netdev

IPv6: behavior of the all/per device forwarding controls in /proc/sys/n

To: netdev@xxxxxxxxxxx
Subject: IPv6: behavior of the all/per device forwarding controls in /proc/sys/net/ipv6
From: Peter Bieringer <pb@xxxxxxxxxxxx>
Date: Tue, 17 Apr 2001 19:23:15 +0200
Sender: owner-netdev@xxxxxxxxxxx
Hi,

I have a question regarding the use of the forwarding switches in the IPv6 part of /proc.

Scenario:
Internal host --- native IPv6 --- (eth0)local tunnel server(sit0) --- tunneled IPv6 --- 6bone


On my "local tunnel server" (2.2.19pre16) the following switches are currently available:
# find /proc/sys/net/ipv6 -name 'forward*'
/proc/sys/net/ipv6/conf/sit1/forwarding
/proc/sys/net/ipv6/conf/sit0/forwarding
/proc/sys/net/ipv6/conf/eth1/forwarding
/proc/sys/net/ipv6/conf/eth0/forwarding
/proc/sys/net/ipv6/conf/lo/forwarding
/proc/sys/net/ipv6/conf/default/forwarding
/proc/sys/net/ipv6/conf/all/forwarding



IPv6 routing from "internal host" to 6bone only works if the following forwarding switches are set like this:
/proc/sys/net/ipv6/conf/eth0/forwarding = 1
/proc/sys/net/ipv6/conf/sit0/forwarding = 1
/proc/sys/net/ipv6/conf/all/forwarding = 1


But if I set "/proc/sys/net/ipv6/conf/all/forwarding" to "1", all dedicated device switches are also set to "1". This is the same behavior as in IPv4, but unlike in IPv4, if "/proc/sys/net/ipv6/conf/all/forwarding" = 0, IPv6 routing is generally disabled.

Therefore
/proc/sys/net/ipv6/conf/eth0/forwarding = 1
/proc/sys/net/ipv6/conf/sit0/forwarding = 1
/proc/sys/net/ipv6/conf/all/forwarding  = 0
doesn't route anything.

That's bad for security issues, because if someone wants to enable only dedicated devices for IPv6 routing, he must first globally enable IPv6 routing with
/proc/sys/net/ipv6/conf/all/forwarding = 1


and then afterwards disable forwarding for each device that should *not* do IPv6 routing, like
/proc/sys/net/ipv6/conf/eth1/forwarding = 0



Therefore 2 questions:
a) is this a bug or a feature?
b) why is it different to IPv4, where routing still works if
/proc/sys/net/ipv4/ip_forward = /proc/sys/net/ipv4/conf/all/forwarding = 0
/proc/sys/net/ipv4/conf/eth0/forwarding = 1
/proc/sys/net/ipv4/conf/ppp0/forwarding = 1
(Tested with masquerading, which also makes use of such switches)


My opinion is that IPv6 routing should only depend on the "per device" switches and "all" only toggles all "per device" switches in one direction, but does not switch routing capabilities - this is better for security issues.


TIA,
        Peter
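
The procedure described in the post above (turn on `all/forwarding`, then switch off every device that must not route), as an added shell example that is not part of the original post, followed by a read-only audit of the result. `CONF_ROOT`, the function names and the allow-list arguments are assumptions made for this example; the `default` entry is left untouched.

```shell
#!/bin/sh
# Added example, not from the original post. CONF_ROOT and all function names
# are hypothetical; point CONF_ROOT at a scratch tree to try it unprivileged.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv6/conf}"

# is_allowed DEV ALLOWED...: succeed if DEV is on the allow list.
is_allowed() {
    want=$1; shift
    for a in "$@"; do
        [ "$a" = "$want" ] && return 0
    done
    return 1
}

# set_ipv6_forwarding ALLOWED...: same order as in the post:
# 1) global switch on, 2) every per-device switch written explicitly.
set_ipv6_forwarding() {
    echo 1 > "$CONF_ROOT/all/forwarding" || return 1
    for f in "$CONF_ROOT"/*/forwarding; do
        dev=$(basename "$(dirname "$f")")
        case "$dev" in all|default) continue ;; esac
        if is_allowed "$dev" "$@"; then echo 1 > "$f"; else echo 0 > "$f"; fi
    done
}

# audit_ipv6_forwarding ALLOWED...: print each device whose switch differs
# from the allow list and return 1 if any does. Read-only.
audit_ipv6_forwarding() {
    bad=0
    for f in "$CONF_ROOT"/*/forwarding; do
        dev=$(basename "$(dirname "$f")")
        case "$dev" in all|default) continue ;; esac
        val=$(cat "$f")
        if is_allowed "$dev" "$@"; then expect=1; else expect=0; fi
        if [ "$val" != "$expect" ]; then
            echo "$dev: forwarding=$val, expected $expect"
            bad=1
        fi
    done
    return $bad
}
```

With the device names from the post, `set_ipv6_forwarding eth0 sit0` applies the settings and `audit_ipv6_forwarding eth0 sit0` reports any device, such as eth1, that is still forwarding.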

