lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Sun, 26 May 2019 22:13:11 +0200
From:   "M. Buecher" <>
Cc:     Michal Kubecek <>,
        Toke Høiland-Jørgensen 
Subject: Re: IP-Aliasing for IPv6? (actually "labels")

On 2019-05-20 22:53, Michal Kubecek wrote:
> On Mon, May 20, 2019 at 10:23:03PM +0200, M. Buecher wrote:
>> Used feature is the label option of `ip`, which works for IPv4, but 
>> not with
>> IPv6.
> The only reason for having these labels is to allow old tools like
> ifconfig to partially work even if the underlying implementation
> changed. There is no need for labels with IPv6 as even ifconfig (and 
> the
> ioctl interface it uses) does not pretend there are virtual interfaces
> and 1:1 mapping between interfaces and addresses and usess add/remove 
> to
> add or remove addresses to/from the list.
>> Goal: Use virtual interfaces to run separate instances of a service on
>> different IP addresses on the same machine.
>> For example with dnsmasq I use `-interface ens192` for the normal main
>> instance, while using `-interface ens192:0` and `-interfaces ens192:1` 
>> for
>> special instances only assigned to specific machines via their MAC
>> addresses.
> Configuration syntax based on "listening on an interface" is in most
> cases a historical relic because  this "interface" is just used to get
> the address the daemon is to listen on (bind the listening socket to).
> Most daemons support also identifying the listening address(es) 
> directly
> which should be preferred as then your configuration matches what the
> daemon is actually doing. (There are exceptions, e.g. "ping -I eth1"
> does something different than "ping -I" but these are rather
> rare.) Any daemon supporting IPv6 should definitely support setting the
> listening address(es) directly.

"Listening on an interface" is extremly convenient: configure/change ip 
addresses on the "label", then just reload/signal the services.
No tedious tasks needed to define each and every IP address (v4+v6) for 
each and every service.
Therefore I prefer the "oldschool" way of "listening on an interface".
Especially with the standard multi-homing of IPv6 I still vote for the 
old style and introducing labels also for IPv6.

Otherwise I just have to obey the decisions of the Kernel team and adopt 
my setups.
All explanation have been much appreciated from everybody that answered. 
This helped me to understand the topic much better. Thanks a lot.

Btw today ping doesn't work anymore with "labels", e.g. "-I eth0:0", as 
it incorrectly assumes an IP address due to the colon, although an IPv6 
address has always at least two colons in it (::1, 

>> What is the correct name when I use the label option of the ip 
>> command?
>> The "IP-Aliasing" doc was the only one I could find on that 
>> fit
>> the way labels are assigned with ip.
> They are just labels. The term "IP aliasing" denotes the older
> implementation in 2.0 kernels where there were actual virtual
> interfaces, allowing you to assign the extra addresses to them. Since
> kernel 2.2, it's no longer the case, there is just the actual interface
> and it has a list of IPv4 addresses.
>                                                          Michal Kubecek

Powered by blists - more mailing lists