Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

343 lines
11 KiB

// -*- mode: C++; tab-width: 4; indent-tabs-mode: nil -*- (for GNU Emacs)
//
// Copyright (c) 1985-2000 Microsoft Corporation
//
// This file is part of the Microsoft Research IPv6 Network Protocol Stack.
// You should have received a copy of the Microsoft End-User License Agreement
// for this software along with this release; see the file "license.txt".
// If not, please see http://www.research.microsoft.com/msripv6/license.htm,
// or write to Microsoft Research, One Microsoft Way, Redmond, WA 98052-6399.
//
// Abstract:
//
// Mobility routines for Internet Protocol Version 6.
//
#include "oscfg.h"
#include "ndis.h"
#include "ip6imp.h"
#include "ip6def.h"
#include "mobile.h"
#include "route.h"
#include "security.h"
#include "ipsec.h"
int MobilitySecurity;
uint MobileIPv6Mode;
//* IPv6SendBindingAck
//
// Sends a Binding Acknowledgement using an explicit routing header.
//
void
IPv6SendBindingAck(
const IPv6Addr *DestAddr,
NetTableEntryOrInterface *NTEorIF,
const IPv6Addr *HomeAddr,
BindingUpdateDisposition StatusCode,
ushort SeqNumber, // Network byte order.
uint Lifetime) // Network byte order, seconds.
{
NDIS_STATUS Status;
PNDIS_PACKET Packet;
uint Offset, PayloadLength;
uchar *Mem;
uint MemLen;
IPv6Header UNALIGNED *IP;
MobileAcknowledgementOption UNALIGNED *MA;
IPv6RoutingHeader UNALIGNED *Routing;
IP_STATUS IPStatus;
RouteCacheEntry *RCE;
IPStatus = RouteToDestination(DestAddr, 0, NTEorIF,
RTD_FLAG_NORMAL, &RCE);
if (IPStatus != IP_SUCCESS) {
//
// No route - drop the packet.
//
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_INTERNAL_ERROR,
"IPv6SendBindingNack - no route: %x\n", IPStatus));
return;
}
// Determine size of memory buffer needed.
Offset = RCE->NCE->IF->LinkHeaderSize;
PayloadLength = sizeof(IPv6RoutingHeader) + sizeof(IPv6Addr) +
sizeof(MobileAcknowledgementOption);
MemLen = Offset + sizeof(IPv6Header) + PayloadLength;
// Allocate the packet.
Status = IPv6AllocatePacket(MemLen, &Packet, &Mem);
if (Status != NDIS_STATUS_SUCCESS) {
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_NTOS_ERROR,
"IPv6SendBindingNack: Couldn't allocate packet header!?!\n"));
return;
}
// Prepare IP header of reply packet.
IP = (IPv6Header UNALIGNED *)(Mem + Offset);
IP->VersClassFlow = IP_VERSION;
IP->NextHeader = IP_PROTOCOL_ROUTING;
IP->HopLimit = (uchar)RCE->NCE->IF->CurHopLimit;
IP->Dest = *DestAddr;
IP->Source = (IsNTE(NTEorIF) ? CastToNTE(NTEorIF) : RCE->NTE)->Address;
// Prepare the routing header.
Routing = (IPv6RoutingHeader UNALIGNED *)(IP + 1);
Routing->NextHeader = IP_PROTOCOL_DEST_OPTS;
Routing->HeaderExtLength = 2;
Routing->RoutingType = 0;
RtlZeroMemory(&Routing->Reserved, sizeof Routing->Reserved);
Routing->SegmentsLeft = 1;
RtlCopyMemory(Routing + 1, HomeAddr, sizeof(IPv6Addr));
// Prepare the binding acknowledgement option.
