Date:   Wed, 20 May 2020 01:11:26 +0900
From:   Lorenzo Colitti <lorenzo@...gle.com>
To:     Bram Bonné <brambonne@...gle.com>
Cc:     "David S. Miller" <davem@...emloft.net>,
        Alexey Kuznetsov <kuznet@....inr.ac.ru>,
        Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
        Jakub Kicinski <kuba@...nel.org>,
        Hannes Frederic Sowa <hannes@...essinduktion.org>,
        Linux NetDev <netdev@...r.kernel.org>,
        Jeffrey Vander Stoep <jeffv@...gle.com>,
        Maciej Żenczykowski <maze@...gle.com>
Subject: Re: [PATCH] ipv6: Add IN6_ADDR_GEN_MODE_STABLE_PRIVACY_SOFTMAC mode

On Tue, May 19, 2020 at 9:08 PM Bram Bonné <brambonne@...gle.com> wrote:
> @@ -381,7 +382,8 @@ static struct inet6_dev *ipv6_add_dev(struct net_device *dev)
>         timer_setup(&ndev->rs_timer, addrconf_rs_timer, 0);
>         memcpy(&ndev->cnf, dev_net(dev)->ipv6.devconf_dflt, sizeof(ndev->cnf));
>
> -       if (ndev->cnf.stable_secret.initialized)
> +       if (ndev->cnf.stable_secret.initialized &&
> +           !ipv6_addr_gen_use_softmac(ndev))
>                 ndev->cnf.addr_gen_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
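
Review bot: In ipv6_add_dev(), when stable_secret.initialized is set and ipv6_addr_gen_use_softmac(ndev) returns true, addr_gen_mode is left at whatever the memcpy() from devconf_dflt just copied, and nothing in the hunk says which mode that is meant to be. Add an explicit else branch that assigns the intended mode, or a comment stating that the copied default is deliberately kept. The helper's definition is not in the quoted lines, so it is also worth confirming that it only reads fields already initialised at this point in ipv6_add_dev().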

Looks like if stable_secret is set, then when the interface is brought
up it defaults to stable privacy addresses. But if
ipv6_addr_gen_use_softmac(), then this remains unset (which means...
EUI-64?) Any reason you don't set it to
IN6_ADDR_GEN_MODE_STABLE_PRIVACY_SOFTMAC in this case?

> @@ -6355,7 +6372,7 @@ static int addrconf_sysctl_stable_secret(struct ctl_table *ctl, int write,
>                 for_each_netdev(net, dev) {
>                         struct inet6_dev *idev = __in6_dev_get(dev);
>
> -                       if (idev) {
> +                       if (idev && !ipv6_addr_gen_use_softmac(idev)) {
>                                 idev->cnf.addr_gen_mode =
>                                         IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
>                         }
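
Review bot: In the for_each_netdev() loop, the new `!ipv6_addr_gen_use_softmac(idev)` test makes a write of the default stable_secret skip some devices silently, with no comment saying why. A short comment above the `if`, plus a matching sentence in the documentation of the stable_secret sysctl, would make it clear that these interfaces keep their current addr_gen_mode when the secret is written.
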
> @@ -6363,7 +6380,9 @@ static int addrconf_sysctl_stable_secret(struct ctl_table *ctl, int write,
>         } else {
>                 struct inet6_dev *idev = ctl->extra1;
>
> -               idev->cnf.addr_gen_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
> +               if (idev && !ipv6_addr_gen_use_softmac(idev))
> +                       idev->cnf.addr_gen_mode =
> +                               IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
>         }
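
Review bot: The `idev &&` test added in the else branch is a change unrelated to softmac: the removed line dereferenced `idev` (taken from ctl->extra1) unconditionally. If ctl->extra1 can be NULL here, that is a separate fix that should be called out in the commit message or split into its own patch; if it cannot, drop the NULL test and keep only `!ipv6_addr_gen_use_softmac(idev)`.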

... and in these two as well?

Since you haven't changed the netlink code, I assume that this address
is going to appear to userspace as IFA_F_STABLE_PRIVACY. I assume
that's what we want here? It's not really "stable", it's only as
stable as the MAC address. Does the text of the RFC support this
definition of "stable"?

Can it happen that the MAC address when the device is up and an IPv6
address already exists? If so, what happens to the address? Will the
system create a second stable privacy address when the next RA
arrives? That seems bad. But perhaps this cannot happen.
