lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 27 Jan 2015 10:44:21 +0100
From:	Hannes Frederic Sowa <hannes@...essinduktion.org>
To:	Andy Gospodarek <gospo@...ulusnetworks.com>
Cc:	Stephen Hemminger <stephen@...workplumber.org>,
	David Ahern <dsahern@...il.com>, netdev@...r.kernel.org
Subject: Re: [RFC PATCH] net: ipv6: Make address flushing on ifdown optional

Hi,

On Mo, 2015-01-26 at 23:56 -0500, Andy Gospodarek wrote:
> On Fri, Jan 23, 2015 at 01:22:17PM +0100, Hannes Frederic Sowa wrote:
> > On Do, 2015-01-22 at 22:40 -0800, Stephen Hemminger wrote:
> > > On Wed, 14 Jan 2015 12:17:19 -0700
> > > David Ahern <dsahern@...il.com> wrote:
> > > 
> > > > Currently, ipv6 addresses are flushed when the interface is configured down:
> > > > 
> > > > [root@f20 ~]# ip -6 addr add dev eth1 2000:11:1:1::1/64
> > > > [root@f20 ~]# ip addr show dev eth1
> > > > 3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
> > > >     link/ether 02:04:11:22:33:01 brd ff:ff:ff:ff:ff:ff
> > > >     inet6 2000:11:1:1::1/64 scope global tentative
> > > >        valid_lft forever preferred_lft forever
> > > > [root@f20 ~]# ip link set dev eth1 up
> > > > [root@f20 ~]# ip link set dev eth1 down
> > > > [root@f20 ~]# ip addr show dev eth1
> > > > 3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
> > > >     link/ether 02:04:11:22:33:01 brd ff:ff:ff:ff:ff:ff
> > > > 
> > > > Add a new sysctl to make this behavior optional. Setting defaults to flush
> > > > addresses to maintain backwards compatibility. When reset flushing is bypassed:
> > > > 
> > > > [root@f20 ~]# echo 0 > /proc/sys/net/ipv6/conf/eth1/flush_addr_on_down
> > > > [root@f20 ~]# ip -6 addr add dev eth1 2000:11:1:1::1/64
> > > > [root@f20 ~]# ip addr show dev eth1
> > > > 3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
> > > >     link/ether 02:04:11:22:33:01 brd ff:ff:ff:ff:ff:ff
> > > >     inet6 2000:11:1:1::1/64 scope global tentative
> > > >        valid_lft forever preferred_lft forever
> > > > [root@f20 ~]#  ip link set dev eth1 up
> > > > [root@f20 ~]#  ip link set dev eth1 down
> > > > [root@f20 ~]# ip addr show dev eth1
> > > > 3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
> > > >     link/ether 02:04:11:22:33:01 brd ff:ff:ff:ff:ff:ff
> > > >     inet6 2000:11:1:1::1/64 scope global
> > > >        valid_lft forever preferred_lft forever
> > > >     inet6 fe80::4:11ff:fe22:3301/64 scope link
> > > >        valid_lft forever preferred_lft forever
> > > > 
> > > > Suggested-by: Hannes Frederic Sowa <hannes@...hat.com>
> > > > Signed-off-by: David Ahern <dsahern@...il.com>
> > > > Cc: Hannes Frederic Sowa <hannes@...hat.com>
> > > 
> > > Would this break existing application expecting a particular semantic
> > > by listening to netlink?  What happens to packets received with the static
> > > address when interface is down? With IPv4 Linux is mostly a weak host
> > > model, and IPv6 somewhere in between.
> > 
> > IPv6 is mostly a weak end model, too, but IFA_LINK addresses are used
> > much more. So yes, it is somewhere in between.
> > 
> > Addresses bound to interfaces which are currently down will work with
> > IPv6 (in contrast to IPv4).
> > 
> > > For vendors that control the application stack or have limited number
> > > of services this would work fine, but what about RHEL?
> > 
> > The new model is only enabled if the sysctl is set. I don't expect a lot
> > of vendors or distributions switching anytime soon.
> 
> You are probably correct that many will not switch, but this sysctl
> gives those who want to switch a nice option without having to carry
> extra kernel patches.  I like it. 

I don't see any problem with the patch in general but DAD should
definitely happen on reenabling interfaces. Current behavior does not
seem fine to me. It's ok if this patch doesn't change this behavior now
but a follow-up one will be needed then.

David, will you look after the DAD logic and do you plan a follow-up
patch?

> I have been pondering a few different changes to interface address and
> route behavior on both interface and link (gasp!) down and would like to
> use sysctls to make those options available to those who are interested
> without changing the current model.

Can you be more specific? In the last year we added some per interface
flags to e.g. handle the creation of on-link routes in case of an
address gets added to the interface. Maybe this is the better approach,
because quite a lot of stuff happens interface local in IPv6.

Thanks,
Hannes


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