Discussion:
Temporary IPv6 addresses vs. netgroups
(too old to reply)
Robert Elz
2013-01-25 13:06:21 UTC
Permalink
Date: Tue, 22 Jan 2013 19:43:24 -0500 (EST)
From: Mouse <***@Rodents-Montreal.ORG>
Message-ID: <***@Sparkle.Rodents-Montreal.ORG>

| Unfortunately I think it's the only solution, not only just because we
| don't have any APIs more sophisicated but because it's not an easy
| problem.

Not easy to solve every case, that is perhaps, not easy to achieve
perfection, I agree - and the option of binding a particular source
address from the application would always be there. But for most
applications, a rather simpler API that the application can use would
solve enough of the problem (what typical apps actually need, most of the
time) that it would be useful I think.

| Perhaps, but "type" is somewhat ill-defined here. One application's
| idea of address type doesn't necessarily match the next's.

If you are thinking that by "type" I meant a simple integer list of
interface types, and you pick one, then I entirely agree. I didn't
get into that level of detail in the last message (and I won't in this
one) but the API that was planned (some students of mine did it as a
project a couple of years ago - unfortunately, they didn't implement
enough of it to ship it out, but they did do a reasonable design) was
more complicated than that, while still being quite easy to use.

| One may
| prefer "site-local reachable over this VPN tunnel" over "globally
| routed" over "other site-local", as a simple example that is unlikely
| to match any notion of "type" that's likely to make it into an API.

Aside from possibly the first of those criteria (which would make all of
this be a fairly unusual application) and even perhaps with that (aside
from the "site-local" part, as those are deprecated now, but if that was
just one of the local/unroutable addrs) then the API designed could handle
all of that (for the VPN part to work, as it was designed, that VPN local
address would need to be in a unique local addr scope - that is, the API
allowed address scopes (local/global/...) and scope id's (the equiv of
%ex0 but in the numeric internal form) to be specified, but not specific
VPNs (or prefixes) - an app with that kind of requirement probably would
need to use bind().

That is, the API was designed with the aim that to use it, the app would
not know (or care) what actual addresses, or prefixes, happened to exist,
and would just be specifying a type of address that it preferred, if
available (and if not, then next best is, and if not available, then...)

That would allow most app designers to write configuration free code that
would normally work, and work well, and only need to get to config options,
and more, in rare cases. So, in the actual case that caused a problem
here, the nfs client code could simply request stable addresses if
available (and either fall back on temp addrs if that's all the client
has, or fail in that case, at its choice) and it would just work,
regardless of whether the "prefer temp addrs" sysctl (global switch) was
set or not.

| Trouble is, that's suitable only when the kernel's preference rules
| match the application's. Since different applications want different
| rules, the application has to control local address selection somehow.

Yes, that's the point - to allow the application to specify its preference,
somehow, and to solve enough of the problem to be useful for the vast
majority of apps (and better than a single global "use temp addrs" switch).

Attempting to achieve perfection, and refusing anything that fails to
achieve it, just means never making any forward progress. If that had
been the criteria, we'd never have had the socket interface at all, as
it is certainly not perfect. Yet it remains useful, and of immense
benefit, and works for almost everyone - even as originally designed.
Its enhancements over the years have improved it, and more enhancements
can make it even better. It still won't be perfect.

| And I think we agree on that much. But it seems to me that an API that
| classifies addresses into some small number of types based on
| set-in-stone rules is going to be useful to too small a subset of
| applications to make it worth the various costs of adding it.

Yes, so let's not do that. Yet, believe it or not, the vast majority
of applications could actually use that kind of function, and find it
useful, even in a relatively simple design. Almost no apps (but only
almost) actually want or need to select one particular VPN, and other
stuff like that. But a global temp/stable switch (which is where this
discussion started - on how that doesn't work for NFS) isn't good enough
either. It would be almost enough to add a per socket sockopt that
allowed that switch to be set for each socket (with the default being the
global switch) - most apps need no more than that. But some really want
to use stable addresses (like nfs, which was the issue in the original
message on this thread, and MTAs, to avoid excessive grey listing, and spam
avoidance issues), whereas others (like browsers) really want to use
temporary addresses (for the reasons that address form was created).

Just adding that (a temp/stable sockopt) would be better than we have now,
though it doesn't add anything about scoped address use (when should local
addresses be used rather than global) and doesn't add anything about CGAs
or other more specialised address types that might exist.

| I would prefer to do this in userland,

Like everything else, we need a good API. Then whether it is implemented
in userland, or in the kernel, becomes an implementation decision, rather
than a design argument.

| with a library routine that fetches the list of addresses and selects
| one based on whatever criteria it wants,

That could work, except right now we're still missing the vital
information to make it work - which is where the address came from.
And since addresses can be autoconfigured (entirely inside the kernel)
the kernel interface needs to be able to at least provide that information.

So, I think we certainly need to add something to the kernel, so addresses
have some type information associated with them. Whether the code that
uses it actually runs inside the kernel, or the info ie exported (along
with the addresses themselves, and routing info, so the user routine can work
out which outgoing interface the kernel will be using) is something for
later discussion, and perhaps implementation experimentation.

| maybe even involving an application-provided callback.

But when things get that complex, that such a callback would be
useful, I think (at least for a basic API suitable for most apps)
that things have gotten far too complicated. Perhaps an advanced
API might allow that, but I think we need to get enough experience
with something simpler, so we know what really is required, and what
is just useful for one installation of one application, and no-one
else, and allow the latter to be handled via bind().

| And, shouldn't this be on tech-net?

Yes, probably, so I have cc'd this reply there (for anyone on tech-net
who does not read tech-kern, there are, I think, 4 messages in this thread
on tech-kern only that you might want to read, if this message does not make
the context clear enough.)

