FreeBSD Errata Notices
2007-Feb-28 18:49 UTC
[FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-07:02.net
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================FreeBSD-EN-07:02.net Errata Notice The FreeBSD Project Topic: IPv6 over Point-to-Point gif(4) tunnels Category: core Module: sys_netinet6 Announced: 2007-02-28 Credits: Bruce A. Mah Affects: FreeBSD 6.2-RELEASE Corrected: 2007-02-08 22:52:56 UTC (RELENG_6, 6.2-STABLE) 2007-02-28 18:24:37 UTC (RELENG_6_2, 6.2-RELEASE-p2) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://security.FreeBSD.org/>. I. Background The FreeBSD kernel provides basic networking services, including (among other protocols) the IPv6 network protocol stack. The gif(4) tunnel driver provides a generic tunnelling interface, which is commonly used to carry IPv6 packets across an IPv4 internetwork. II. Problem Description FreeBSD 6.2-RELEASE contains a regression in the behavior of IPv6 over gif(4) tunnels configured as point-to-point interfaces (in other words, gif(4) interfaces with an explicitly-configured destination address and a 128-bit prefix length). When such an interface is configured, a route to the destination address must be added implicitly by the kernel to allow packets to traverse the tunnel properly. FreeBSD 6.2-RELEASE does not do this. III. Impact In some cases, it may be impossible for a host to send IPv6 traffic over a gif(4) tunnel interface due to the lack of an appropriate routing table entry. IV. Workaround One workaround is to add a route to the destination address explicitly using the route(8) command, as in the following example: # route add -host -inet6 ADDRESS -interface GIF -nostatic -llinfo In the command line above, ADDRESS and GIF should be replaced by the destination IPv6 address and the interface name of the gif(4) tunnel, respectively. In some cases, the host route to the destination may be added implicitly as a side-effect of receiving inbound packets over the tunnel. V. Solution Perform one of the following: 1) Upgrade your affected system to 6-STABLE or to the RELENG_6_2 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 6.2 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/EN-07:02/net.patch # fetch http://security.FreeBSD.org/patches/EN-07:02/net.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ---------------------------------------------------------------------------- RELENG_6_2 src/UPDATING 1.416.2.29.2.5 src/sys/conf/newvers.sh 1.69.2.13.2.5 src/sys/netinet6/nd6.c 1.48.2.15.2.1 - ---------------------------------------------------------------------------- The latest revision of this Errata Notice is available at http://security.FreeBSD.org/advisories/FreeBSD-EN-07:02.net.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (FreeBSD) iD8DBQFF5ct4FdaIBMps37IRAjN0AJ9llRTF/ccXBJDRqJeFDocSkIF5lQCdF2ww y+4KLUVBRVLLQz0AJuKygfc=x04b -----END PGP SIGNATURE-----