Kernel design

The following lists the specific defects introduced into the instrumented test kernel. The defects are all activated by supplying some non-zero value to some entry in the /proc filesystem. Most of the entries are in the usgtest directory:
In a few cases, as indicated below, existing Linux /proc entries sufficed for enabling the desired defect.

A note on using the test kernel: in general, for most of these defects to be expressed, you will have to disable any firewall on the test node (via /etc/init.d/ip6tables stop) to keep it from blocking the test packets.

Test What changed Where it changed Controlling variable
Version field
Add acceptance of a bad version, e.g. 5. in ipv6_rcv
(value = version #)
Unrecognized first header
Regard a first header value of 138 as being 58 (ICMP). net/ipv6/exthdrs.c and icmp.c icmphdr_alt
(value = header #)
Note: to make this run-time configurable, what we do is toggle loading/unloading a protocol handler for 138 (or whatever value) which calls icmpv6_rcv.
Next header
Allow multiple 0 (options) headers. net/ipv6/datagram.c
in datagram_recv_ctl
Unrecognized next header in extension header
Regard a next header value of 138 as being 58 (ICMP). net/ipv6/exthdrs.c
in ipv6_exthdrs_init plus in icmp.c and ip6_input.c
Note: This comes with the change in v6LC.1.1.7.
Reassembly time exceeded
Add some amount of time (e.g. 10 seconds) to the timeout value for fragment reassembly. net/ipv6/reassembly.c
in ipv6_frag_init
(value = time in seconds)
Note: this time is controlled by an existing variable, /proc/sys/net/ipv6/ip6frag_secret_interval. I'm not sure whether reinitialization is needed when this value is changed.
Payload length invalid
Allow lengths which are not multiples of 8 bytes. net/ipv6/reassembly.c
in ip6_frag_queue and ??
Note: It seemed easy enough, but somehow I think I'm missing something.
Neighbor solicitation origination
Increase the number of neighbor solicitations to, say, 5, or decrease the interval between them to, say, 2 seconds. net/ipv6/addrconf.c (router_solicitations)
(value = number)
(value = time in seconds)
Note: no code change required; this is already in /proc/sys/net/ipv6/conf/all - router_solicitations and router_solicitation_interval. Have to double-check that it updates at runtime.
Router ignores invalid router solicitations
Allow solicitations with an ICMPv6 code of 1. net/ipv6/ndisc.c
in ndisc_rcv
(value = code allowed)
Note: could possibly also allow hop limits of, say, 254 in the same code.
Redirected on-link: invalid
Allow redirects with an ICMPv6 code of 1. net/ipv6/ndisc.c
in ndisc_rcv
(value = code allowed)
Validation of DAD Neighbor Solicitations
Allow DAD neighbor solicitations with an ICMPv6 code of 1. net/ipv6/ndisc.c
in ndisc_rcv
(value = code allowed)
Address lifetime expiry
Increase (say, double) received lifetime values. net/ipv6/addrconf.c
in addrconf_prefix_rcv
(value = multiplicand for lifetime)
Note: I'm a little vague on what this particular test is looking for, but I assume this change would catch it.
Checking for increase in PMTU
Allow PMTU to increase after only 4 minutes. net/ipv6/route.c
in rt6_pmtu_discovery
(value = time in seconds)
Note: This is controlled by /proc/sys/net/ipv6/route/mtu_expires; changing it from 600 (RFC recommended and Linux default of 10 minutes) to 240 looks like it should work. RFC 1981 says 5 is the minimum.
Erroneous header field
Return a type of, say, 2 (unknown option) rather than 0. net/ipv6/reassembly.c
in ip6_frag_queue
(value = type returned)
Note: changing the type sent is less intrusive than actually allowing odd lengths.