Message-ID: <CAJU8_nW=+PdWri41rJEivG_+_ckOmVncZ8jw+e3zvHHx_Gg5eg@mail.gmail.com>
Date: Wed, 31 Jul 2024 07:52:39 -0400
From: Kyle Rose <krose@...se.org>
To: Paolo Abeni <pabeni@...hat.com>
Cc: netdev@...r.kernel.org
Subject: Re: IPv6 max_addresses?

On Wed, Jul 31, 2024, 4:08 AM Paolo Abeni <pabeni@...hat.com> wrote:
>
> On 7/31/24 02:05, Kyle Rose wrote:
> > max_addresses, how does it work?
> >
> > $ ip -6 addr show scope global temporary dev sfp0 | grep inet6 | wc -l
> > 21
> > $ sysctl -ar 'sfp0.*max_add'
> > net.ipv6.conf.sfp0.max_addresses = 16
> >
> > They seem to be growing without bound. What's supposed to be happening here?
>
> From the related sysctl documentation:
>
> max_addresses - INTEGER
>          Maximum number of autoconfigured addresses per interface.
>
>
> 'max_address' only applies to the ipv6 assigned via prefix delegation,
> not to address explicitly assigned from the user-space via the `ip` tool.

These are all autoconfigured (SLAAC) privacy addresses from the same
prefix. (I don't think you mean prefix delegation, which is something
else: presumably you mean PIO, or prefix information option, included
in router advertisements. This machine is not a router.)

What is the mechanism by which old deprecated addresses are supposed
to get culled? Until now, I would have imagined it was some kind of
FIFO, but I also seem to recall sometime in the past valid_lft for a
temporary address continuing to march toward 0, after which presumably
it went away; now, valid_lft seems to be updated for every address,
even deprecated ones, to match what is received in the PIO from router
advertisements, so they never reach 0. And I don't know if there is
any other means by which they might get removed.

Up to 25 as of the writing of this response:

4: sfp0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP
group default qlen 1000
    inet6 2601:XXXX:XXXX:XXXX:c37c:cad6:ad09:b296/64 scope global
temporary dynamic
       valid_lft 6974sec preferred_lft 148sec
    inet6 2601:XXXX:XXXX:XXXX:71ae:3a57:b823:f83b/64 scope global
temporary deprecated dynamic
       valid_lft 6974sec preferred_lft 0sec
    inet6 2601:XXXX:XXXX:XXXX:a6db:6a36:1ebc:af96/64 scope global
temporary deprecated dynamic
       valid_lft 6974sec preferred_lft 0sec
    inet6 2601:XXXX:XXXX:XXXX:6a99:7d72:af9f:65d1/64 scope global
temporary deprecated dynamic
       valid_lft 6974sec preferred_lft 0sec
    inet6 2601:XXXX:XXXX:XXXX:52fe:9140:f9f9:99e3/64 scope global
temporary deprecated dynamic
       valid_lft 6974sec preferred_lft 0sec
    inet6 2601:XXXX:XXXX:XXXX:66ed:a8ba:508e:9bc6/64 scope global
temporary deprecated dynamic
       valid_lft 6974sec preferred_lft 0sec
    inet6 2601:XXXX:XXXX:XXXX:e428:6b1c:4e2:532/64 scope global
temporary deprecated dynamic
       valid_lft 6974sec preferred_lft 0sec
    inet6 2601:XXXX:XXXX:XXXX:9de1:cd15:6727:c1a6/64 scope global
temporary deprecated dynamic
       valid_lft 6974sec preferred_lft 0sec
    inet6 2601:XXXX:XXXX:XXXX:df23:336d:d4d9:a3be/64 scope global
temporary deprecated dynamic
       valid_lft 6974sec preferred_lft 0sec
    inet6 2601:XXXX:XXXX:XXXX:36e4:b05e:cf68:6956/64 scope global
temporary deprecated dynamic
       valid_lft 6974sec preferred_lft 0sec
    inet6 2601:XXXX:XXXX:XXXX:2f56:1ac1:a835:2291/64 scope global
temporary deprecated dynamic
       valid_lft 6974sec preferred_lft 0sec
    inet6 2601:XXXX:XXXX:XXXX:24ae:893d:c7c9:a6d3/64 scope global
temporary deprecated dynamic
       valid_lft 6974sec preferred_lft 0sec
    inet6 2601:XXXX:XXXX:XXXX:7be5:d00a:2c4:ca2d/64 scope global
temporary deprecated dynamic
       valid_lft 6974sec preferred_lft 0sec
    inet6 2601:XXXX:XXXX:XXXX:f392:43:eeed:adb9/64 scope global
temporary deprecated dynamic
       valid_lft 6974sec preferred_lft 0sec
    inet6 2601:XXXX:XXXX:XXXX:e0b1:e8b2:96bc:2d37/64 scope global
temporary deprecated dynamic
       valid_lft 6974sec preferred_lft 0sec
    inet6 2601:XXXX:XXXX:XXXX:e6e3:5f1e:2674:4da1/64 scope global
temporary deprecated dynamic
       valid_lft 6974sec preferred_lft 0sec
    inet6 2601:XXXX:XXXX:XXXX:5a0e:576d:544a:151f/64 scope global
temporary deprecated dynamic
       valid_lft 6974sec preferred_lft 0sec
    inet6 2601:XXXX:XXXX:XXXX:689f:c19f:85f4:9c10/64 scope global
temporary deprecated dynamic
       valid_lft 6974sec preferred_lft 0sec
    inet6 2601:XXXX:XXXX:XXXX:2008:988e:316:113a/64 scope global
temporary deprecated dynamic
       valid_lft 6974sec preferred_lft 0sec
    inet6 2601:XXXX:XXXX:XXXX:415a:8dbf:997d:e36/64 scope global
temporary deprecated dynamic
       valid_lft 6974sec preferred_lft 0sec
    inet6 2601:XXXX:XXXX:XXXX:d07a:9db9:a3ed:c7a6/64 scope global
temporary deprecated dynamic
       valid_lft 6974sec preferred_lft 0sec
    inet6 2601:XXXX:XXXX:XXXX:2f70:b871:4cc8:7add/64 scope global
temporary deprecated dynamic
       valid_lft 6974sec preferred_lft 0sec
    inet6 2601:XXXX:XXXX:XXXX:6481:3fd2:69e:5875/64 scope global
temporary deprecated dynamic
       valid_lft 6974sec preferred_lft 0sec
    inet6 2601:XXXX:XXXX:XXXX:7861:f451:a5ab:8671/64 scope global
temporary deprecated dynamic
       valid_lft 6974sec preferred_lft 0sec
    inet6 2601:XXXX:XXXX:XXXX:5ad9:184:856d:8ee3/64 scope global
temporary deprecated dynamic
       valid_lft 6974sec preferred_lft 0sec

For reference, the address assignment (this one via PD from my
provider) for the associated prefix on the router:

5: sfp0.10@...0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc
noqueue state UP group default qlen 1000
    inet6 2601:XXXX:XXXX:XXXX::1/64 scope global dynamic noprefixroute
       valid_lft 6843sec preferred_lft 6843sec

Kyle
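
Added example, not part of the original message or of any kernel or iproute2 code: a small parser for unwrapped `ip -6 addr show` output that makes the two comparisons made above, temporary-address count against `max_addresses` and the `valid_lft` of deprecated temporary addresses against that of the current one. The sample output is constructed (documentation prefix 2001:db8::/32), and `audit_temporary` and its result keys are hypothetical names.

```python
import re

# Constructed sample shaped like unwrapped `ip -6 addr show dev sfp0` output;
# the addresses use the 2001:db8::/32 documentation prefix.
SAMPLE = """\
4: sfp0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP group default qlen 1000
    inet6 2001:db8:0:1:c37c:cad6:ad09:b296/64 scope global temporary dynamic
       valid_lft 6974sec preferred_lft 148sec
    inet6 2001:db8:0:1:71ae:3a57:b823:f83b/64 scope global temporary deprecated dynamic
       valid_lft 6974sec preferred_lft 0sec
    inet6 2001:db8:0:1:a6db:6a36:1ebc:af96/64 scope global temporary deprecated dynamic
       valid_lft 6974sec preferred_lft 0sec
    inet6 2001:db8:0:1:21b:21ff:fe00:1/64 scope global dynamic
       valid_lft 6974sec preferred_lft 3374sec
"""

ADDR_RE = re.compile(r"^\s+inet6\s+(\S+)/\d+\s+scope\s+\S+\s*(.*)$")
LFT_RE = re.compile(r"valid_lft\s+(\S+)\s+preferred_lft\s+(\S+)")

def _secs(tok):
    # '6974sec' -> 6974; 'forever' -> None
    return None if tok == "forever" else int(tok[:-3])

def parse_inet6(text):
    """Return one dict per inet6 address with its flags and lifetimes."""
    addrs = []
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            addrs.append({"addr": m.group(1), "flags": set(m.group(2).split()),
                          "valid": None, "preferred": None})
        elif addrs and (m := LFT_RE.search(line)):
            addrs[-1]["valid"] = _secs(m.group(1))
            addrs[-1]["preferred"] = _secs(m.group(2))
    return addrs

def audit_temporary(text, max_addresses):
    """Summarise temporary addresses against a max_addresses value (hypothetical helper)."""
    temps = [a for a in parse_inet6(text) if "temporary" in a["flags"]]
    live = [a["valid"] for a in temps
            if "deprecated" not in a["flags"] and a["valid"] is not None]
    newest = max(live, default=None)
    # Deprecated addresses whose valid_lft is not below the current address's
    # are not ageing out ahead of it: the symptom described in the message.
    stuck = [a["addr"] for a in temps if "deprecated" in a["flags"]
             and newest is not None and a["valid"] is not None and a["valid"] >= newest]
    return {"temporary": len(temps),
            "deprecated": sum("deprecated" in a["flags"] for a in temps),
            # 0 disables the limit according to the kernel's ip-sysctl documentation
            "over_limit": max_addresses > 0 and len(temps) > max_addresses,
            "not_ageing_out": stuck}
```

Calling `audit_temporary(SAMPLE, max_addresses=2)` reports three temporary addresses, two of them deprecated and both listed under `not_ageing_out`; on a live host the text would come from `ip -6 addr show dev <interface>` and the limit from `sysctl net.ipv6.conf.<interface>.max_addresses`.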
