off the top of my head;

- RFC3484 address selection
- working privacy addresses

Jonathan Kollasch

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

There are several things that were in KAME that have not been updated
to work in NetBSD-current - SCTP, DCCP and Mobile IP.

I have done some work on getting SCTP and Mobile IP to work.

Robert Swindells

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

Unfortunately IPv6 stack was often done by copy-pasting the IPv4 code and
converting the it to use struct in6_addr with other necessary adjustments.
The result of this is: 1) massive code duplication 2) many duplicated
branches under #ifdef in TCP code. There are multiple IPv4 and IPv6 code
parts which could and should be merged. Few examples:

- Replace struct in_addr and struct in6_addr with a new structure and use
it to convert the code to be IP-version agnostic, thus remove many #ifdefs.
Possible approach: NPF has npf_addr_t and only the lower level primitives
separate v4 and v6 handling while the rest of the code is completely
IP-version agnostic. This has proven to be very successful approach.

- Merge IPv4 and IPv6 PCB interfaces into one (rpaulo-netinet-merge-pcb
branch was an attempt to do that in the past, see doc/BRANCHES).

- For something simpler - merge IPv4 and IPv6 reassembly, since they mostly
match (see ip_reass.c and frag6.c).

.. etc. The list can go on. This is a major work, though.

I don't know whether this is what you mean - indeed, I'm not certain
it's actually a fault in the v6 stack - but there's a v6-affecting
issue which has been bothering me for a while.

I have a machine with two interfaces (rtk0 and wm0 in my case - I don't
know whether that's relevant). I create a bridge and put them in the
bridge. I then configure both v4 and v6 on rtk0 and don't configure
anything on wm0 - all wm0 gets is "up".

A machine plugged into wm0 can then reach the v4 address just fine, but
fails when trying to reach the v6 address.

In my case, this is 4.0.1 amd64. I haven't tried it on anything else;
there _might_ be nothing to do here (possibly excepting my backporting
changes). But it sure looks to me like a bug; it certainly violates
the expectation that a bridge amounts to an in-machine network switch.

/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML ***@rodents-montreal.org
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

Two IPsec tunnel related items - one a clear bug (also exists in Linux, FYI), the other a little more controversial.

Clear Bug:
Do source fragmentation BEFORE applying tunnel code. Right now, what happens, is all packets, regardless of size, are put through the IPsec code BEFORE having source fragmentation applied. So packet gets encapsulated, then split up, then at the other end of the tunnel, the packet is reassembled. If the endpoint of the tunnel is different from the ultimate destination of the packet, then the packet will then be dropped (because it is too large for the MTU), and a packet-too-large message will be returned to the source - all to have the same thing happen again.

More controversial issue...
If an IPsec tunnel appears mid flight and applying tunnel code causes the packet to be too big for the MTU, the packet is then fragmented. Some people have argued that because a new outer header is applied, it is a new packet, therefore source fragmentation is allowed. The primary author of the IPsec RFC disagrees with this interpretation - he feels a packet-too-large message should be returned. The point of source fragmentation is to get the sizing right in the first place so that we don't end up with a bunch of tiny fragments. That is exactly what happens in this scenario. The new header adds a handful of bytes over the MTU, so every full-size packet (and full-size packets will be common in a large transfer) will be fragmented at the tunnel - one full-size packet, and one tiny packet.

There are other weird behaviors with MTUs and IPsec tunnels that, for the most part, won't occur in real life. And fixing some of these odd borderline cases would involve changes to specifications.

-Bev
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

Not sure if this is a NetBSD problem yet, but I can't connect to my
NetBSD Xen dom0 running on IPv6 unless I do some network operation from
it first.

ssh hangs in connect() from my client machine. Say I turn the screen on
and run a "dig netbsd.org aaaa" (anything that sends v6 pkts, really),
and then retry the ssh connection. It works then.


At this point I am not sure whether this is a NetBSD issue or not. What
I can say is that the FreeBSD and OpenBSD virtual machines also running
do not have this issue, but that is not conclusive by itself.




--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

This is clearly a bug. For IPv6 fragmentation size depends on the
end-to-end path (unlike IPv4, where it depends solely on the next
hop interface) and must be tracked and applied at the very start
of the path. The encapsulation tunnel is generally only a path
segment, i.e. is not the full end-to-end path, so fragmentation needs
to be done before you get there.
I think it might be controversial to argue that fragmenting the
tunnel-encapsulated packet is not permitted as an implementation
choice, but I also think it is non-controversial to argue that not
doing it this way, instead using the information about the effective
tunnel MTU to persuade the packet originator to send packets small
enough to fit through it without (additional) fragmentation, is a
functionally superior implementation option to choose. Anything that
reduces, or eliminates, the need for mid-path routers to do packet
reassemblies is always better just based on functional considerations,
and while there are always MTU-related warts associated with tunnelling
(even with IPv4) I believe you end up with fewer of them by always
pushing packet size issues (whether fragmentation, segmentation or
reassembly) as close to the ends of the end-to-end path as you can.

The reasons generic IPv4 tunnel implementations generally choose to
send encapsulated packets with the DF bit clear in the outer header
(i.e. to allow fragmentation of the encapsulated packet) are historical.
IPv6 doesn't share that history and needn't (and shouldn't) emulate this.

Dennis Ferguson
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de