Open Source and information security mailing list archives
 
Date:	Tue, 14 Jun 2011 14:27:50 +0200
From:	"Stefan (metze) Metzmacher" <metze@...ba.org>
To:	YOSHIFUJI Hideaki <yoshfuji@...ux-ipv6.org>
CC:	netdev@...r.kernel.org
Subject: Re: [ipv6] valid_lft and active connections

On 14.06.2011 13:41, YOSHIFUJI Hideaki wrote:
> Hello.
> 
> Stefan (metze) Metzmacher wrote:
>> If I use IPv6 addresses with valid_lft != forever, the IPv6 addresses
>> are removed from the interface when the valid_lft expires, even if there are
>> established connections which use the address.
>>
>> Would it be possible to keep the address until the last active connection
>> is closed? Otherwise the use of the privacy extensions will make
>> very long-living TCP connections impossible.
>>
> 
> I cannot imagine why you do not hear RAs before the address expires.

They do not reset the valid lifetime counter for temporary addresses.

And I think that valid_lft and preferred_lft should work with a manual
configured setup in a similar way.

> And well, I don't think it is a good idea because it is not what
> "valid lifetime" means.
> 
> We have 3 states:
> 
> 1) time <= preferred lifetime
> 2) preferred lifetime < time <= valid lifetime
> 3) valid lifetime < time
> 
> You can make new connection during the period of 1 and you can continue
> using that connection during the period of 1 and 2.

But it means a TCP connection cannot last longer than the valid lifetime of
a temporary address, which is very ugly, as the application layer will
run into timeouts instead of getting an immediate error when the kernel
drops the related IP.

> Ask network administrator to advertise longer "valid" lifetime, if
> needed, and you may want to make net.ipv6.conf.*.max_addresses larger.

My aim is to have a preferred lifetime of, say, 4 hours. In order to have
no limit on the lifetime of TCP connections, I'd have to set the valid
lifetime to forever, which means that I'll have about 180 addresses on an
interface after a month (8760 after a year) which are mostly all unused.

I think there should be some autocleanup based on the usage
of addresses, maybe there's a different solution for the problem.

Maybe RAs should reset the valid_lft of temporary addresses (from
autoconfiguration) if the IP is in use? In which case I would accept that
I need to do the cleanup in user space via cron, if I also assign dynamic
addresses via cron.

>> It would be also ok to add a new special value "used" similar to "forever",
>> which triggers the modified behavior.

ip -6 addr add $addr valid_lft used preferred_lft 14400
would be nice to have.

It will add $addr, which will be used for new connections for the next 4
hours; if it's unused then, it gets deleted, if not it stays until the last
connection has gone away.

But I would prefer it if such a behavior were the default, so that
I can use:

ip -6 addr add $addr valid_lft 28800 preferred_lft 14400

which means that $addr will be used for new connections during the next 4
hours, $addr will stay at least for the next 8 hours, and if there are still
active connections and the same interface has another IP with the same
prefix, it stays until the last connection has gone away.

And the same logic would apply to addresses assigned via autoconfiguration.

Do you know a better solution?

metze
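As an added example (not part of metze's mail, and not kernel or iproute2 code): one way to get the "keep the address while connections still use it" behaviour from user space today is to add the address with `valid_lft forever preferred_lft 14400`, so the kernel deprecates it after 4 hours but never drops it, and let a cron job delete deprecated addresses that no established TCP socket uses any more. The script assumes the iproute2 output formats of `ip -6 addr show` (the `deprecated` flag on the `inet6` line) and `ss -tn` (local endpoints printed as `[addr]:port`); the two `SAMPLE_*` strings are constructed test data, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original mail: cron-driven user-space cleanup
# for addresses added with "valid_lft forever preferred_lft 14400".
# The kernel deprecates such an address after the preferred lifetime but
# never removes it; this script removes deprecated addresses that no
# ESTABLISHED TCP socket uses any more. Assumes the iproute2 output formats
# of `ip -6 addr show` and `ss -tn`; SAMPLE_IP / SAMPLE_SS below are
# constructed test data.

# unused_deprecated_addrs IP_OUTPUT SS_OUTPUT
# Prints one "addr/plen" per line for every deprecated inet6 address in
# IP_OUTPUT whose bare address is not the local endpoint of an ESTAB
# socket in SS_OUTPUT.
unused_deprecated_addrs() {
    # Local addresses of established sockets; ss prints them as [addr]:port.
    # The header line of `ss -tn` is skipped by the $1 == "ESTAB" filter.
    in_use=$(printf '%s\n' "$2" | awk '
        $1 == "ESTAB" { a = $4; sub(/^\[/, "", a); sub(/\]:[0-9]+$/, "", a); print a }
    ' | sort -u)
    # Every inet6 line carrying the "deprecated" flag (preferred_lft expired).
    printf '%s\n' "$1" | awk '
        $1 == "inet6" { for (i = 3; i <= NF; i++) if ($i == "deprecated") { print $2; break } }
    ' | while read -r entry; do
        addr=${entry%/*}
        if ! printf '%s\n' "$in_use" | grep -qxF "$addr"; then
            printf '%s\n' "$entry"
        fi
    done
}

# cleanup_dev IFACE: the real run (needs root), meant for a cron entry.
# Sockets in TIME-WAIT or SYN-SENT do not count as "in use" here.
cleanup_dev() {
    dev=$1
    unused_deprecated_addrs "$(ip -6 addr show dev "$dev")" "$(ss -tn)" |
    while read -r entry; do
        ip -6 addr del "$entry" dev "$dev"
    done
}

# Constructed sample data for an offline dry run (not real host output).
SAMPLE_IP='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8::a1/64 scope global temporary deprecated dynamic
       valid_lft forever preferred_lft 0sec
    inet6 2001:db8::b2/64 scope global temporary deprecated dynamic
       valid_lft forever preferred_lft 0sec
    inet6 2001:db8::c3/64 scope global temporary dynamic
       valid_lft forever preferred_lft 12000sec
    inet6 fe80::1/64 scope link
       valid_lft forever preferred_lft forever'
SAMPLE_SS='State     Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB     0 0 [2001:db8::a1]:45210 [2001:db8:1::5]:443
TIME-WAIT 0 0 [2001:db8::b2]:45211 [2001:db8:1::5]:443
ESTAB     0 0 [2001:db8::c3]:45212 [2001:db8:1::6]:993'

# Dry run: a1 is deprecated but still has an ESTAB socket, c3 is not
# deprecated, so only 2001:db8::b2/64 is reported.
unused_deprecated_addrs "$SAMPLE_IP" "$SAMPLE_SS"
# cleanup_dev eth0    # what the cron job would actually run
```

Two caveats: there is a small race between the `ss` check and the `ip -6 addr del` (a socket could bind to the address in between, which is exactly the in-kernel "used" semantics metze asks for and user space cannot fully replace), and this only helps for addresses you assign yourself; kernel-generated temporary addresses from RAs keep their own lifetimes.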


