lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAPA1RqC+wgi+fQ4A3GiwnLpGZ=5PfDF7kZUKkoYyXA2FN+4oyw@mail.gmail.com>
Date:   Fri, 13 Nov 2020 21:38:02 +0900
From:   Hideaki Yoshifuji <hideaki.yoshifuji@...aclelinux.com>
To:     Dmytro Shytyi <dmytro@...tyi.net>
Cc:     kuba <kuba@...nel.org>, kuznet <kuznet@....inr.ac.ru>,
        yoshfuji <yoshfuji@...ux-ipv6.org>,
        liuhangbin <liuhangbin@...il.com>, davem <davem@...emloft.net>,
        netdev <netdev@...r.kernel.org>,
        linux-kernel <linux-kernel@...r.kernel.org>,
        Hideaki Yoshifuji <hideaki.yoshifuji@...aclelinux.com>
Subject: Re: [PATCH net-next V4] net: Variable SLAAC: SLAAC with prefixes of
 arbitrary length in PIO

Hi,

2020年11月13日(金) 10:57 Dmytro Shytyi <dmytro@...tyi.net>:
>
> Variable SLAAC: SLAAC with prefixes of arbitrary length in PIO (randomly
> generated hostID or stable privacy + privacy extensions).
> The main problem is that SLAAC RA or PD allocates a /64 by the Wireless
> carrier 4G, 5G to a mobile hotspot, however segmentation of the /64 via
> SLAAC is required so that downstream interfaces can be further subnetted.
> Example: uCPE device (4G + WI-FI enabled) receives /64 via Wireless, and
> assigns /72 to VNF-Firewall, /72 to WIFI, /72 to VNF-Router, /72 to
> Load-Balancer and /72 to wired connected devices.
> IETF document that defines problem statement:
> draft-mishra-v6ops-variable-slaac-problem-stmt
> IETF document that specifies variable slaac:
> draft-mishra-6man-variable-slaac
>
> Signed-off-by: Dmytro Shytyi <dmytro@...tyi.net>
> ---
> diff -rupN net-next-5.10.0-rc2/net/ipv6/addrconf.c net-next-patch-5.10.0-rc2/net/ipv6/addrconf.c
> --- net-next-5.10.0-rc2/net/ipv6/addrconf.c     2020-11-10 08:46:01.075193379 +0100
> +++ net-next-patch-5.10.0-rc2/net/ipv6/addrconf.c       2020-11-13 02:30:25.552724864 +0100
> @@ -1315,10 +1322,14 @@ static int ipv6_create_tempaddr(struct i
>         struct ifa6_config cfg;
>         long max_desync_factor;
>         struct in6_addr addr;
> -       int ret = 0;
> +       int ret;
> +       struct in6_addr net_mask;
> +       struct in6_addr temp;
> +       struct in6_addr ipv6addr;
> +       int i;
>
>         write_lock_bh(&idev->lock);
> -
> +       ret = 0;
>  retry:
>         in6_dev_hold(idev);
>         if (idev->cnf.use_tempaddr <= 0) {
> @@ -1340,9 +1351,26 @@ retry:
>                 goto out;
>         }
>         in6_ifa_hold(ifp);
> -       memcpy(addr.s6_addr, ifp->addr.s6_addr, 8);
> -       ipv6_gen_rnd_iid(&addr);
>
> +       if (ifp->prefix_len == 64) {
> +               memcpy(addr.s6_addr, ifp->addr.s6_addr, 8);
> +               ipv6_gen_rnd_iid(&addr);
> +       } else if (ifp->prefix_len > 0 && ifp->prefix_len <= 128) {
> +               memcpy(addr.s6_addr32, ifp->addr.s6_addr, 16);
> +               get_random_bytes(temp.s6_addr32, 16);
> +
> +               /* tranfrom prefix len into mask */
> +               ipv6_plen_to_mask(ifp->prefix_len, &net_mask);
> +
> +               for (i = 0; i < 4; i++) {
> +                       /* network prefix */
> +                       ipv6addr.s6_addr32[i] = addr.s6_addr32[i] & net_mask.s6_addr32[i];
> +                       /* host id */
> +                       ipv6addr.s6_addr32[i] |= temp.s6_addr32[i] & ~net_mask.s6_addr32[i];
> +               }
> +
> +               memcpy(addr.s6_addr, ipv6addr.s6_addr32, 16);
>

ipv6_addr_copy() and then ipv6_addr_prefix_copy()