I have also (attempted to) arrange for replies to go to tech-net alone.
Unfortunately, 99% of mailers are so broken, that this is unlikely to work
(so people, if you are going to reply, please check the address you're
sending to, tech-net is all that is required.)

kre


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Darren Reed
2013-01-26 10:40:43 UTC
Permalink
Post by Robert Elz
Date: Tue, 22 Jan 2013 19:43:24 -0500 (EST)
| Unfortunately I think it's the only solution, not only just because we
| don't have any APIs more sophisicated but because it's not an easy
| problem.
Not easy to solve every case, that is perhaps, not easy to achieve
perfection, I agree - and the option of binding a particular source
address from the application would always be there. But for most
applications, a rather simpler API that the application can use would
solve enough of the problem (what typical apps actually need, most of the
time) that it would be useful I think.
I don't think that the API needs to change. For the most part,
the way in which the various networking APIs is sufficient for
what we need to do.

The problem at hand is that the multitude of addresses available
on a host now means that applications need to either make educated
guesses (for example, putting 169.254 at the bottom of the list to
choose) or allow users to manually configure which address they
want to use with a particular application. For large applications,
this isn't unreasonable but for utilities such as mount, well we
need a better way for them to work.

In the original case of using mount, it isn't just one mount call
or socket that needs to use a specific IP address/interface but
a whole host of them. Thus what's required is a way to influence
the networking environment of a command all of its successors.

Darren



--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Ignatios Souvatzis
2013-01-28 08:37:04 UTC
Permalink
Hi,
Post by Darren Reed
The problem at hand is that the multitude of addresses available
on a host now means that applications need to either make educated
guesses (for example, putting 169.254 at the bottom of the list to
choose) or allow users to manually configure which address they
want to use with a particular application. For large applications,
this isn't unreasonable but for utilities such as mount, well we
need a better way for them to work.
Somebody claimed earlier that there are a lot of different address
classes, but I think this is mostly not relevant.

First, some thoughts about decision lines for different cases.

a) link-local, new-site-local vs. global addresses, outgoing connections,

this should normally sorted out via automatic source-address selection;

Use your own address of the same class as the peer address, or more
general, use your address that matches most with the peer address.

b) link-local, new-site-local vs. global addresses, incoming connections:

easy - you only ever will get connections to addresses that can reply. If
not, yell at^W^Wtell your network administrator (or maybe the peer one's).

c) auto- or manually- assigned vs. temporary addresses, incoming
connections. Obviously, you can normally not advertize services
at temporary addresses, so your services should bind to well-known
ones, whatever method is used. Only excuse would be when you use
some (probably link-local) advertizing system, like with NMB on
Appletalk, or with SLP / Zeroconf on IP.

d) outgoing connections: here we have a problem. Some connections want to
use temporary addresses for privacy reasons; some connectiosn want to use
well-known addresses for sort-of-authentication reasons. I think that you
can often get away with using some match-length offset to decide; (e.g.
within own department, use assigned addresses); else you'd have to decide
by application type, or by explicit configuration.

Yes, i've needed one or other type of configuration in real life.

d) is what triggered this discussion. I've seen mishandling of c) and d)
on some OSes.

Now, as for deciding what to use for outgoing connections: I think, if
source address selection is doing best-match, you'll only ever have
ambiguities with assigned vs. temporary addresses. In this case, a flag
"avoid temporary addresses for this connection" should be enough (if
the kernel knows about temporaries).

Regards,
-is

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Robert Elz
2013-01-28 12:07:36 UTC
Permalink
Date: Mon, 28 Jan 2013 09:37:04 +0100
From: Ignatios Souvatzis <***@cs.uni-bonn.de>
Message-ID: <***@cs.uni-bonn.de>

| Somebody claimed earlier that there are a lot of different address
| classes, but I think this is mostly not relevant.

It really does depend upon the application, and the use of the application,
and the requirements of the local environment - but for most purposes, and
most uses, I agree with you - a relatively simple solution to the
underlying problem might provide enough of a solution that the relatively
few unhandled cases might be acceptably handled by being able to manually
configure the source address to use, and bind() (or whatever other app
level mechanism or library interface may be implemented to handle that.)

| a) link-local, new-site-local vs. global addresses, outgoing connections,

| Use your own address of the same class as the peer address, or more
| general, use your address that matches most with the peer address.

That isn't always going to be sufficient - usually the peer address is
going to come from the DNS, and the DNS should have only global addresses,
not local (unroutable) ones (though v6 local addresses are much less of
a problem than v4 1924 addresses for this.)

The effect of that is that local addresses don't get used much, which would
mean that they don't bother being configured, and so are used even less.

One way to avoid that, is for applications where using local addresses makes
sense (particularly those with long life connections - local addresses guard
against address renumbering, which doesn't really matter if the connection is
finished in under a minute) is to initiate the connection from a local address,
with a very short timer on the SYN reply (20-30 ms). And probably a fairly
low hop limit. If that works, then the destination is local, and some app
dependentent method (unless we invent a better general way) can discover
the destination's local address, and we can use that (and the total connection
setup delay is well under 1/10 of a second - for a connection expected to
run for many minutes, or hours, so this startup delay is harmless.)

If there's no reply within the time limit, we assume the dest is not local,
and simply try again using global addresses (whether it is just too far
away and the RTT is greater than we allow, or too many hops, or the dest
cannot get packets back to our local addr doesn't matter - any of those
indicate "not local enough".)

To make that work, the app needs to be able to request a source address that
doesn't match the type of the dest addr, so simply implementing a "match it
up" rule is not adequate. We need more than that.

| b) link-local, new-site-local vs. global addresses, incoming connections:

Yes, easy, for replying to any incoming packets we should always use the
address that the peer sent to, as our source address - this one is not an
issue.

| c) auto- or manually- assigned vs. temporary addresses, incoming
| connections.

Most apps here don't care - and any local address that the peer chooses to
send to is acceptable - but for those that do, whatever solution is found
for handling outgoing connections should be adaptable for being a better
filter on incoming connections than either "any" or "this particular addr"
which are our only two options now.

| d) outgoing connections: here we have a problem.

Agreed, this is the one we need to handle.

| I think that you can often get away with using some match-length offset
| to decide; (e.g. within own department, use assigned addresses);

There are two issues here, and it is important not to confuse them, or
we get a mess (even though they're obviously related and need to be considered
together). One is how the application decides what (type of, or specific)
address it should be using. The other is how it conveys that decision to
whatever it is that actually picking the specific source address.

If I have it right, the Mouse's suggestion was to make the latter of those
as close to "what we have now" as possible, by having the app always do all
the selection, right down to picking the specific addr (most probably using a
library routine) after which the "communicate" part is simply bind().

I don't think that's the right way, as picking a specific address means
(aside from getting all the available ones to select from, and being able
to know what types they are) we have to have made the outgoing interface
selection first, and that's not something that userland typically does
today, and that isn't a change I think we need to be making to the normal
operating procedures. Picking the right specific address doesn't work (in
most cases) without knowing which outgoing interface is going to be used,
and while that information could all be exported to userland, and apps
could do what the kernel now does, I don't think that's the right solution.

If I'm right about that, then we need some kind of new sockopt (or similar)
to specify some kind of preference to the kernel.

| Now, as for deciding what to use for outgoing connections: I think, if
| source address selection is doing best-match, you'll only ever have
| ambiguities with assigned vs. temporary addresses.

If those were the only address types, then sure - and for now, in NetBSD
(if we ignore the local address issue) then that is it. But for v6 there
are also CGAs, that some applications want (and those can have the
characteristics of either being stable or temporary). Even if the
first attempt at a solution for this problem doesn't concern itself with
any of those issues, it would be good to plan the interface in a way that
it can be extended fairly easily if that ever seems like the right thing
to do.

And we certainly need a way to have the kernel know about address types
(as long as it remains the kernel's responsibility to select the source
addr most of the time) so we also need an API in the address setting set
(ie: interface ioctls) that will allow that to be done as well.

Lastly ...

***@NetBSD.org said:
| In the original case of using mount, it isn't just one mount call or socket
| that needs to use a specific IP address/interface but a whole host of them.
| Thus what's required is a way to influence the networking environment of a
| command all of its successors.

That's a different issue I think - it may very well be useful to be able
to define some kind of hierarchy of related sockets, and have default
options that can be changed for everything below some point in this
hierarchy. For that to be useful for source address selection, first
we need a way to handle that for the simple, just this socket, case.
Then, if we have such a mechanism for one socket, it, and all the other
socket options that can be set, could perhaps be set for a whole group
of (current and future) sockets, using whatever grouping mechanism is
designed later.

kre



--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Darren Reed
2013-01-31 10:57:17 UTC
Permalink
Post by Robert Elz
...
That's a different issue I think - it may very well be useful to be able
to define some kind of hierarchy of related sockets, and have default
options that can be changed for everything below some point in this
hierarchy. For that to be useful for source address selection, first
we need a way to handle that for the simple, just this socket, case.
Then, if we have such a mechanism for one socket, it, and all the other
socket options that can be set, could perhaps be set for a whole group
of (current and future) sockets, using whatever grouping mechanism is
designed later.
I wonder if focusing on addresses is the correct thing to do.

Should we in fact be focusing on network interfaces instead?

For example, if I'm connected to a LAN then I probably want
to use that network interface in preference to anything else.

And I wonder if a way to achieving that is in the first instance
to use a metric other than 0?

The idea being that the WiFi card drivers would use a metric of
say 53, ethernet 7 and so on (the numbers are just random choice
and chosen to express nothing more than preference for the lower
number.)

Would that mess with kernel routing in a bad way?

Now this doesn't solve the problem for a specific application
and nor does it address the problem where the addresses that
you want to choose between are aliases.

For example...
The idea here is that an application wants to use the VPN Tunnel
to connect to an internal website and the address that is used
is not something that the application cares about rather the
address is a property of the network connection used to transport
that connection. Thus using the network address of the LAN or
WiFi link is not appropriate, regardless of what addresses are
configured on them.

In some cases it may be possible to determine what the outgoing
IP address should be - for example if the network interface only
has one address that matches the address family being used to
make the connection then the choice is an obvious result of the
routing lookup for the destination. That however assumes that
there is a route to the destination network available that
specifies the interface in question.

Actually, going back to the original question at hand (with
mount), perhaps the solution is this simple:

# route add -host nfs.server.ip.addr -ifa my.ip.add.ress ga.te.wa.y

In situations where my.ip.add.ress is the only IP address
on a network interface or the address is assigned with DHCP
then it should be possible to do:

# route add -host nfs.server.ip.addr -ifp bge1 ga.te.wa.y
Post by Robert Elz
One way to avoid that, is for applications where using local addresses makes
sense (particularly those with long life connections - local addresses guard
against address renumbering, which doesn't really matter if the connection is
finished in under a minute) is to initiate the connection from a local address,
with a very short timer on the SYN reply (20-30 ms).
How do you define "local address" in this context?
Is it just something from a RFC1918 address space or...?

The point here being that some organisations have large
internal networks where a local address is usable on a
network with a bredth of 10 or more hops.

Darren


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
i***@netbsd.org
2013-01-31 10:02:33 UTC
Permalink
Post by Darren Reed
I wonder if focusing on addresses is the correct thing to do.
Should we in fact be focusing on network interfaces instead?
No. At least that's a different problem.

We started talking about multiple addresses on the same LAN, some being
randomized and only intended for pseudonymous access to untrusted peers.

The desire is to have an application tell it doesn't want to use them;
think address-authorized lpr or nfs.

-is

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Ignatios Souvatzis
2013-01-31 10:50:46 UTC
Permalink
Post by i***@netbsd.org
Post by Darren Reed
I wonder if focusing on addresses is the correct thing to do.
Should we in fact be focusing on network interfaces instead?
No. At least that's a different problem.
We started talking about multiple addresses on the same LAN, some being
randomized and only intended for pseudonymous access to untrusted peers.
The desire is to have an application tell it doesn't want to use them;
think address-authorized lpr or nfs.
What about being able to give an address a "metric" that enabled
a sorting order for address selection?
# ifconfig bge0 alias 192.168.1.1 netmask 255.255.255.0 weight 15
# ifconfig bge0 alais 10.1.1.1 netmask 255.255.252.0 weight 50
Well, but we'd need that per-application or per-socket! Sometimes
we want one, sometimes the other.

The problem with temporary addresses is that they occupy exactly
the same subnet as the fixed/dhcp/autoconfigured addresses we want
to avoid or prefer, depending on application; so per-process routing
tables don't help, either.

The more proposals I read, the more I think that the original problem
can easiest be solved by allowing interested applications to bind,
where this isn't yet possible.

To make this generic, we'd need a generic tag list per address, or
as the next-to-minimal solution a flag "temporary" and a method to
prefer permanent vs. temporary. A hack would be to have a socket option
that selects longest vs. shortest lifetime addresses.

-is

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Darren Reed
2013-01-31 11:27:53 UTC
Permalink
Post by i***@netbsd.org
Post by Darren Reed
I wonder if focusing on addresses is the correct thing to do.
Should we in fact be focusing on network interfaces instead?
No. At least that's a different problem.
We started talking about multiple addresses on the same LAN, some being
randomized and only intended for pseudonymous access to untrusted peers.
The desire is to have an application tell it doesn't want to use them;
think address-authorized lpr or nfs.
What about being able to give an address a "metric" that enabled
a sorting order for address selection?

# ifconfig bge0 alias 192.168.1.1 netmask 255.255.255.0 weight 15
# ifconfig bge0 alais 10.1.1.1 netmask 255.255.252.0 weight 50


Another approach might be to support having the default address to
use as part of the process's properties, so that in the NFS mount
script you can do:

[ -n "$nfs_localaddr" ] && \
sysctl -w "proc.$$.localaddrlist=$nfs_localaddr"

in the various _precmd() bits that start the SunRPC bits.

Another approach might be to support having process-local routing
tables such that you could do:

[ -n "$nfs_ifa" -a -n "$nfs_server" ] && \
route add -host "$nfs_server" -ifa "$nfs_ifa" -proc $$

Both of the sysctl/route approaches more or less dictate using an API
that isn't setsockopt.

Thoughts?

Darren


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Ignatios Souvatzis
2013-01-31 11:06:11 UTC
Permalink
Post by Darren Reed
Another approach might be to support having the default address to
use as part of the process's properties, so that in the NFS mount
[ -n "$nfs_localaddr" ] && \
sysctl -w "proc.$$.localaddrlist=$nfs_localaddr"
in the various _precmd() bits that start the SunRPC bits.
Hm. Yes, this would work, I think, at least in the general case (don't
know about the in-kernel nfs client).

-is

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Gert Doering
2013-01-31 11:09:05 UTC
Permalink
Hi,
Post by Ignatios Souvatzis
The more proposals I read, the more I think that the original problem
can easiest be solved by allowing interested applications to bind,
where this isn't yet possible.
"Yes but..."

Speaking as a sysadmin, being able to bind an application to a specific
local IPv6 address is useful, but most of the time I don't want to bother
to look up the specific address, and just bind to a class of address.

(Think "renumbering your subnet" - that should make NFS continue to use
the autoconfigured-but-non-privacy IPv6 address, without me having to
to rc.conf and change bind addresses for umteen different programs - sure,
that could be done with a global variable, but still, "one extra place
to touch when the network changes").

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ***@greenie.muc.de
fax: +49-89-35655025 ***@net.informatik.tu-muenchen.de

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Robert Elz
2013-01-31 11:22:46 UTC
Permalink
Date: Thu, 31 Jan 2013 21:57:17 +1100
From: Darren Reed <***@netbsd.org>
Message-ID: <***@netbsd.org>

| How do you define "local address" in this context?
| Is it just something from a RFC1918 address space or...?

Personally I'm most concerned with IPv6, rather than IPv4 (which is,
or should be, on its way to extinction, so wasting more effort on
solving its problems is pointless) - in the v6 context, a local address
is something from the FC00::/7 address block. But those are about as
close as v6 comes to 1918 addresses, so I guess, yes.

The relevant criteria is that we can use them to communicate with some
destinations, but not others (1918 in v4 world mostly fails that test
because of NAT). For the others only global addresses work.

| The point here being that some organisations have large
| internal networks where a local address is usable on a
| network with a bredth of 10 or more hops.

Sure, and if we ever actually implemented apps that attempt to use local
addresses where possible (that is, by their own initiative, rather than
being human configured) then we'd need to be able to configure the criteria
used for deciding when an address might be local (which would include how big
a hop limit to attempt, and how long to wait for replies).

Until v6 is in enough use that people actually start getting global addresses
renumbered on them, most likely no-one will care enough about this issue
to bother with attempts to find solutions. Slightly regrettable, but totally
understandable. My objective in all of this is simply to see if we can end
up with an API that would allow this kind of thing to be done, when (or if)
it ever turns out to be useful enough to spend cycles implementing.

kre

ps: I agree with you that being able to give interfaces some kind of
preferences would be useful, but I also agree with Ignatios that this is
a different problem than the one we have been discussing.

pps: the old v6 "site local" addresses were better than the current local
addresses for the purposes discussed above, as they had the notion of a
site boundary, and a "going out of scope" ICMP - with those, detection of
when a (site) local address can be used was much much easier.


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Robert Elz
2013-01-31 12:37:02 UTC
Permalink
Date: Thu, 31 Jan 2013 12:09:05 +0100
From: Gert Doering <***@greenie.muc.de>
Message-ID: <***@greenie.muc.de>

| Speaking as a sysadmin, being able to bind an application to a specific
| local IPv6 address is useful, but most of the time I don't want to bother
| to look up the specific address, and just bind to a class of address.

To be even more emphatic about that, one thing that we should be
doing is shipping NetBSD (and its packages) to select rational address
types by default - by all means allow sysadmins (or users) to alter
the defaults, but the defaults should be rational.

That means that postfix (and sendmail) and nfs, should all be using
stable addresses, whereas firefox, wget (etc) should all be default configured
to use temporarary addresses (in each case of course, assuming the
appropriate address type is available).

There's no way TNF can ship systems with specific addresses built into
them, nor can it know specific interface names, or anything else.

But it can have an application say "stable address if possible please"
or "temporary address if possible please", and once we have a mechanism
(however it ends up looking) to permit that, that's exactly what we should
be doing.

kre


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Gert Doering
2013-01-31 13:20:08 UTC
Permalink
Hi,

On Thu, Jan 31, 2013 at 07:37:02PM +0700, Robert Elz wrote:
[..]
Post by Robert Elz
To be even more emphatic about that, one thing that we should be
doing is shipping NetBSD (and its packages) to select rational address
types by default - by all means allow sysadmins (or users) to alter
the defaults, but the defaults should be rational.
[..]
Post by Robert Elz
But it can have an application say "stable address if possible please"
or "temporary address if possible please", and once we have a mechanism
(however it ends up looking) to permit that, that's exactly what we should
be doing.
+1

(nothing more to be said, so please excuse the high quote-to-new-text
ratio :-) )

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ***@greenie.muc.de
fax: +49-89-35655025 ***@net.informatik.tu-muenchen.de

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Darren Reed
2013-01-31 23:44:47 UTC
Permalink
On Thu, Jan 31, 2013, at 01:37 PM, Robert Elz wrote:
...
Post by Robert Elz
To be even more emphatic about that, one thing that we should be
doing is shipping NetBSD (and its packages) to select rational address
types by default - by all means allow sysadmins (or users) to alter
the defaults, but the defaults should be rational.
That means that postfix (and sendmail) and nfs, should all be using
stable addresses, whereas firefox, wget (etc) should all be default configured
to use temporarary addresses (in each case of course, assuming the
appropriate address type is available).
How do you determine a stable address vs temporary?

For example, I use DHCP to assign IP addresses on almost everything
now, including devices that are NFS/CIFS/SMB clients. The only place
where I have a static address is a server.

Let me throw another twist to this...

Lets say that my laptop is plugged into a local LAN and it has a
connection to the Internet via a firewall and ADSL router. The LAN
connection is established with DHCP. If my ADSL goes down I then
turn on WiFi on my phone and laptop and connect to the Internet
via WiFi to my laptop.

If temporary is DHCP then both of my links are temporary.

How then should my browser then connect to the Internet?
What about ssh, etc?

I'll add that the above scenario is not hypothetical and is currently
solved by unplugging the LAN cable with the unfortunate side effect
of disrupting any local services that I was using.

The argument that I'm making here is that I don't see
temporary vs stable as being a useful abstraction in the
classification of addresses for applications to use as there
is no reasonable way to classify an address as such.
Post by Robert Elz
There's no way TNF can ship systems with specific addresses built into
them, nor can it know specific interface names, or anything else.
Agreed.

Darren

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Gert Doering
2013-02-01 11:34:07 UTC
Permalink
Hi,
Post by Darren Reed
...
Post by Robert Elz
To be even more emphatic about that, one thing that we should be
doing is shipping NetBSD (and its packages) to select rational address
types by default - by all means allow sysadmins (or users) to alter
the defaults, but the defaults should be rational.
That means that postfix (and sendmail) and nfs, should all be using
stable addresses, whereas firefox, wget (etc) should all be default configured
to use temporarary addresses (in each case of course, assuming the
appropriate address type is available).
How do you determine a stable address vs temporary?
For example, I use DHCP to assign IP addresses on almost everything
now, including devices that are NFS/CIFS/SMB clients. The only place
where I have a static address is a server.
These would be "static" in the sense of "no privacy address auto-generated
and auto-rotated(!) after a certain time by the host itself".

Phrased differently, "temporary" addresses in the sense of this discussion
(and where you want a distinction between a "NFS client" and a "web browser")
arte those generated according to RFC4914 (or 3041):

4941 Privacy Extensions for Stateless Address Autoconfiguration in
IPv6. T. Narten, R. Draves, S. Krishnan. September 2007. (Format:
TXT=56699 bytes) (Obsoletes RFC3041) (Status: DRAFT STANDARD)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ***@greenie.muc.de
fax: +49-89-35655025 ***@net.informatik.tu-muenchen.de

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Robert Elz
2013-02-01 12:20:48 UTC
Permalink
Date: Fri, 01 Feb 2013 00:44:47 +0100
From: Darren Reed <***@netbsd.org>
Message-ID: <***@webmail.messagingengine.com>

| How do you determine a stable address vs temporary?

If you mean by that, how do I look at an address and determine if it
is a temporary address or not, the answer is, I can't - which is exactly
what (part of) the problem is.

Only when the address is created (or assigned) do we know its planned
use model - whoever (or whatever) creates the address needs to indicate
whether it is a temporary, or a stable address.

| For example, I use DHCP to assign IP addresses on almost everything
| now, including devices that are NFS/CIFS/SMB clients. The only place
| where I have a static address is a server.

All of those would be stable in this sense, DHCP servers go to a lot of
trouble to ensure that they can give you the same address over and over
again.

But if you keep thinking of this in an IPv4 context, the need for anything
new will (most probably) never become apparent - the current API has been
around, and working mostly OK, with IPv4 for a long time.

It is with IPv6 that we really need an addition (and then, as has happened
with other stuff originally designed for v6, if that turns out to be
beneficial to IPv4 as well, that's fine).

For IPv6, a temporary address is one assigned following the procedures
of RFC4941 - for this purpose the term "temporary address" is a very
specific thing, and doesn't just mean some random address that I might
not have forever.

The general assumption is that you will normally only use a temporary address
for a very limited time - a day would be an upper limit, an hour is not
at all unreasonable. Then you make a new one and use that instead.

This is not feasible with IPv4, there aren't enough available addresses.
But with 2^64 IIDs on every subnet in IPv6, there are plenty of available
numbers to use... Of course, the use of (almost universal) NAT makes
the problem moot for IPv4, end systems don't need to hide their identity,
the NAT translation does that for us (which is the one useful feature of
NAT - pity that it can't be turned off when it isn't wanted...)

| If temporary is DHCP then both of my links are temporary.

It isn't, those are stable address, what you described was just address
renumbering (or perhaps, mobile IP, in some cases would be quite similar).

| How then should my browser then connect to the Internet?
| What about ssh, etc?

Well, the browser is supposed to use temporary addreses, so if your DHCP
addresses were temporary, that would be good ... And ssh is an example of
an application where (for the client anyway) we simply don't care, either
form works just as well (ssh servers don't authorise clients based upon
their address - that's why we don't use rsh any more).

But I suspect you're ignoring the "prefer" part of all of this.
If I have a temporary address, I prefer to use it for my web browsing.
If I don't have one, then a stable address will work just fine, it just
is not as good a choice for the purpose.

If I'm sending e-mail (to a remote MTA, I don't mean local submission)
then I would prefer to use a stable address, so the remote site's greylist
cache will recognise that as I wasn't a spammer 30 minutes ago, I am
probably not a spammer now, and so allow my e-mail through without delays.
If I don't have a stable address, but only a temporary one (and haven't
connected to that destination MTA with it previously), then I simply
have to wait for their greylisting timeout. This is not ideal, and fails
if their greylist timeout is longer than the lifetime of my temporary
addresses (which is certainly a possibility.) I really would prefer to
use a stable address...

For the NFS application that started this, I have to have an address that
the NFS server will permit, so the only issue is making sure I use that one
and not some other one (like some temporary address, as the problem that
inspired this discussion was caused by.)

| I'll add that the above scenario is not hypothetical and is currently
| solved by unplugging the LAN cable with the unfortunate side effect
| of disrupting any local services that I was using.

Yes, I know that kind of situation, and that's a real issue, and one we
need to (also) be working on. It is just a completely different problem
than the one we have been talking about. Not less important, just different.
The kind of solution we are considering won't help for that problem at all.
Nor will a solution for your problem solve the other. They are just different.

| The argument that I'm making here is that I don't see
| temporary vs stable as being a useful abstraction in the
| classification of addresses for applications to use as there
| is no reasonable way to classify an address as such.

Of course there is - to use (4941) temporary addresses we need a process
running to create, monitor, and release them as appropriate (that can be
a daemon, a script run from cron, or ...) When it creates a temporary
address it simply says "this is a temporary address" and from that point on
everyone knows that. When DHCP (or IPv6 autoconf, or manual ifconfig)
assign an address, they don't say that, and their address is a stable one.

Do note that the difference between a temporary address and a stable one
(for this purpose) isn't its period of validity - the stable address may
easily have a lease time less than the lifetime of a temporary address, but
its planned usage pattern. For a temporary address, we are planning to use
it for a while, then throw it away and never use it again. For stable
address, we plan on using, and reusing, the address for as long as it
remains viable.

What's more, NetBSD already has a switch for assigning addresses using
either temporary or stable forms - it is net.inet6.ip6.use_tempaddr
The problem is that it is just one global switch, that applies to
everything, rather than one that can be set per application (or socket).

kre

ps: another address distinction that we might need to be able to make in
the future is between home addresses and care-of addresses. Some apps
really need to use home addresses, others are just fine using care-of
addresses (and others even really prefer care-of addresses, like for doing
DNS queries, using a home address is just silly.) So to add to the list
of things the API should support, this is another criterion that the
application might want to set - and combinations, like temporary home address
is best, if not then any care of address will do, and if not, any home address,
and if not that, anything so at least I can communicate, - that would
probably be my preference list for web browsing for example.


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
i***@Netbsd.org
2013-02-01 12:35:13 UTC
Permalink
Post by Robert Elz
For IPv6, a temporary address is one assigned following the procedures
of RFC4941 - for this purpose the term "temporary address" is a very
specific thing, and doesn't just mean some random address that I might
not have forever.
The general assumption is that you will normally only use a temporary address
for a very limited time - a day would be an upper limit, an hour is not
at all unreasonable. Then you make a new one and use that instead.
Yes. And the difference to "normal" addresses is even bigger: 4941
addresses are *intended* to be unusable for authentication (well,
for tracking).

-is
--
seal your e-mail: http://www.gnupg.org/

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Darren Reed
2013-02-02 12:27:21 UTC
Permalink
Date: Fri, 01 Feb 2013 00:44:47 +0100
| How do you determine a stable address vs temporary?
If you mean by that, how do I look at an address and determine if it
is a temporary address or not, the answer is, I can't - which is exactly
what (part of) the problem is.
Only when the address is created (or assigned) do we know its planned
use model - whoever (or whatever) creates the address needs to indicate
whether it is a temporary, or a stable address.
...
It is with IPv6 that we really need an addition (and then, as has happened
with other stuff originally designed for v6, if that turns out to be
beneficial to IPv4 as well, that's fine).
For IPv6, a temporary address is one assigned following the procedures
of RFC4941 - for this purpose the term "temporary address" is a very
specific thing, and doesn't just mean some random address that I might
not have forever.
The general assumption is that you will normally only use a temporary address
for a very limited time - a day would be an upper limit, an hour is not
at all unreasonable. Then you make a new one and use that instead.
...
| If temporary is DHCP then both of my links are temporary.
It isn't, those are stable address, what you described was just address
renumbering (or perhaps, mobile IP, in some cases would be quite similar).
...
For the NFS application that started this, I have to have an address that
the NFS server will permit, so the only issue is making sure I use that one
and not some other one (like some temporary address, as the problem that
inspired this discussion was caused by.)
Not selecting the temporary address seems like a rather trivial
thing and not something that will completely fix the problem
being described.
| The argument that I'm making here is that I don't see
| temporary vs stable as being a useful abstraction in the
| classification of addresses for applications to use as there
| is no reasonable way to classify an address as such.
Of course there is - to use (4941) temporary addresses we need a process
running to create, monitor, and release them as appropriate (that can be
a daemon, a script run from cron, or ...) When it creates a temporary
address it simply says "this is a temporary address" and from that point on
everyone knows that. When DHCP (or IPv6 autoconf, or manual ifconfig)
assign an address, they don't say that, and their address is a stable one.
RFC 4941 looks to me like someone realised that the EID in
IPv6 addresses had privacy implications (because it will
turn up everywhere) and so something was concocted to "fix"
that problem that they had created. Hence why you mention
that web browsers will always want to use temporary addresses
and almost nothing else will. Anyway, I don't want to talk
about the merits of the EID...

... it isn't just web browsers that will leak that piece
of private information to the Internet, it is anything that
connects out through the Internet, be it the web browser,
ftp client or ssh.

This indicates to me that the policy for when a temporary
address should be used is not something that we can depend
on an application to provide. For example, if you're using
a web browser on a coroporate LAN then you most likely don't
want to use a temporary address but if that same web browser
were to browse the Internet, you do want to use a temporary
address (assuming a direct connection is possible.) As I
mentioned above, it isn't just the web browser that needs to
be subject to this policy but rather everything that connects
to a host on the Internet.

Some example policies for when temporary addresses are to be
used might be as follows:

- always use a temporary address;
- never use a temporary address;
- always use a temporary address for anything I reach via the
default route;
- never use a temporary address for hosts that are on networks
that I am directly connected to;
- never use a temporary address for connections to the NFS
server at 1::2.

The bottom three policies are all attributes of the
relationship between the two hosts and could arguably be
represented by a an attribute attached to a specific route
entry for that destination.

Darren


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Robert Elz
2013-02-02 15:08:58 UTC
Permalink
Date: Sat, 02 Feb 2013 23:27:21 +1100
From: Darren Reed <***@netbsd.org>
Message-ID: <***@netbsd.org>

| Not selecting the temporary address seems like a rather trivial thing

Yes, though I think we need an API that at least allows for extension
(so we don't end up with a whole bunch of specific requests that don't
necessarily play well together).

| and not something that will completely fix the problem being described.

No, that's near where this discussion started. Completely fixing the
problem, that is, handling every strange desire that someone might dream
up is hard. Solving enough of the problem that it will be adequate for
most ordinary uses is fairly easy. At least a part of a solution (as
long as we can reasonably adapt it later if we discover more that we need)
has to be better than no solution at all because a complete fix is too hard.

| RFC 4941 looks to me like someone realised that the EID in
| IPv6 addresses had privacy implications

Of course - though not really much worse than the original internet.
Source addresses were always supposed to identify the sender ... back
in the days when addresses were available, and assigned "for life"
the same issue existed. It has only been the use of NAT which effectively
hides the identity of individual systems from the outside world that's
given rise to this extra expectation of privacy.

| and so something was concocted to "fix"
| that problem that they had created.

Yes. Though not really "they created" but more to account for the
change the internet had undergone (do recall than when v6 development
started, NAT use was not yet widesread - that happened during the
development of v6 to help keep v4 alive long enough to avoid collapse).

| ... it isn't just web browsers that will leak that piece
| of private information to the Internet, it is anything that
| connects out through the Internet, be it the web browser,
| ftp client or ssh.

Yes - I was just giving an example of the kind of application for which
avoiding stable addresses is useful, not attempting to be exhaustive.
ftp clients would be another application. I'm not sure ssh matters as
much, as ssh clients tend to identify the actual user, which is even more
precise identification than just identifying the host. But it wouldn't
harm ssh clients to use temp addrs.

| This indicates to me that the policy for when a temporary
| address should be used is not something that we can depend
| on an application to provide.

I don't grasp that leap - for sure, the user might want to override
the application's default, which would usually be done by telling the
application to request a different policy. You might just as well say
that the application cannot be entrusted with selecting the destination
address, as the user might want to connect to different destinations.

| For example, if you're using
| a web browser on a coroporate LAN then you most likely don't
| want to use a temporary address

By default sure I would, it makes no difference what the server is.
If the server needs some kind of authentication, I don't want it using
addresses for that if at all possible, there's no good reason for a
http client to ever require a stable address (though there should be
a way for the user to request it, if there happens to be a requirement).

| Some example policies for when temporary addresses are to be
| used might be as follows:

There could be all kinds of policies. Some of the ones you gave
are likely, others don't make a lot of sense for most people, and
are probably beyond what a first attempt simple API needs to be able
to provide.

| The bottom three policies are all attributes of the
| relationship between the two hosts and could arguably be
| represented by a an attribute attached to a specific route
| entry for that destination.

Something like that might be useful, but it isn't just the hosts, but
also the application and I suspect that kind of mechanism is perhaps a
2nd level of implementation. At least you now seem to agree that something
to allow different address types is needed. Getting that agreement is
important, then it will make sense to start to look at what the API
might be (there have been a few ideas floated around, but nothing really
investigated yet, so avoid making judgements based on any imagined
particular API).

kre


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Darren Reed
2013-02-02 23:56:24 UTC
Permalink
On 3/02/2013 2:08 AM, Robert Elz wrote:
...
Post by Robert Elz
| ... it isn't just web browsers that will leak that piece
| of private information to the Internet, it is anything that
| connects out through the Internet, be it the web browser,
| ftp client or ssh.
Yes - I was just giving an example of the kind of application for which
avoiding stable addresses is useful, not attempting to be exhaustive.
ftp clients would be another application. I'm not sure ssh matters as
much, as ssh clients tend to identify the actual user, which is even more
precise identification than just identifying the host. But it wouldn't
harm ssh clients to use temp addrs.
| This indicates to me that the policy for when a temporary
| address should be used is not something that we can depend
| on an application to provide.
I don't grasp that leap - for sure, the user might want to override
the application's default, which would usually be done by telling the
application to request a different policy. You might just as well say
that the application cannot be entrusted with selecting the destination
address, as the user might want to connect to different destinations.
The desire to use a temporary address doesn't change with
the application, it changes with the destination or to be
more precise, with the remote service with which the
application wishes to communicate.

