lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Fri, 23 Jan 2015 13:22:17 +0100
From:	Hannes Frederic Sowa <hannes@...essinduktion.org>
To:	Stephen Hemminger <stephen@...workplumber.org>
Cc:	David Ahern <dsahern@...il.com>, netdev@...r.kernel.org
Subject: Re: [RFC PATCH] net: ipv6: Make address flushing on ifdown optional

On Do, 2015-01-22 at 22:40 -0800, Stephen Hemminger wrote:
> On Wed, 14 Jan 2015 12:17:19 -0700
> David Ahern <dsahern@...il.com> wrote:
> 
> > Currently, ipv6 addresses are flushed when the interface is configured down:
> > 
> > [root@f20 ~]# ip -6 addr add dev eth1 2000:11:1:1::1/64
> > [root@f20 ~]# ip addr show dev eth1
> > 3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
> >     link/ether 02:04:11:22:33:01 brd ff:ff:ff:ff:ff:ff
> >     inet6 2000:11:1:1::1/64 scope global tentative
> >        valid_lft forever preferred_lft forever
> > [root@f20 ~]# ip link set dev eth1 up
> > [root@f20 ~]# ip link set dev eth1 down
> > [root@f20 ~]# ip addr show dev eth1
> > 3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
> >     link/ether 02:04:11:22:33:01 brd ff:ff:ff:ff:ff:ff
> > 
> > Add a new sysctl to make this behavior optional. Setting defaults to flush
> > addresses to maintain backwards compatibility. When reset flushing is bypassed:
> > 
> > [root@f20 ~]# echo 0 > /proc/sys/net/ipv6/conf/eth1/flush_addr_on_down
> > [root@f20 ~]# ip -6 addr add dev eth1 2000:11:1:1::1/64
> > [root@f20 ~]# ip addr show dev eth1
> > 3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
> >     link/ether 02:04:11:22:33:01 brd ff:ff:ff:ff:ff:ff
> >     inet6 2000:11:1:1::1/64 scope global tentative
> >        valid_lft forever preferred_lft forever
> > [root@f20 ~]#  ip link set dev eth1 up
> > [root@f20 ~]#  ip link set dev eth1 down
> > [root@f20 ~]# ip addr show dev eth1
> > 3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
> >     link/ether 02:04:11:22:33:01 brd ff:ff:ff:ff:ff:ff
> >     inet6 2000:11:1:1::1/64 scope global
> >        valid_lft forever preferred_lft forever
> >     inet6 fe80::4:11ff:fe22:3301/64 scope link
> >        valid_lft forever preferred_lft forever
> > 
> > Suggested-by: Hannes Frederic Sowa <hannes@...hat.com>
> > Signed-off-by: David Ahern <dsahern@...il.com>
> > Cc: Hannes Frederic Sowa <hannes@...hat.com>
> 
> Would this break existing application expecting a particular semantic
> by listening to netlink?  What happens to packets received with the static
> address when interface is down? With IPv4 Linux is mostly a weak host
> model, and IPv6 somewhere in between.

IPv6 is mostly a weak end model, too, but IFA_LINK addresses are used
much more. So yes, it is somewhere in between.

Addresses bound to interfaces which are currently down will work with
IPv6 (in contrast to IPv4).

> For vendors that control the application stack or have limited number
> of services this would work fine, but what about RHEL?

The new model is only enabled if the sysctl is set. I don't expect a lot
of vendors or distributions switching anytime soon.

I wonder if we should try to come up with a way of IPV6_NEW_WORLD_ORDER
we can make some changes to the stack which align much better with the
RFCs, e.g. no default link local address generation, no default on-link
routes etc.

Bye,
Hannes


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists