lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Mon, 6 Apr 2020 13:26:34 -0300
From:   Fernando Gont <fgont@...networks.com>
To:     netdev <netdev@...r.kernel.org>
Subject: Re: [PATCH] [net-next] IPv6 RFC4941bis (Privacy/temporary addresses)

Folks,

Any thoughts?

Thanks!
Fernando




On 2/4/20 14:06, Fernando Gont wrote:
> Folks,
> 
> This patch the upcoming revision of RFC4941: 
> https://tools.ietf.org/html/draft-ietf-6man-rfc4941bis-08 .
> 
> Namely,
> 
> * Reduces the default Valid Lifetime to 2 days
> This reduces stress on network elements, among other things
> 
> * Employs different IIDs for different prefixes
> To avoid network activity correlation among addresses configured for 
> different prefixes
> 
> * Uses a simpler algorithm for IID generation
> No need to store "history" anywhere
> 
> P.S.: The patch is also available here: 
> https://www.gont.com.ar/code/fgont-patch-linux-net-next-rfc4941bis.txt
> 
> ---- cut here ----
> diff --git Documentation/networking/ip-sysctl.txt 
> Documentation/networking/ip-sysctl.txt
> index ee961d322d93..db1ee7340090 100644
> --- Documentation/networking/ip-sysctl.txt
> +++ Documentation/networking/ip-sysctl.txt
> @@ -1807,7 +1807,7 @@ use_tempaddr - INTEGER
> 
>   temp_valid_lft - INTEGER
>       valid lifetime (in seconds) for temporary addresses.
> -    Default: 604800 (7 days)
> +    Default: 172800 (2 days)
> 
>   temp_prefered_lft - INTEGER
>       Preferred lifetime (in seconds) for temporary addresses.
> diff --git include/net/addrconf.h include/net/addrconf.h
> index e0eabe58aa8b..1bd21ee035bf 100644
> --- include/net/addrconf.h
> +++ include/net/addrconf.h
> @@ -8,7 +8,7 @@
> 
>   #define MIN_VALID_LIFETIME        (2*3600)    /* 2 hours */
> 
> -#define TEMP_VALID_LIFETIME        (7*86400)
> +#define TEMP_VALID_LIFETIME        (2*86400)
>   #define TEMP_PREFERRED_LIFETIME        (86400)
>   #define REGEN_MAX_RETRY            (3)
>   #define MAX_DESYNC_FACTOR        (600)
> diff --git include/net/if_inet6.h include/net/if_inet6.h
> index a01981d7108f..212eb278bda6 100644
> --- include/net/if_inet6.h
> +++ include/net/if_inet6.h
> @@ -190,7 +190,6 @@ struct inet6_dev {
>       int            dead;
> 
>       u32            desync_factor;
> -    u8            rndid[8];
>       struct list_head    tempaddr_list;
> 
>       struct in6_addr        token;
> diff --git net/ipv6/addrconf.c net/ipv6/addrconf.c
> index a11fd4d67832..da34dbbd0195 100644
> --- net/ipv6/addrconf.c
> +++ net/ipv6/addrconf.c
> @@ -135,8 +135,7 @@ static inline void addrconf_sysctl_unregister(struct 
> inet6_dev *idev)
>   }
>   #endif
> 
> -static void ipv6_regen_rndid(struct inet6_dev *idev);
> -static void ipv6_try_regen_rndid(struct inet6_dev *idev, struct 
> in6_addr *tmpaddr);
> +static void ipv6_gen_rnd_iid(struct in6_addr *addr);
> 
>   static int ipv6_generate_eui64(u8 *eui, struct net_device *dev);
>   static int ipv6_count_addresses(const struct inet6_dev *idev);
> @@ -432,8 +431,7 @@ static struct inet6_dev *ipv6_add_dev(struct 
