lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 9 Sep 2021 15:20:51 +0900 From: Lorenzo Colitti <lorenzo@...gle.com> To: David Ahern <dsahern@...il.com> Cc: Rocco Yue <rocco.yue@...iatek.com>, "David S . Miller" <davem@...emloft.net>, Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>, David Ahern <dsahern@...nel.org>, Jakub Kicinski <kuba@...nel.org>, Matthias Brugger <matthias.bgg@...il.com>, Linux NetDev <netdev@...r.kernel.org>, lkml <linux-kernel@...r.kernel.org>, linux-arm-kernel@...ts.infradead.org, linux-mediatek@...ts.infradead.org, wsd_upstream@...iatek.com, rocco.yue@...il.com, chao.song@...iatek.com, Kuohong Wang (王國鴻) <kuohong.wang@...iatek.com>, Zhuoliang Zhang (张卓亮) <zhuoliang.zhang@...iatek.com> Subject: Re: [PATCH] net: ipv6: don't generate link-local address in any addr_gen_mode David, sorry for reviving this discussion, but it felt better than starting a new thread about this. We (Android) added a vendor hook for this, but IMO that's the wrong solution and I think we'd still like to see this fixed the right way. > I think another addr_gen_mode is better than a separate sysctl. It looks > like IN6_ADDR_GEN_MODE_STABLE_PRIVACY and IN6_ADDR_GEN_MODE_RANDOM are > the ones used for RAs, so add something like: > > IN6_ADDR_GEN_MODE_STABLE_PRIVACY_NO_LLA, > IN6_ADDR_GEN_MODE_RANDOM_NO_LLA, I think the real requirement here (which wasn't clear in this thread) is that the network needs to control the interface ID (i.e., the bottom 64 bits) of the link-local address, but the device is free to use whatever interface IDs to form global addresses. See: https://www.etsi.org/deliver/etsi_ts/129000_129099/129061/15.03.00_60/ts_129061v150300p.pdf How do you think that would best be implemented? 1. The actual interface ID could be passed in using IFLA_INET6_TOKEN, but there is only one token, so that would cause all future addresses to use the token, disabling things like privacy addresses (bad). 2. We could add new IN6_ADDR_GEN_MODE_STABLE_PRIVACY_LL_TOKEN, IN6_ADDR_GEN_MODE_RANDOM_LL_TOKEN, etc., but we'd need to add one such mode for every new mode we add. 3. We could add a separate sysctl for the link-local address, but you said that per-device sysctls aren't free. 4. We could change the behaviour so that if the user configures a token and then sets IN6_ADDR_GEN_MODE_*, then we use the token only for the link-local address. But that would impact backwards compatibility. Thoughts? Cheers, Lorenzo
Powered by blists - more mailing lists