MA = (MobileAcknowledgementOption UNALIGNED *)((uchar *)(Routing + 1) +
sizeof(IPv6Addr));
MA->Header.NextHeader = IP_PROTOCOL_NONE;
MA->Header.HeaderExtLength = 1;
MA->Pad1 = 0;
MA->Option.Type = OPT6_BINDING_ACK;
MA->Option.Length = 11;
MA->Option.Status = StatusCode;
MA->Option.SeqNumber = SeqNumber;
MA->Option.Lifetime = Lifetime;
MA->Option.Refresh = Lifetime;
IPv6Send(Packet, Offset, IP, PayloadLength, RCE,
SEND_FLAG_BYPASS_BINDING_CACHE, 0, 0, 0);
//
// Release the route.
//
ReleaseRCE(RCE);
}
//* ParseSubOptions - Routine for mobile ip sub-option parsing.
//
// Mobile IPv6 destination options may themselves have options, see
// section 5.5 of the draft. This routine parses these sub-options.
//
// We do not return any values to our caller;
// we merely check that the sub-options are well-formed.
//
// Returns TRUE if the sub-options were successfully parsed.
// Returns FALSE if the packet should be discarded.
//
int
ParseSubOptions(
uchar *SubOptPtr, // Start of the sub-option data.
uint SubOptSizeLeft) // Length remaining in the parent option.
{
SubOptionHeader UNALIGNED *SubOptHdr;
uint SubOptLen;
while (SubOptSizeLeft != 0) {
//
// First we check the option length and ensure that it fits.
// We move OptPtr past this option while leaving OptHdr
// for use by the option processing code below.
//
SubOptHdr = (SubOptionHeader UNALIGNED *) SubOptPtr;
if ((sizeof *SubOptHdr > SubOptSizeLeft) ||
((SubOptLen = sizeof *SubOptHdr + SubOptHdr->DataLength) >
SubOptSizeLeft)) {
//
// Bad length. REVIEW: Should we discard the packet or continue
// processing it? For now, discard it.
//
return FALSE;
}
SubOptPtr += SubOptLen;
SubOptSizeLeft -= SubOptLen;
}
return TRUE;
}
//* IPv6RecvBindingUpdate - handle an incoming binding update.
//
// Process the receipt of a binding update destination option
// from a mobile node.
//
int
IPv6RecvBindingUpdate(
IPv6Packet *Packet, // Packet received.
IPv6BindingUpdateOption UNALIGNED *BindingUpdate)
{
const IPv6Addr *CareOfAddr;
const IPv6Addr *HomeAddr;
BindingUpdateDisposition Status;
uint OptBytesLeft;
//
// If a home address option is not also present
// then we MUST silently drop this packet.
//
if ((Packet->Flags & PACKET_SAW_HA_OPT) == 0)
return 1; // Drop packet.
HomeAddr = Packet->SrcAddr;
//
// Check to make sure we have a reasonable home address.
// Not required by spec but seems like a good idea.
// Most of what we want to protect against has already been checked
// by the time we get here, we ASSERT this is checked builds.
// REVIEW: Final spec may allow/disallow a different set of addresses.
//
ASSERT(!IsInvalidSourceAddress(HomeAddr));
ASSERT(!IsUnspecified(HomeAddr));
ASSERT(!IsLoopback(HomeAddr));
if (IsLinkLocal(HomeAddr) ||
IsSiteLocal(HomeAddr)) {
//
// Since the home address is suspect, do not send binding ack.
//
return 1;
}
//
// While the mobility spec requires that packets containing binding
// update options be authenticated, we currently allow this to be
// turned off for interoperability testing with mobility implementations
// that don't support IPSec yet.
//
if (MobilitySecurity) {
//
// Check if the packet went through some security.
// If the security check fails we MUST silently drop the packet.
//
// REVIEW: This doesn't check that use of this security association
// REVIEW: actually falls within a security policy.
//
if (Packet->SAPerformed == NULL) {
KdPrintEx((DPFLTR_TCPIP6_ID, DPFLTR_NET_ERROR,
"IPv6RecvBindingUpdate: IPSec required "
"for binding update\n"));
return 1;
}
}
CareOfAddr = AlignAddr(&Packet->IP->Source);
ASSERT(!IsInvalidSourceAddress(CareOfAddr));
//
// Sub-options may follow the fixed portion of the header.
//
OptBytesLeft = sizeof(OptionHeader) + BindingUpdate->Length
- sizeof(IPv6BindingUpdateOption);
if (OptBytesLeft != 0) {
//
// Sub-options are present. Parse them.
//
if (!ParseSubOptions((uchar *) (BindingUpdate + 1), OptBytesLeft)) {
//
// Sub-options are malformed. Spec doesn't explicitly say
// what to do, but the implication is to silently drop.
//
return 1;
}
}
//
// Check to make sure we have a reasonable care-of address.
// Not required by spec but seems like a good idea.
// REVIEW: Aren't link-local addresses o.k. as care-of addresses?
//
if (IsUnspecified(CareOfAddr) ||
IsLoopback(CareOfAddr) ||
IsLinkLocal(CareOfAddr)) {
//
// Since the care-of address is suspect, do not send binding ack.
//
return 1;
}
//
// We don't support home agent functionality (yet).
// The spec says we SHOULD send a rejecting acknowledgement in this case.
//
if (BindingUpdate->Flags & IPV6_BINDING_HOME_REG) {
IPv6SendBindingAck(CareOfAddr, Packet->NTEorIF, HomeAddr,
IPV6_BINDING_HOME_REG_NOT_SUPPORTED,
BindingUpdate->SeqNumber, 0);
return 1;
}
//
// Update our binding cache to reflect this binding update.
//
Status = CacheBindingUpdate(BindingUpdate, CareOfAddr, Packet->NTEorIF,
HomeAddr);
if (Status != IPV6_BINDING_ACCEPTED) {
//
// Failed to update our binding cache. If this failure was due to
// an old sequence number being present in the packet, we MUST
// silently ignore it. Otherwise we send a rejecting acknowledgement.
//
if (Status != IPV6_BINDING_SEQ_NO_TOO_SMALL)
IPv6SendBindingAck(CareOfAddr, Packet->NTEorIF, HomeAddr,
Status, BindingUpdate->SeqNumber, 0);
return 1;
}
if (BindingUpdate->Flags & IPV6_BINDING_ACK) {
//
// The mobile node has requested an acknowledgement. In some cases
// this could be delayed until the next packet is sent
// to the mobile node, but for now we always send one immediately.
// We MUST always use a routing header for binding acks.
// If we deleted a binding, we ack with a zero lifetime.
//
IPv6SendBindingAck(CareOfAddr, Packet->NTEorIF, HomeAddr,
Status, BindingUpdate->SeqNumber,
(IP6_ADDR_EQUAL(HomeAddr, CareOfAddr) ?
0 : BindingUpdate->Lifetime));
}
return 0;
}
//* IPv6RecvHomeAddress - handle an incoming home address option.
//
// Process the receipt of a Home Address destination option.
//
int
IPv6RecvHomeAddress(
IPv6Packet *Packet, // Packet received.
IPv6HomeAddressOption UNALIGNED *HomeAddress)
{
uint OptBytesLeft, OptsLen;
//
// If any mobile sub-options exist, then find out which ones.
// For now we don't do anything with them.
//
OptsLen = HomeAddress->Length + sizeof(OptionHeader);
OptBytesLeft = OptsLen - sizeof(IPv6HomeAddressOption);
if (OptBytesLeft != 0) {
if (!ParseSubOptions((uchar *) HomeAddress + OptsLen - OptBytesLeft,
OptBytesLeft))
return 1;
}
//
// Save the home address for use by upper layers.
//
Packet->SrcAddr = AlignAddr(&HomeAddress->HomeAddress);
Packet->Flags |= PACKET_SAW_HA_OPT;
// Done.
return 0;
}