> net_device *dev)
>           dev->type == ARPHRD_SIT ||
>           dev->type == ARPHRD_NONE) {
>           ndev->cnf.use_tempaddr = -1;
> -    } else
> -        ipv6_regen_rndid(ndev);
> +    }
> 
>       ndev->token = in6addr_any;
> 
> @@ -1306,12 +1304,11 @@ static void ipv6_del_addr(struct inet6_ifaddr *ifp)
>       in6_ifa_put(ifp);
>   }
> 
> -static int ipv6_create_tempaddr(struct inet6_ifaddr *ifp,
> -                struct inet6_ifaddr *ift,
> -                bool block)
> +static int ipv6_create_tempaddr(struct inet6_ifaddr *ifp, bool block)
>   {
>       struct inet6_dev *idev = ifp->idev;
> -    struct in6_addr addr, *tmpaddr;
> +    struct in6_addr addr;
> +    struct inet6_ifaddr *ift;
>       unsigned long tmp_tstamp, age;
>       unsigned long regen_advance;
>       struct ifa6_config cfg;
> @@ -1321,14 +1318,7 @@ static int ipv6_create_tempaddr(struct 
> inet6_ifaddr *ifp,
>       s32 cnf_temp_preferred_lft;
> 
>       write_lock_bh(&idev->lock);
> -    if (ift) {
> -        spin_lock_bh(&ift->lock);
> -        memcpy(&addr.s6_addr[8], &ift->addr.s6_addr[8], 8);
> -        spin_unlock_bh(&ift->lock);
> -        tmpaddr = &addr;
> -    } else {
> -        tmpaddr = NULL;
> -    }
> +
>   retry:
>       in6_dev_hold(idev);
>       if (idev->cnf.use_tempaddr <= 0) {
> @@ -1351,8 +1341,8 @@ static int ipv6_create_tempaddr(struct 
> inet6_ifaddr *ifp,
>       }
>       in6_ifa_hold(ifp);
>       memcpy(addr.s6_addr, ifp->addr.s6_addr, 8);
> -    ipv6_try_regen_rndid(idev, tmpaddr);
> -    memcpy(&addr.s6_addr[8], idev->rndid, 8);
> +    ipv6_gen_rnd_iid(&addr);
> +
>       age = (now - ifp->tstamp) / HZ;
> 
>       regen_advance = idev->cnf.regen_max_retry *
> @@ -1417,7 +1407,6 @@ static int ipv6_create_tempaddr(struct 
> inet6_ifaddr *ifp,
>           in6_ifa_put(ifp);
>           in6_dev_put(idev);
>           pr_info("%s: retry temporary address regeneration\n", __func__);
> -        tmpaddr = &addr;
>           write_lock_bh(&idev->lock);
>           goto retry;
>       }
> @@ -2032,7 +2021,7 @@ static void addrconf_dad_stop(struct inet6_ifaddr 
> *ifp, int dad_failed)
>           if (ifpub) {
>               in6_ifa_hold(ifpub);
>               spin_unlock_bh(&ifp->lock);
> -            ipv6_create_tempaddr(ifpub, ifp, true);
> +            ipv6_create_tempaddr(ifpub, true);
>               in6_ifa_put(ifpub);
>           } else {
>               spin_unlock_bh(&ifp->lock);
> @@ -2329,42 +2318,39 @@ static int ipv6_inherit_eui64(u8 *eui, struct 
> inet6_dev *idev)
>       return err;
>   }
> 
> -/* (re)generation of randomized interface identifier (RFC 3041 3.2, 
> 3.5) */
> -static void ipv6_regen_rndid(struct inet6_dev *idev)
> +/* Generation of a randomized Interface Identifier 
> draft-ietf-6man-rfc4941bis, Section 3.3.1 */
> +static void ipv6_gen_rnd_iid(struct in6_addr *addr)
>   {
>   regen:
> -    get_random_bytes(idev->rndid, sizeof(idev->rndid));
> -    idev->rndid[0] &= ~0x02;
> +    get_random_bytes(&addr->s6_addr[8], 8);
> 
>       /*
