| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 13 Jan 2015 07:53:59 -0700 From: David Ahern <dsahern@...il.com> To: Hannes Frederic Sowa <hannes@...hat.com>, YOSHIFUJI Hideaki <hideaki.yoshifuji@...aclelinux.com> CC: Stephen Hemminger <stephen@...workplumber.org>, "netdev@...r.kernel.org" <netdev@...r.kernel.org> Subject: Re: why are IPv6 addresses removed on link down On 1/13/15 5:36 AM, Hannes Frederic Sowa wrote: > Hi, > > On Di, 2015-01-13 at 21:15 +0900, YOSHIFUJI Hideaki wrote: >> YOSHIFUJI Hideaki wrote: >>> Hi, >>> >>> Hannes Frederic Sowa wrote: >>>> On Mo, 2015-01-12 at 23:10 -0800, Stephen Hemminger wrote: >>>>> On Mon, 12 Jan 2015 22:06:44 -0700 >>>>> David Ahern <dsahern@...il.com> wrote: >>>>> >>>>>> We noticed that IPv6 addresses are removed on a link down. e.g., >>>>>> ip link set dev eth1 >>>>>> >>>>>> >>>>>> Looking at the code it appears to be this code path in addrconf.c: >>>>>> >>>>>> case NETDEV_DOWN: >>>>>> case NETDEV_UNREGISTER: >>>>>> /* >>>>>> * Remove all addresses from this interface. >>>>>> */ >>>>>> addrconf_ifdown(dev, event != NETDEV_DOWN); >>>>>> break; >>>>>> >>>>>> IPv4 addresses are NOT removed on a link down. Is there a particular >>>>>> reason IPv6 addresses are? >>>>>> >>>>>> Thanks, >>>>>> David >>>>> >>>>> See RFC's which describes how IPv6 does Duplicate Address Detection. >>>>> Address is not valid when link is down, since DAD is not possible. >>>> >>>> It should be no problem if the kernel would reacquire them on ifup and >>>> do proper DAD. We simply must not use them while the interface is dead >>>> (also making sure they don't get used for loopback routing). >>>> >>>> The problem the IPv6 addresses get removed is much more a historical >>>> artifact nowadays, I think. It is part of user space API and scripts >>>> deal with that already. >>> >>> We might have another "detached" state which essintially drops >>> outgoing packets while link is down. Just after recovering link, >>> we could start receiving packet from the link and perform optimistic >>> DAD. And then, after it succeeds, we may start sending packets. >>> >>> Since "detached" state is like the state just before completing >>> Optimistic DAD, it is not so difficult to implement this extended >>> behavior, I guess. >>> >> >> Note that node is allowed to send packets to neighbours or default >> routers if the node knows their link-layer addresses during Optimistic >> DAD. >> > > I don't think it should be a problem from internal state handling of the > addresses. > > I am much more concerned with scripts expecting the addresses to be > flushed on interface down/up and not reacting appropriate. The current code seems inconsistent: I can put an IPv6 address on a link in the down state. On a link up the address is retained. Only on a subsequent link down is it removed. If DAD or anything else is the reason for the current logic then why allow an address to be assigned in the down state? Similarly that it currently seems to work ok then it suggests the right thing is done on a link up in which case a flush is not needed. Bottom line is there a harm in removing the flush? If there is no harm will mainline kernel take a patch to do that or is your backward compatibility concern enough to block it? David -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists