Kernel design

The following lists the specific defects introduced into the instrumented test kernel. The defects are all activated by supplying some non-zero value to some entry in the /proc filesystem. Most of the entries are in the usgtest directory:
/proc/sys/net/ipv6/usgtest/
In a few cases, as indicated below, existing Linux /proc entries sufficed for enabling the desired defect.

A note on using the test kernel: in general, for most of these defects to be expressed, you will have to disable any firewall on the test node (via /etc/init.d/ip6tables stop) to keep it from blocking the test packets.

Test: v6LC.1.1.1 Version field
What changed: Add acceptance of a bad version, e.g. 5.
Where it changed: net/ipv6/ip6_input.c in ipv6_rcv
Controlling variable: bad_version (value = version #)

Test: v6LC.1.1.7 Unrecognized first header
What changed: Regard a first header value of 138 as being 58 (ICMP).
Where it changed: net/ipv6/exthdrs.c and icmp.c
Controlling variable: icmphdr_alt (value = header #)
Note: to make this run-time configurable, what we do is toggle loading/unloading a protocol handler for 138 (or whatever value) which calls icmpv6_rcv.

Test: v6LC.1.2.1 Next header
What changed: Allow multiple 0 (options) headers.
Where it changed: net/ipv6/datagram.c in datagram_recv_ctl
Controlling variable: multiple_options (boolean)

Test: v6LC.1.2.3 Unrecognized next header in extension header
What changed: Regard a next header value of 138 as being 58 (ICMP).
Where it changed: net/ipv6/exthdrs.c in ipv6_exthdrs_init plus in icmp.c and ip6_input.c
Controlling variable: icmphdr_alt
Note: This comes with the change in v6LC.1.1.7.

Test: v6LC.1.3.2 Reassembly time exceeded
What changed: Add some amount of time (e.g. 10 seconds) to the timeout value for fragment reassembly.
Where it changed: net/ipv6/reassembly.c in ipv6_frag_init
Controlling variable: (ip6frag_secret_interval) (value = time in seconds)
Note: this time is controlled by an existing variable, /proc/sys/net/ipv6/ip6frag_secret_interval. I'm not sure whether reinitialization is needed when this value is changed.

Test: v6LC.1.3.3 Payload length invalid
What changed: Allow lengths which are not multiples of 8 bytes.
Where it changed: net/ipv6/reassembly.c in ip6_frag_queue and ??
Controlling variable: odd_frag_lengths (boolean)
Note: It seemed easy enough, but somehow I think I'm missing something.

Test: v6LC.2.1.5 Neighbor solicitation origination
What changed: Increase the number of neighbor solicitations to, say, 5, or decrease the interval between them to, say, 2 seconds.
Where it changed: net/ipv6/addrconf.c
Controlling variable: (router_solicitations) (value = number); (router_solicitation_interval) (value = time in seconds)
Note: no code change required; this is already in /proc/sys/net/ipv6/conf/all - router_solicitations and router_solicitation_interval. Have to double-check that it updates at runtime.

Test: v6LC.2.2.4 Router ignores invalid router solicitations
What changed: Allow solicitations with an ICMPv6 code of 1.
Where it changed: net/ipv6/ndisc.c in ndisc_rcv
Controlling variable: icmp_code_solicitation (value = code allowed)
Note: could possibly also allow hop limits of, say, 254 in the same code.

Test: v6LC.2.3.3 Redirected on-link: invalid
What changed: Allow redirects with an ICMPv6 code of 1.
Where it changed: net/ipv6/ndisc.c in ndisc_rcv
Controlling variable: icmp_code_redirect (value = code allowed)

Test: v6L3.1.3 Validation of DAD Neighbor Solicitations
What changed: Allow DAD neighbor solicitations with an ICMPv6 code of 1.
Where it changed: net/ipv6/ndisc.c in ndisc_rcv
Controlling variable: icmp_code_dad_neighbor (value = code allowed)

Test: v6LC.3.2.2 Address lifetime expiry
What changed: Increase (say, double) received lifetime values.
Where it changed: net/ipv6/addrconf.c in addrconf_prefix_rcv
Controlling variable: prefix_lifetime (value = multiplicand for lifetime)
Note: I'm a little vague on what this particular test is looking for, but I assume this change would catch it.

Test: v6LC.4.1.9 Checking for increase in PMTU
What changed: Allow PMTU to increase after only 4 minutes.
Where it changed: net/ipv6/route.c in rt6_pmtu_discovery
Controlling variable: (mtu_expires) (value = time in seconds)
Note: This is controlled by /proc/sys/net/ipv6/route/mtu_expires; changing it from 600 (RFC recommended and Linux default of 10 minutes) to 240 looks like it should work. RFC 1981 says 5 is the minimum.

Test: v6LC.5.1.6 Erroneous header field
What changed: Return a type of, say, 2 (unknown option) rather than 0.
Where it changed: net/ipv6/reassembly.c in ip6_frag_queue
Controlling variable: icmp_type_frag_length (value = type returned)
Note: changing the type sent is less intrusive than actually allowing odd lengths.
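
A node left with one of these switches on no longer behaves like a conforming IPv6 stack, so it is worth confirming the baseline before and after each run. The script below is an added example, not part of the test kernel or the original page: it reports every usgtest entry holding a non-zero value and flags mtu_expires when it differs from the 600-second default given above. The function names and the root-directory argument are hypothetical, and it assumes each usgtest entry reads back the value last written to it.

```shell
#!/bin/sh
# Added example, not part of the test kernel. The root argument exists so the
# check can be run against a fixture directory; on a test node it is /proc.

# Print one "name=value" line per enabled defect; print nothing at baseline.
defect_report() {
    root=${1:-/proc}
    dir="$root/sys/net/ipv6/usgtest"
    if [ -d "$dir" ]; then                 # absent on a stock kernel
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            name=${f##*/}
            if ! val=$(cat "$f" 2>/dev/null); then
                echo "$name=unreadable"    # cannot prove the defect is off
                continue
            fi
            case $val in
                *[!0]*) echo "$name=$val" ;;   # any non-zero value enables it
            esac
        done
    fi
    # mtu_expires is a stock entry; the page gives 600 as its default.
    f="$root/sys/net/ipv6/route/mtu_expires"
    if [ -r "$f" ]; then
        val=$(cat "$f")
        [ "$val" = 600 ] || echo "route/mtu_expires=$val"
    fi
    return 0
}

# Succeed only when no defect is enabled under the given root.
node_is_baseline() {
    [ -z "$(defect_report "$1")" ]
}

# Stand-alone use: sh check_defects.sh /proc
if [ "$#" -gt 0 ]; then
    defect_report "$1"
fi
```

The other stock entries named above (ip6frag_secret_interval, router_solicitations, router_solicitation_interval) are not checked because the page does not state their defaults.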