> -     * <draft-ietf-ipngwg-temp-addresses-v2-00.txt>:
> -     * check if generated address is not inappropriate
> +     *  <draft-ietf-6man-rfc4941bis-08.txt>, Section 3.3.1:
> +     *  check if generated address is not inappropriate:
> +     *
> +     *  - Reserved IPv6 Interface Identifers
> +     * 
> (http://www.iana.org/assignments/ipv6-interface-ids/ipv6-interface-ids.xhtml) 
> 
>        *
> -     *  - Reserved subnet anycast (RFC 2526)
> -     *    11111101 11....11 1xxxxxxx
> -     *  - ISATAP (RFC4214) 6.1
> -     *    00-00-5E-FE-xx-xx-xx-xx
> -     *  - value 0
>        *  - XXX: already assigned to an address on the device
>        */
> -    if (idev->rndid[0] == 0xfd &&
> - 
> (idev->rndid[1]&idev->rndid[2]&idev->rndid[3]&idev->rndid[4]&idev->rndid[5]&idev->rndid[6]) 
> == 0xff &&
> -        (idev->rndid[7]&0x80))
> +
> +    /* Subnet-router anycast: 0000:0000:0000:0000 */
> +    if (!(addr->s6_addr32[2] | addr->s6_addr32[3]))
>           goto regen;
> -    if ((idev->rndid[0]|idev->rndid[1]) == 0) {
> -        if (idev->rndid[2] == 0x5e && idev->rndid[3] == 0xfe)
> -            goto regen;
> -        if 
> ((idev->rndid[2]|idev->rndid[3]|idev->rndid[4]|idev->rndid[5]|idev->rndid[6]|idev->rndid[7]) 
> == 0x00)
> -            goto regen;
> -    }
> -}
> 
> -static void  ipv6_try_regen_rndid(struct inet6_dev *idev, struct 
> in6_addr *tmpaddr)
> -{
> -    if (tmpaddr && memcmp(idev->rndid, &tmpaddr->s6_addr[8], 8) == 0)
> -        ipv6_regen_rndid(idev);
> +    /* IANA Ethernet block: 0200:5EFF:FE00:0000-0200:5EFF:FE00:5212
> +       Proxy Mobile IPv6:   0200:5EFF:FE00:5213
> +       IANA Ethernet block: 0200:5EFF:FE00:5214-0200:5EFF:FEFF:FFFF
> +    */
> +    if (ntohl(addr->s6_addr32[2]) == 0x02005eff && 
> (ntohl(addr->s6_addr32[3]) & 0Xff000000) == 0xfe000000)
> +        goto regen;
> +
> +    /* Reserved subnet anycast addresses */
> +    if (ntohl(addr->s6_addr32[2]) == 0xfdffffff && 
> ntohl(addr->s6_addr32[3]) >= 0Xffffff80)
> +        goto regen;
>   }
> 
> +
>   /*
>    *    Add prefix route.
>    */
> @@ -2544,7 +2530,7 @@ static void manage_tempaddrs(struct inet6_dev *idev,
>            * no temporary address currently exists.
>            */
>           read_unlock_bh(&idev->lock);
> -        ipv6_create_tempaddr(ifp, NULL, false);
> +        ipv6_create_tempaddr(ifp, false);
>       } else {
>           read_unlock_bh(&idev->lock);
>       }
> @@ -4539,7 +4525,7 @@ static void addrconf_verify_rtnl(void)
>                           ifpub->regen_count = 0;
>                           spin_unlock(&ifpub->lock);
>                           rcu_read_unlock_bh();
> -                        ipv6_create_tempaddr(ifpub, ifp, true);
> +                        ipv6_create_tempaddr(ifpub, true);
>                           in6_ifa_put(ifpub);
>                           in6_ifa_put(ifp);
>                           rcu_read_lock_bh();
> ---- cut here ----
> 
> Thanks,


-- 
Fernando Gont
SI6 Networks
e-mail: fgont@...networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