[PATCH] Setting IPv6 route advertisement accepting interfaces
Tonnerre LOMBARD
2009-07-12 20:49:52 UTC
Salut,

This is the first part of my series of patches concerning IPv6 route
advertisements. It simply moves the variable deciding whether or not
to accept IPv6 route advertisements on a specific interface to be
specific to that interface.

A second patch is going to separate the setting of when to accept
a default route (which is why there are more bits left on the
autoconf integer. However, it would have been really cool had there
still been 2 bits of space left on if_flags.)

Either way, here's it. If your mailer doesn't like PGP signed
attachments, go to
http://www.netbsd.org/~tonnerre/patches/src/2009/netinet6-rtadv-per-interface.patch
to find a copy of said patch.

Any opinions?

Tonnerre
Hiroki Sato
2009-07-12 21:36:22 UTC
Tonnerre LOMBARD <***@bsdprojects.net> wrote
in <***@jules.pas-un-geek-en-tant-que-tel.ch>:

to> Salut,
to>
to> This is the first part of my series of patches concerning IPv6 route
to> advertisements. It simply moves the variable deciding whether or not
to> to accept IPv6 route advertisements on a specific interface to be
to> specific to that interface.
to>
to> A second patch is going to separate the setting of when to accept
to> a default route (which is why there are more bits left on the
to> autoconf integer. However, it would have been really cool had there
to> still been 2 bits of space left on if_flags.)
to>
to> Either way, here's it. If your mailer doesn't like PGP signed
to> attachments, go to
to> http://www.netbsd.org/~tonnerre/patches/src/2009/netinet6-rtadv-per-interface.patch
to> to find a copy of said patch.

I don't think adding a new flag is reasonable because there is a
per-interface flag to control accepting RA (ND6_IFF_ACCEPT_RTADV)
already.

-- Hiroki
Tonnerre LOMBARD
2009-07-12 22:11:39 UTC
Salut,
Post by Hiroki Sato
I don't think adding a new flag is reasonable because there is a
per-interface flag to control accepting RA (ND6_IFF_ACCEPT_RTADV)
already.
How would one set that flag? I've only seen it being set in one
single place which had no attachment whatsoever to any type of
logic.

Tonnerre
Hiroki Sato
2009-07-12 23:01:27 UTC
Tonnerre LOMBARD <***@netbsd.ch> wrote
in <***@jules.pas-un-geek-en-tant-que-tel.ch>:

to> Salut,
to>
to> On Mon, Jul 13, 2009 at 06:36:22AM +0900, Hiroki Sato wrote:
to> > I don't think adding a new flag is reasonable because there is a
to> > per-interface flag to control accepting RA (ND6_IFF_ACCEPT_RTADV)
to> > already.
to>
to> How would one set that flag? I've only seen it being set in one
to> single place which had no attachment whatsoever to any type of
to> logic.

It can be set by using ndp(8), and the flag is used in nd6_ra_input().

I fully agree with your idea and having such a per-interface flag is
the way to go since accepting RAs should be controlled in that way on
a system with multiple interfaces. It is supposed that
ND6_IFF_ACCEPT_RTADV can be used, not by adding a protocol-dependent
flag to struct ifnet (we should avoid it if we can), but we need
some more change because it is not fully implemented.

Actually I have a similar patchset to yours in another way:

1) Add a part of ndp(8) functionality to ifconfig(8). We have the
ndp(8) utility for changing IPv6 NDP parameters but it is more
reasonable that the per-interface parameters are handled by
ifconfig(8) for consistency. More specifically, PERFORMNUD,
ACCEPT_RTADV, DISABLED, and default interface (ndp -I) should be
done by ifconfig(8) like "ifconfig le0 inet6 -accept_rtadv".

2) Use the existing sysctl net.inet6.ip6.accept_rtadv as the default
value of the corresponding per-IF flags, not a global knob. The
accept_rtadv is set as 0 by default.

3) Add (ip6.forwarding == 0 && ND6_IFF_ACCEPT_RTADV) check to
nd6_ra_input(). The other similar checks for if the node is
router or if the interface has ND6_IFF_ACCEPT_RTADV have been made
consistent wherever possible. Especially when (ip6.forwarding ==
1) is true, ignore RAs regardless of ND6_IFF_ACCEPT_RTADV.

4) Remove IPV6CTL_ACCEPT_RTADV check in rtsold(8).

What do you think of this way? I have been using the patchset against a
somewhat old source tree for some time. I can send it to you for the
latest source tree in a couple of days.

-- Hiroki
Tonnerre LOMBARD
2009-07-12 23:22:03 UTC
Salut,
Post by Hiroki Sato
1) Add a part of ndp(8) functionality to ifconfig(8). We have the
ndp(8) utility for changing IPv6 NDP parameters but it is more
reasonable that the per-interface parameters are handled by
ifconfig(8) for consistency. More specifically, PERFORMNUD,
ACCEPT_RTADV, DISABLED, and default interface (ndp -I) should be
done by ifconfig(8) like "ifconfig le0 inet6 -accept_rtadv".
Well, it's not as easy as adding flags, but yeah. Alternatively,
we should use ndp in the startup scripts.
Post by Hiroki Sato
2) Use the existing sysctl net.inet6.ip6.accept_rtadv as the default
value of the corresponding per-IF flags, not a global knob. The
accept_rtadv is set as 0 by default.
I wonder if that sysctl should be there at all. We should possibly
eliminate all related sysctls entirely if they're not required. ;-)

(Yeah, I know I was doing the opposite.)
Post by Hiroki Sato
3) Add (ip6.forwarding == 0 && ND6_IFF_ACCEPT_RTADV) check to
nd6_ra_input(). The other similar checks for if the node is
router or if the interface has ND6_IFF_ACCEPT_RTADV have been made
consistent wherever possible. Especially when (ip6.forwarding ==
1) is true, ignore RAs regardless of ND6_IFF_ACCEPT_RTADV.
I'm not sure a global ip_forwarding ban is the right step either.
I mean, what's the problem with having a system which accepts a
default route on em0 and routes for people on em1?

This concept has holes.

Post by Hiroki Sato
4) Remove IPV6CTL_ACCEPT_RTADV check in rtsold(8).
rtsold is a beast I'm turning my mind to later when I'm implementing
RFC5006 support (correctly). I'm somewhat tired of abusing mdns.
Post by Hiroki Sato
What do you think of this way? I am using the patchset against a bit
old source tree for some time. I can send it to you for the latest
source tree in a couple of days.
Yeah, why not? Sounds great.

But another question, do you have any existent procedures for
differentiating between "Calculate an address on that interface"
and "accept default routes on that interface"?

I don't mean default route preference but complete denial to learn
default routes on an interface.

Tonnerre
Steven M. Bellovin
2009-07-12 21:45:11 UTC
On Sun, 12 Jul 2009 22:49:52 +0200
Post by Tonnerre LOMBARD
Salut,
This is the first part of my series of patches concerning IPv6 route
advertisements. It simply moves the variable deciding whether or not
to accept IPv6 route advertisements on a specific interface to be
specific to that interface.
A second patch is going to separate the setting of when to accept
a default route (which is why there are more bits left on the
autoconf integer. However, it would have been really cool had there
still been 2 bits of space left on if_flags.)
Either way, here's it. If your mailer doesn't like PGP signed
attachments, go to
http://www.netbsd.org/~tonnerre/patches/src/2009/netinet6-rtadv-per-interface.patch
to find a copy of said patch.
This is a good step, but I think that considerably more control is
needed, either at this level or a level above. I'd like to be able to
filter advertisements by source and prefix. For example, if my site
has native IPv6, I'd like to be able to exclude 2002:xxx -- 6to4 --
which are sometimes emitted by personal machines that I don't want to
route through.


--Steve Bellovin, http://www.cs.columbia.edu/~smb

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
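A model of the RA policy the thread is circling around, covering Hiroki's items 2 and 3 (the sysctl as a per-interface default, routers ignoring RAs), Tonnerre's wish to separate "configure an address" from "learn a default route", and Bellovin's wish to exclude 6to4 prefixes. This is an added example, not code from any of the patches discussed: the IF6_* bits, the globals, the sample RAs and the evaluate() helper are all assumptions, and the 6to4 exclusion is a plain prefix match.

```c
#include <stdint.h>

/* Per-interface bits: IF6_ACCEPT_RTADV stands in for the kernel's
 * ND6_IFF_ACCEPT_RTADV; IF6_ACCEPT_DEFROUTE is a hypothetical second bit
 * for "accept default routes on this interface". */
#define IF6_ACCEPT_RTADV    0x01
#define IF6_ACCEPT_DEFROUTE 0x02
struct if6 { int flags; };
struct ra {                    /* the RA fields the policy looks at */
    uint8_t  prefix[16];       /* prefix information option */
    uint16_t router_lifetime;  /* 0 means "not a default router" */
};
/* Stand-ins for net.inet6.ip6.forwarding and for net.inet6.ip6.accept_rtadv,
 * the latter used only as the default for new interfaces (Hiroki's item 2). */
static int ip6_forwarding;
static int ip6_accept_rtadv_default;

static int prefix_is_6to4(const uint8_t *p)  /* 2002::/16, Bellovin's example */
{
    return p[0] == 0x20 && p[1] == 0x02;
}

enum ra_action { RA_IGNORE, RA_PREFIX_ONLY, RA_PREFIX_AND_DEFROUTE };
static enum ra_action ra_policy(const struct if6 *ifp, const struct ra *ra)
{
    if (ip6_forwarding)                    /* a router ignores RAs (item 3) */
        return RA_IGNORE;
    if (!(ifp->flags & IF6_ACCEPT_RTADV))  /* per-interface gate */
        return RA_IGNORE;
    if (prefix_is_6to4(ra->prefix))        /* prefix filter */
        return RA_IGNORE;
    if (ra->router_lifetime == 0 || !(ifp->flags & IF6_ACCEPT_DEFROUTE))
        return RA_PREFIX_ONLY;             /* configure an address, learn no default route */
    return RA_PREFIX_AND_DEFROUTE;
}

/* Constructed sample RAs: a native 2001:db8::/64 one and a 6to4 2002::/16 one. */
static const struct ra ra_native = { .prefix = { 0x20, 0x01, 0x0d, 0xb8 }, .router_lifetime = 1800 };
static const struct ra ra_6to4   = { .prefix = { 0x20, 0x02 }, .router_lifetime = 1800 };

/* Set the sysctls, attach one interface (it inherits the accept_rtadv default
 * and may get extra bits, as ndp(8) would set them), then evaluate an RA on it. */
static enum ra_action evaluate(int fwd, int dflt, int extra, const struct ra *ra)
{
    struct if6 ifp;
    ip6_forwarding = fwd;
    ip6_accept_rtadv_default = dflt;
    ifp.flags = (ip6_accept_rtadv_default ? IF6_ACCEPT_RTADV : 0) | extra;
    return ra_policy(&ifp, ra);
}
```

With forwarding on, the interface flag is irrelevant; with forwarding off, an interface attached under accept_rtadv=0 still accepts nothing until the per-interface bit is set explicitly.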
Tonnerre LOMBARD
2009-07-12 22:28:29 UTC
Salut,
Post by Steven M. Bellovin
This is a good step, but I think that considerably more control is
needed, either at this level or a level above. I'd like to be able to
filter advertisements by source and prefix. For example, if my site
has native IPv6, I'd like to be able to exclude 2002:xxx -- 6to4 --
which are sometimes emitted by personal machines that I don't want to
route through.
That's well out of scope of my current work though; also, I'm
not sure if e.g. dhclient can do something like that for IPv4
so far.

(Heh, and I don't even care right now.)

Tonnerre
Steven M. Bellovin
2009-07-12 22:40:21 UTC
On Mon, 13 Jul 2009 00:28:29 +0200
Post by Tonnerre LOMBARD
Salut,
Post by Steven M. Bellovin
This is a good step, but I think that considerably more control is
needed, either at this level or a level above. I'd like to be able
to filter advertisements by source and prefix. For example, if my
site has native IPv6, I'd like to be able to exclude 2002:xxx --
6to4 -- which are sometimes emitted by personal machines that I
don't want to route through.
That's well out of scope of my current works though; also, I'm
not sure if e.g. dhclient can do something like that for IPv4
so far.
I don't think so, but because of the ad hoc ways of getting on v6, I
think there's a more serious problem. (Besides, system administrators
are more accustomed to looking for v4 misbehavior. I've tried telling
the network folks on my campus that they need to be thinking about v6
log files *now*...)
Post by Tonnerre LOMBARD
(Heh, and I don't even care right now.)
Fair enough.


--Steve Bellovin, http://www.cs.columbia.edu/~smb

David Young
2009-07-13 16:01:31 UTC
Post by Tonnerre LOMBARD
Salut,
This is the first part of my series of patches concerning IPv6 route
advertisements. It simply moves the variable deciding whether or not
to accept IPv6 route advertisements on a specific interface to be
specific to that interface.
A second patch is going to separate the setting of when to accept
a default route (which is why there are more bits left on the
autoconf integer. However, it would have been really cool had there
still been 2 bits of space left on if_flags.)
Either way, here's it. If your mailer doesn't like PGP signed
attachments, go to
http://www.netbsd.org/~tonnerre/patches/src/2009/netinet6-rtadv-per-interface.patch
to find a copy of said patch.
Any opinions?
Tonnerre
? tooldir.NetBSD-4.0-sparc64
? tooldir.NetBSD-4.0_wrstuden_fixsa_t1-sparc64
? sys/arch/amd64/conf/JULES
Index: etc/rc.d/network
===================================================================
RCS file: /cvsroot/src/etc/rc.d/network,v
retrieving revision 1.57.2.1
diff -u -r1.57.2.1 network
--- etc/rc.d/network 18 May 2009 19:30:48 -0000 1.57.2.1
+++ etc/rc.d/network 12 Jul 2009 19:57:48 -0000
@@ -127,7 +127,7 @@
/sbin/route -q add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject
/sbin/sysctl -qw net.inet6.ip6.forwarding=0
- /sbin/sysctl -qw net.inet6.ip6.accept_rtadv=0
+ /sbin/sysctl -qw net.inet6.ip6.accept_rtadv.default=0
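Review bot: renaming the node from net.inet6.ip6.accept_rtadv to net.inet6.ip6.accept_rtadv.default in this rc.d/network hunk breaks every sysctl.conf and script that still writes the old name. Keep net.inet6.ip6.accept_rtadv settable (as the default node itself, or as an alias of the new one) rather than moving it, and call the rename out in the patch description if it is really intended.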
There are scripts that rely on that sysctl being at its current path.
Please don't break backwards compatibility in this way.
Post by Tonnerre LOMBARD
Index: sys/net/if.h
===================================================================
RCS file: /cvsroot/src/sys/net/if.h,v
retrieving revision 1.140
diff -u -r1.140 if.h
--- sys/net/if.h 24 Oct 2008 17:07:33 -0000 1.140
+++ sys/net/if.h 12 Jul 2009 19:59:05 -0000
@@ -275,6 +275,7 @@
struct pfil_head if_pfil; /* filtering point */
uint64_t if_capabilities; /* interface capabilities */
uint64_t if_capenable; /* capabilities enabled */
+ int if_autoconf; /* IPv6 autoconfiguration */
union {
void * carp_s; /* carp structure (used by !carp ifs) */
struct ifnet *carp_d;/* ptr to carpdev (used by carp ifs) */
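Review bot: `int if_autoconf; /* IPv6 autoconfiguration */` puts an IPv6-only field into the generic struct ifnet, and the comment says neither which bits it holds nor who sets them, even though the cover mail says more bits are reserved for a later "accept default route" setting. Document the bit layout here, and consider keeping this state in the per-domain data reached through if_afdata[AF_INET6] (populated by the dom_ifattach hook) instead of growing struct ifnet, which changes its layout for every module that embeds or indexes it.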
@@ -290,6 +291,7 @@
void *if_afdata[AF_MAX];
struct mowner *if_mowner; /* who owns mbufs for this interface */
+ struct sysctllog *if_clog;
void *if_agrprivate; /* used only when #if NAGR > 0 */
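Review bot: `struct sysctllog *if_clog;` is the only field in this region without a trailing comment. Say what it logs (presumably the per-interface accept_rtadv nodes that go with the new .default scheme) and where it is torn down on interface detach; this hunk shows no matching teardown, and a sysctllog that is not released with the interface leaves stale nodes registered after the ifnet is gone.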
Attach information to the ifnet that is private to a protocol domain
using the dom_ifattach/dom_ifdetach hooks in struct domain.

Dave
--
David Young OJC Technologies
***@ojctech.com Urbana, IL * (217) 278-3933

Tonnerre LOMBARD
2009-07-14 17:08:24 UTC
Salut,
Post by Tonnerre LOMBARD
Either way, here's it. If your mailer doesn't like PGP signed
attachments, go to
http://www.netbsd.org/~tonnerre/patches/src/2009/netinet6-rtadv-per-interface.patch
to find a copy of said patch.
Updated patch, now using the preexisting flags. Seems to work so far
on my workstation.

Tonnerre
YAMAMOTO Takashi
2009-08-31 13:07:56 UTC
hi,
@@ -176,7 +176,8 @@
* we won't accept RAs by default even if we set ND6_IFF_ACCEPT_RTADV
* here.
*/
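Review bot: the comment in this @@ -176 hunk still says RAs will not be accepted by default "even if we set ND6_IFF_ACCEPT_RTADV here", which describes the old dependence on the global sysctl. With the per-interface flag now the control, that sentence is no longer true; rewrite it to state what setting the flag means under the new scheme.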
@@ -209,8 +210,6 @@
* the system-wide variable allows the acceptance, and
* per-interface variable allows RAs on the receiving interface.
*/
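Review bot: the comment in the @@ -209 hunk describes a two-part test (the system-wide variable allows acceptance and the per-interface variable allows RAs on the receiving interface). The header shows eight lines shrinking to six, so the system-wide check is presumably what was removed; the comment must drop the system-wide clause as well, or it will misdescribe the code it sits above.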
i guess you need to update these comments.

doesn't this change make the sysctl almost useless?
ie. you need to configure it before interfaces are attached, don't you?

i'm not sure what problem you are trying to solve.
wasn't it possible to control it per-interface by setting
the sysctl node to 1 and tweak the accept_rtadv flag by ndp(8)?

YAMAMOTO Takashi
