lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4E80F8BD.4010401@gmail.com>
Date:	Tue, 27 Sep 2011 00:12:13 +0200
From:	Nicolas de Pesloüan 
	<nicolas.2p.debian@...il.com>
To:	Stephen Hemminger <shemminger@...tta.com>
CC:	Marc Haber <mh+netdev@...schlus.de>, netdev@...r.kernel.org
Subject: Re: Bridge stays down until a port is added

Le 26/09/2011 22:05, Stephen Hemminger a écrit :
> On Mon, 26 Sep 2011 22:02:21 +0200
> Nicolas de Pesloüan<nicolas.2p.debian@...il.com>  wrote:
[...]
>> Stephen,
>>
>> What do you think about a generic per-interface option that would cause bind() to accept tentative
>> address hold by a particular interface? This of course violate IPv6 principle, but we are talking
>> about interfaces that are unable to do DAD, either permanently or until something happens on the
>> underlying device.
>>
>> echo 1>  /sys/class/net/br0/allow_bind_on_tentative_address
>> echo 1>  /sys/class/net/dummy0/allow_bind_on_tentative_address
>> echo 1>  /sys/class/net/wlan0/allow_bind_on_tentative_address
>> and so on...
>>
>> And we may possibly automatically reset this option to 0 if DAD eventually causes the address to be
>> considered duplicate.
>
> The issue is that if DAD rejects a duplicate, the socket is dead and application is
> out of luck.

Yes, and this is by design. Setting the option would state "I want to allow early bind(), prior to 
DAD and I assume the fact that a possible duplicate address will cause the corresponding socket to 
be dead and so the using application."

In the particular use case of a bridge to connect to virtual machines, the user can reasonably 
assume that he know what it is doing on this private LAN. As such, he would accept the risk to have 
applications die if he end up with a duplicate address.

And this might also allow to set an IPv6 address on a dummy interface, which Marc Haber reported as 
not being allowed for now, probably because DAD cannot succeed on a dummy interface and as such, a 
bind() cannot be allowed, and as such, setting the IPv6 address is currently useless.

	Nicolas.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