdd57208d1..bd61054df4b 100644
> --- sys/netinet/tcp_input.c
> +++ sys/netinet/tcp_input.c
> @@ -817,60 +817,6 @@ findpcb:
> /*
> * Received a SYN.
> */
> -#ifdef INET6
> - /*
> - * If deprecated address is forbidden, we do
> - * not accept SYN to deprecated interface
> - * address to prevent any new inbound
> - * connection from getting established.
> - * When we do not accept SYN, we send a TCP
> - * RST, with deprecated source address (instead
> - * of dropping it). We compromise it as it is
> - * much better for peer to send a RST, and
> - * RST will be the final packet for the
> - * exchange.
> - *
> - * If we do not forbid deprecated addresses, we
> - * accept the SYN packet. RFC2462 does not
> - * suggest dropping SYN in this case.
> - * If we decipher RFC2462 5.5.4, it says like
> - * this:
> - * 1. use of deprecated addr with existing
> - * communication is okay - "SHOULD continue
> - * to be used"
> - * 2. use of it with new communication:
> - * (2a) "SHOULD NOT be used if alternate
> - * address with sufficient scope is
> - * available"
> - * (2b) nothing mentioned otherwise.
> - * Here we fall into (2b) case as we have no
> - * choice in our source address selection - we
> - * must obey the peer.
> - *
> - * The wording in RFC2462 is confusing, and
> - * there are multiple description text for
> - * deprecated address handling - worse, they
> - * are not exactly the same. I believe 5.5.4
> - * is the best one, so we follow 5.5.4.
> - */
> - if (ip6 &&
> - !atomic_load_int(&ip6_use_deprecated)) {
> - struct in6_ifaddr *ia6;
> - struct ifnet *ifp =
> - if_get(m->m_pkthdr.ph_ifidx);
> -
> - if (ifp &&
> - (ia6 = in6ifa_ifpwithaddr(ifp,
> - &ip6->ip6_dst)) &&
> - (ia6->ia6_flags &
> - IN6_IFF_DEPRECATED)) {
> - tp = NULL;
> - if_put(ifp);
> - goto dropwithreset;
> - }
> - if_put(ifp);
> - }
> -#endif
>
> /*
> * LISTEN socket received a SYN
> diff --git sys/netinet6/in6.c sys/netinet6/in6.c
> index a0d272e93a8..f1b435a53cd 100644
> --- sys/netinet6/in6.c
> +++ sys/netinet6/in6.c
> @@ -1423,13 +1423,6 @@ in6_ifawithscope(struct ifnet *oifp, const struct in6_addr *dst, u_int rdomain,
>
> /* Rule 3: Avoid deprecated addresses. */
> if (ifatoia6(ifa)->ia6_flags & IN6_IFF_DEPRECATED) {
> - /*
> - * Ignore any deprecated addresses if
> - * specified by configuration.
> - */
> - if (!atomic_load_int(&ip6_use_deprecated))
> - continue;
> -
> /*
> * If we have already found a non-deprecated
> * candidate, just ignore deprecated addresses.
> diff --git sys/netinet6/in6.h sys/netinet6/in6.h
> index e9a853262d9..b3b7c28fc04 100644
> --- sys/netinet6/in6.h
> +++ sys/netinet6/in6.h
> @@ -584,7 +584,6 @@ ifatoia6(struct ifaddr *ifa)
> #define IPV6CTL_DAD_COUNT 16
> #define IPV6CTL_AUTO_FLOWLABEL 17
> #define IPV6CTL_DEFMCASTHLIM 18
> -#define IPV6CTL_USE_DEPRECATED 21 /* use deprecated addr (RFC2462 5.5.4) */
> /* 24 to 40: reserved */
> #define IPV6CTL_MAXFRAGS 41 /* max fragments */
> #define IPV6CTL_MFORWARDING 42
> @@ -624,7 +623,7 @@ ifatoia6(struct ifaddr *ifa)
> { "defmcasthlim", CTLTYPE_INT }, \
> { 0, 0 }, \
> { 0, 0 }, \
> - { "use_deprecated", CTLTYPE_INT }, \
> + { 0, 0 }, \
> { 0, 0 }, \
> { 0, 0 }, \
> { 0, 0 }, \
> diff --git sys/netinet6/in6_proto.c sys/netinet6/in6_proto.c
> index 08ce551c1fa..cf78a56d460 100644
> --- sys/netinet6/in6_proto.c
> +++ sys/netinet6/in6_proto.c
> @@ -362,7 +362,6 @@ int ip6_hdrnestlimit = 10; /* [a] appropriate? */
> int ip6_dad_count = 1; /* [a] DupAddrDetectionTransmits */
> int ip6_dad_pending; /* number of currently running DADs */
> int ip6_auto_flowlabel = 1; /* [a] */
> -int ip6_use_deprecated = 1; /* [a] allow deprecated addr (RFC2462 5.5.4) */
> int ip6_mcast_pmtu = 0; /* [a] enable pMTU discovery for multicast? */
> int ip6_neighborgcthresh = 2048; /* [a] Threshold # of NDP entries for GC */
> int ip6_maxdynroutes = 4096; /* [a] Max # of routes created via redirect */
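Review bot: The second in6.h hunk turns slot 21 of the ipv6ctl name table into `{ 0, 0 }` but leaves no trace in the define list that the number was ever assigned, while the neighbouring `/* 24 to 40: reserved */` comment documents the other holes. Keeping the MIB number retired rather than free avoids a later knob reusing 21 and being misread by userland built against the old in6.h; I would keep a placeholder next to the removed line, `/* 21: was IPV6CTL_USE_DEPRECATED, do not reuse */`. Existing sysctl.conf entries that set net.inet6.ip6.use_deprecated will presumably now be rejected by sysctl(8) at boot, and operators who had set it to 0 lose the refuse-new-inbound-connections behaviour removed from tcp_input.c, which is worth a sentence in the commit message or the sysctl.2 hunk. The enclosing IPV6CTL_NAMES initializer starts and ends outside the hunk.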
> diff --git sys/netinet6/ip6_input.c sys/netinet6/ip6_input.c
> index 92a8d3e4cba..f7d89316c8d 100644
> --- sys/netinet6/ip6_input.c
> +++ sys/netinet6/ip6_input.c
> @@ -1452,7 +1452,6 @@ const struct sysctl_bounded_args ipv6ctl_vars[] = {
> { IPV6CTL_DAD_COUNT, &ip6_dad_count, 0, 10 },
> { IPV6CTL_AUTO_FLOWLABEL, &ip6_auto_flowlabel, 0, 1 },
> { IPV6CTL_DEFMCASTHLIM, &ip6_defmcasthlim, 0, 255 },
> - { IPV6CTL_USE_DEPRECATED, &ip6_use_deprecated, 0, 1 },
> { IPV6CTL_MAXFRAGS, &ip6_maxfrags, 0, 1000 },
> { IPV6CTL_MFORWARDING, &ip6_mforwarding, 0, 1 },
> { IPV6CTL_MCAST_PMTU, &ip6_mcast_pmtu, 0, 1 },
> diff --git sys/netinet6/ip6_var.h sys/netinet6/ip6_var.h
> index a885afcd0c0..aff1126c9ee 100644
> --- sys/netinet6/ip6_var.h
> +++ sys/netinet6/ip6_var.h
> @@ -281,7 +281,6 @@ extern int ip6_forwarding; /* act as router? */
> extern int ip6_mforwarding; /* act as multicast router? */
> extern int ip6_multipath; /* use multipath routes */
> extern int ip6_sendredirect; /* send ICMPv6 redirect? */
> -extern int ip6_use_deprecated; /* allow deprecated addr as source */
> extern int ip6_mcast_pmtu; /* path MTU discovery for multicast */
> extern int ip6_neighborgcthresh; /* Threshold # of NDP entries for GC */
> extern int ip6_maxdynroutes; /* Max # of routes created via redirect */
>
> --
> In my defence, I have been left unsupervised.