Message-ID: <20200726214347.gezdwrn4l745vtsc@pali>
Date:   Sun, 26 Jul 2020 23:43:47 +0200
From:   Pali Rohár <pali@...nel.org>
To:     Alexander Aring <alex.aring@...il.com>
Cc:     "H. Peter Anvin" <hpa@...or.com>, netdev@...r.kernel.org
Subject: Re: IPv6: proxy_ndp to a network range

Hello, I would like to brisk up this thread again!

On Monday 09 May 2016 16:51:10 Alexander Aring wrote:
> Hi,
> 
> On Mon, May 09, 2016 at 01:46:13AM -0700, H. Peter Anvin wrote:
> > On May 9, 2016 1:39:08 AM PDT, Alexander Aring <alex.aring@...il.com> wrote:
> > >Hi,
> > >
> > >On Mon, May 09, 2016 at 01:06:51AM -0700, H. Peter Anvin wrote:
> > >> Hello,
> > >> 
> > >> There currently doesn't seem to be any support for proxy_ndp of a whole
> > >> network mask, as IPv4 proxy_arp seems to permit.
> > >> 
> > >> a) Am I actually correct in this, or am I just missing something important?
> > >> 

IPv4 proxy_arp has an ioctl API for specifying a subnet (not only one
address), but support for it was removed in Linux kernel version 2.1.79,
which was released a long time ago. Therefore, since Linux kernel 2.2,
specifying a netmask different from 255.255.255.255 is not possible
anymore.

There is, for example, still a HOWTO guide for the old Linux kernel 2.0 on
how to set up proxy ARP with subnetting via the "arp" command line utility.

https://www.tldp.org/HOWTO/Proxy-ARP-Subnet/setup.html

That "arp" utility in recent versions of Linux distributions still
supports specifying the "netmask" argument, but recent kernel versions just
return -EINVAL when the netmask is set to a value different from
255.255.255.255.

I do not know what the reason for removing this functionality was...
Maybe there were some optimizations in the lookup tables and the authors
decided that such functionality was not used and did not reimplement it?
Just guessing, who knows...

> > >> b) Is there a technical reason for this, or is it just a limitation of the
> > >> current implementation?
> > >> 

I think this is just a limitation of the current implementation (for both
IPv4 and IPv6). I think that there were no interested users of such
functionality and therefore nobody implemented it (again, for IPv4).

From a technical point of view, it is probably harder to have an optimized
implementation, as it would require some smart data structure with
support for merging and splitting radix trees for fast queries of whether
an address is in some proxy range or not.

> > >
> > >So far I know you can do this with the ndppd [0] userspace tool which listens
> > >for NS/NA messages and does the ip -6 neigh add proxy for you.
> > >
> > >- Alex
> > >
> > >[0] https://github.com/DanielAdolfsson/ndppd
> > 
> > Sure, but it seems like a workaround for something that ought to be simpler?
> 
> I don't know if there exists a simpler way, but I would also be
> interested in that.
> 
> There are some people @linux-wpan who want to plug in an ethernet cable
> and have everything work out of the box to access the 6LoWPAN network over
> the ethernet connection without doing routing setup stuff.
> 
> "ndppd" was on my list to test for realizing such a setup. :-)

There are already more userspace daemons which are doing this IPv6 NDP
proxying, either by forwarding packets or by automatically answering NDP
replies.

So such a setup / functionality is not rare and is already used by a lot of
people.

> ---
> 
> For the simpler solution, do you want to move the actual mechanism of what
> "ndppd" does into the kernel?

Because we already have support for IPv4 ARP and IPv6 NDP proxies in the
kernel, with the limitation to one address, I think it makes sense to extend
this implementation also to a netmask/range.

Personally, I would like to see this feature in the kernel (again). There
are a lot of setups which require an NDP proxy in the IPv6 world (e.g. when
the ISP provides only a link prefix, not a routed prefix) or also in the IPv4
world (e.g. when the ISP provides a block of addresses via one PPPoE tunnel).

For IPv4 we already have an existing (ioctl) API and existing utilities
which are using this API. But for IPv6 (and ideally also for IPv4) the
netlink API which is used by the "ip neighbour" utility would need to be
extended.


Alex and Peter, are you still interested in an in-kernel IPv6 NDP proxy?
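The two mechanisms discussed in this thread (a userspace daemon such as ndppd answering Neighbor Solicitations for a whole prefix, and the range lookup an in-kernel implementation would need) can be sketched in a few dozen lines. The following is an added example written for this archive page; it is neither ndppd's code nor kernel code. It parses an ICMPv6 Neighbor Solicitation (RFC 4861, type 135), does a longest-prefix match of the target against a configured list of proxied prefixes, and if the target is covered builds the Neighbor Advertisement (type 136) a proxy would answer with. The prefix list, MAC addresses and the sample NS are constructed for illustration, and the assumption that the kernel fills in the ICMPv6 checksum applies only if the NA is sent through a raw IPPROTO_ICMPV6 socket.

```python
"""Decision logic of a userspace NDP proxy, along the lines of what ndppd does.

Added example, not ndppd's code nor kernel code. Configuration and packets
below are constructed for illustration.
"""
import ipaddress
import struct

ICMPV6_NS = 135
ICMPV6_NA = 136
OPT_SOURCE_LL = 1
OPT_TARGET_LL = 2
NA_FLAG_ROUTER = 0x80000000
NA_FLAG_SOLICITED = 0x40000000


def parse_ns_target(icmpv6: bytes):
    """Return the target address of an NS, or None if this is not a well-formed NS.

    NS layout: type(1) code(1) checksum(2) reserved(4) target(16) [options...]
    """
    if len(icmpv6) < 24 or icmpv6[0] != ICMPV6_NS or icmpv6[1] != 0:
        return None
    return ipaddress.IPv6Address(icmpv6[8:24])


def in_proxy_range(addr: ipaddress.IPv6Address, prefixes):
    """Longest-prefix match over the proxied ranges; None if addr is not covered.

    A linear scan is fine for a handful of prefixes in userspace; an in-kernel
    version would want a radix tree, which is the cost raised in the mail above.
    """
    best = None
    for net in prefixes:
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def build_na(target: ipaddress.IPv6Address, our_mac: bytes, router: bool = False) -> bytes:
    """Build the NA body a proxy answers with.

    Solicited is set; Override is deliberately left clear, as RFC 4861 section
    7.2.4 advises for proxy advertisements so the real owner of the address
    wins if it ever appears. The checksum is left zero: when sent through a
    raw IPPROTO_ICMPV6 socket on Linux the kernel computes it (assumption
    about the send path, which this example does not include).
    """
    flags = NA_FLAG_SOLICITED | (NA_FLAG_ROUTER if router else 0)
    header = struct.pack("!BBHI", ICMPV6_NA, 0, 0, flags)
    # Target Link-Layer Address option: type 2, length 1 (units of 8 octets)
    tll_option = struct.pack("!BB", OPT_TARGET_LL, 1) + our_mac
    return header + target.packed + tll_option


def proxy_decision(icmpv6: bytes, prefixes, our_mac: bytes):
    """Return the NA to send for this NS, or None if the proxy should stay silent."""
    target = parse_ns_target(icmpv6)
    if target is None or in_proxy_range(target, prefixes) is None:
        return None
    return build_na(target, our_mac)


def make_sample_ns(target: str, src_mac: bytes) -> bytes:
    """Construct an NS as a host on the upstream link would send it (constructed input)."""
    header = struct.pack("!BBHI", ICMPV6_NS, 0, 0, 0)
    sll_option = struct.pack("!BB", OPT_SOURCE_LL, 1) + src_mac
    return header + ipaddress.IPv6Address(target).packed + sll_option


# Constructed configuration: proxy the whole /64 the ISP only puts on-link.
PROXIED_PREFIXES = [ipaddress.ip_network("2001:db8:1::/64")]
OUR_MAC = bytes.fromhex("020000000001")   # constructed locally administered MAC
PEER_MAC = bytes.fromhex("020000000002")  # constructed upstream host MAC

if __name__ == "__main__":
    ns = make_sample_ns("2001:db8:1::42", PEER_MAC)
    print("in range:", proxy_decision(ns, PROXIED_PREFIXES, OUR_MAC).hex())
    ns_other = make_sample_ns("2001:db8:2::1", PEER_MAC)
    print("outside range:", proxy_decision(ns_other, PROXIED_PREFIXES, OUR_MAC))
```

The lookup in `in_proxy_range` is the part the kernel's current single-address proxy table does not have: `ip -6 neigh add proxy` installs one exact entry per address, whereas a prefix-based proxy needs a membership query over ranges, and it is that query (plus keeping the ranges mergeable and splittable as entries come and go) that makes the in-kernel version more work than the per-address table.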