+       }
>         age = (now - ifp->tstamp) / HZ;
>
>         regen_advance = idev->cnf.regen_max_retry *
> @@ -2576,9 +2604,57 @@ int addrconf_prefix_rcv_add_addr(struct
>                                  u32 addr_flags, bool sllao, bool tokenized,
>                                  __u32 valid_lft, u32 prefered_lft)
>  {
> -       struct inet6_ifaddr *ifp = ipv6_get_ifaddr(net, addr, dev, 1);
> +       struct inet6_ifaddr *ifp = NULL;
>         int create = 0;
>
> +       if ((in6_dev->if_flags & IF_RA_VAR_PLEN) == IF_RA_VAR_PLEN &&
> +           in6_dev->cnf.addr_gen_mode != IN6_ADDR_GEN_MODE_STABLE_PRIVACY) {
> +               struct inet6_ifaddr *result = NULL;
> +               struct inet6_ifaddr *result_base = NULL;
> +               struct in6_addr net_mask;
> +               struct in6_addr net_prfx;
> +               struct in6_addr curr_net_prfx;
> +               bool prfxs_equal;
> +               int i;
> +
> +               result_base = result;
> +               rcu_read_lock();
> +               list_for_each_entry_rcu(ifp, &in6_dev->addr_list, if_list) {
> +                       if (!net_eq(dev_net(ifp->idev->dev), net))
> +                               continue;
> +
> +                       /* tranfrom prefix len into mask */
> +                       ipv6_plen_to_mask(pinfo->prefix_len, &net_mask);
> +                       /* Prepare network prefixes */
> +                       for (i = 0; i < 4; i++) {
> +                               /* Received/new network prefix */
> +                               net_prfx.s6_addr32[i] =
> +                                       pinfo->prefix.s6_addr32[i] & net_mask.s6_addr32[i];
> +                               /* Configured/old IPv6 prefix */
> +                               curr_net_prfx.s6_addr32[i] =
> +                                       ifp->addr.s6_addr32[i] & net_mask.s6_addr32[i];
> +                       }
> +                       /* Compare network prefixes */
> +                       prfxs_equal = 1;
> +                       for (i = 0; i < 4; i++) {
> +                               if ((net_prfx.s6_addr32[i] ^ curr_net_prfx.s6_addr32[i]) != 0)
> +                                       prfxs_equal = 0;
> +                       }

ipv6_prefix_equal()

> +                       if (prfxs_equal && pinfo->prefix_len == ifp->prefix_len) {
> +                               result = ifp;
> +                               in6_ifa_hold(ifp);
> +                               break;
> +                       }
> +               }
> +               rcu_read_unlock();
> +               if (result_base != result)
> +                       ifp = result;
> +               else
> +                       ifp = NULL;
> +       } else {
> +               ifp = ipv6_get_ifaddr(net, addr, dev, 1);
> +       }
> +
>         if (!ifp && valid_lft) {
>                 int max_addresses = in6_dev->cnf.max_addresses;
>                 struct ifa6_config cfg = {
> @@ -2781,9 +2857,35 @@ void addrconf_prefix_rcv(struct net_devi
>                                 dev_addr_generated = true;
>                         }
>                         goto ok;
> +               goto put;
> +               } else if (((in6_dev->if_flags & IF_RA_VAR_PLEN) == IF_RA_VAR_PLEN) &&
> +                         pinfo->prefix_len > 0 && pinfo->prefix_len <= 128) {
> +                       /* SLAAC with prefixes of arbitrary length (Variable SLAAC).
> +                        * draft-mishra-6man-variable-slaac
> +                        * draft-mishra-v6ops-variable-slaac-problem-stmt
> +                        * Contact: Dmytro Shytyi.
> +                        */
> +                       memcpy(&addr, &pinfo->prefix, 16);
> +                       if (in6_dev->cnf.addr_gen_mode == IN6_ADDR_GEN_MODE_STABLE_PRIVACY) {
> +                               if (!ipv6_generate_address_variable_plen(&addr,
> +                                                                        0,
> +                                                                        in6_dev,
> +                                                                        pinfo->prefix_len,
> +                                                                        true)) {
> +                                       addr_flags |= IFA_F_STABLE_PRIVACY;
> +                                       goto ok;
> +                       }
> +                       } else if (!ipv6_generate_address_variable_plen(&addr,
> +                                                                       0,
> +                                                                       in6_dev,
> +                                                                       pinfo->prefix_len,
> +                                                                       false)) {
> +                               goto ok;
> +                       }
> +               } else {
> +                       net_dbg_ratelimited("IPv6: Prefix with unexpected length %d\n",
> +                                           pinfo->prefix_len);
>                 }
> -               net_dbg_ratelimited("IPv6 addrconf: prefix with wrong length %d\n",
> -                                   pinfo->prefix_len);
>                 goto put;
>
>  ok:
> @@ -3264,6 +3366,118 @@ retry:
>         return 0;
>  }
>
> +static void ipv6_plen_to_mask(int plen, struct in6_addr *net_mask)
> +{
> +       int i, plen_bytes;
> +       char bit_array[7] = {0b10000000,
> +                            0b11000000,
> +                            0b11100000,
> +                            0b11110000,
> +                            0b11111000,
> +                            0b11111100,
> +                            0b11111110};
> +
> +       if (plen <= 0 || plen > 128)
> +               pr_err("Unexpected plen: %d", plen);
> +
> +       memset(net_mask, 0x00, sizeof(*net_mask));
> +
> +       /* We set all bits == 1 of s6_addr[i] */
> +       plen_bytes = plen / 8;
> +       for (i = 0; i < plen_bytes; i++)
> +               net_mask->s6_addr[i] = 0xff;
> +
> +       /* We add bits from the bit_array to
> +        * netmask starting from plen_bytes position
> +        */
> +       if (plen % 8)
> +               net_mask->s6_addr[plen_bytes] = bit_array[(plen % 8) - 1];
> +       memcpy(net_mask->s6_addr32, net_mask->s6_addr, 16);
> +}

I don't think we need this function.
If needed, we could introduce ipv6_addr_host() (like ipv6_addr_prefix())
in include/net/ipv6.h.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