I don't particularly care which application is communicating
with (say) www.fbi.gov but whichever application does I want
it to use a temporary address irrespective of what the
application itself might want to do. For example.

Additionally, how is address selection policy enforced for
those applications for which source code is not available?

If I was to think about what is happening in the Windows
application space, today binaries for free software are
being provided that want to "phone home" to check for
updates, etc and some will not work unless they can do
that. If they were allowed to choose to not use a
temporary address when communicating with their "home
server", then the whole point of temporary addresses
is lost.

When you consider the NFS problem, is it important whether
or not it is rpcbind or rpc.lockd or mountd or the kernel
that needs the non-temporary address for talking to the
NFS server? No. What's important is that all communication
with the NFS server for the purpose of using that NFS
server all use a stable address and preferably the same
one that the NFS server expects!

Why do I trust the application to use the correct destination
address? Because if it doesn't then it doesn't give me the
correct service. If a web browser connects to a random IP
address rather than the one associated with the domain name
that I want then I'll see that. If my RPC utilities connect
to the wrong server then that'll be visible when I do "df"
or "ls" for the files. If my popper connects to some random
POP server rather than the one at my ISP, my email won't be
there. And so on.

To go back to your examples, one of them was connecting to
an SMTP server. Chances are that you want the same source
address used regardless of whether the connection is made
using the telnet program or a dedicated mail program.
If that is the case, why would you want to instruct each
of those separately as to how to choose a source address
rather than simply define a policy around communication
between the two hosts which by default governs how both
telnet and the mail program communicate?

Darren

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
David Laight
2013-02-03 11:31:53 UTC
Permalink
Post by Darren Reed
To go back to your examples, one of them was connecting to
an SMTP server. Chances are that you want the same source
address used regardless of whether the connection is made
using the telnet program or a dedicated mail program.
If that is the case, why would you want to instruct each
of those separately as to how to choose a source address
rather than simply define a policy around communication
between the two hosts which by default governs how both
telnet and the mail program communicate?
A related problem occurs with SCTP - where you pass a list of
local addresses so that the connections can fallback to a
different address pair when the connection would otherwise fail.
It isn't really right to have to configure the application with
parts of the global network topology.

David
--
David Laight: ***@l8s.co.uk

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Robert Elz
2013-02-05 23:18:29 UTC
Permalink
Date: Sun, 03 Feb 2013 10:56:24 +1100
From: Darren Reed <***@netbsd.org>
Message-ID: <***@netbsd.org>

| The desire to use a temporary address doesn't change with
| the application, it changes with the destination or to be
| more precise, with the remote service with which the
| application wishes to communicate.

No, not at all - or rather, once again, you are contemplating a different
problem than the one I am concerned with.

To be more clear, I am trying to get a mechanism that can be used by
NetBSD and pkgsrc developers, when they write/patch code for network
applications so they can have the application (as it gets shipped to
the users) can operate in the best possible mode, assuming the user
supplies no additional configuration information at all.

Anything that depends upon destinations, or which remote service
cannot possibly be relevant as except in a very tiny minority of cases
(applications like pkg_add perhaps) the developers have no idea what
the addresses will be, or with what site the application will be
communicating.

On the other hand, we know that for some applications (some network
protocols really - it doesn't matter if a http client is wget, curl,
or firefox) and with what we know about how servers are typically
configured and used throughout the network, things work better if
the source address is a stable address (for some) or if it is a
temporary address (for others). Similarly, some apps work better if
(when/if mobile IP is ever used) if the source address is a home
address, and others if it is a care-of address.

Once again, this is not saying that the kind of policy control that
you're concerned with - which almost must be set up at the actual
user site, as they're the only ones who can know these policies, is
less important - it also doesn't mean that they cannot share some of
the same mechanism - but what you are proposing is simply not what I
am concerned with, or what I would like to be able to achieve.

| Additionally, how is address selection policy enforced for
| those applications for which source code is not available?

They do whatever they do now (which would include some site chosen
policy - something like net.inet6.ip6.use_tempaddr but probably a little
more general than that - my aim is to allow apps to be written to
work better, not to force them to be. I readily admit that for many
apps there will be no change needed - for many it really makes no
difference, but for some it does.

| When you consider the NFS problem, is it important whether
| or not it is rpcbind or rpc.lockd or mountd or the kernel
| that needs the non-temporary address for talking to the
| NFS server? No. What's important is that all communication
| with the NFS server for the purpose of using that NFS
| server all use a stable address and preferably the same
| one that the NFS server expects!

Yes, but it is only the NFS cients that need to use that, if I am also
communicating with a web server on the same system, then I'd prefer to
use a temporary address. All the RPC (or at least the NFS related
RPC) apps should be selecting stable addressing (that might even be
done in the rpc library functions rather than anything higher)

And if I suddenly decide to mount from some other NFS server that I
haven't used before, I want that to be using stable addresses as well,
I dont want to have to remember to go add to my policy to make this
work correctly. If the RPC library simply defaults all its sockets to
use stable addresses, then good things should normally happen.

| Why do I trust the application to use the correct destination
| address? Because if it doesn't then it doesn't give me the
| correct service.

How do you know? Consider the way proxy servers get used - the
app doesn't connect to the end address you tell it at all, but
somewhere else, yet you still end up with (more or less) the correct
service. A nefarious app may do something similar for less benign purposes.

| To go back to your examples, one of them was connecting to
| an SMTP server. Chances are that you want the same source
| address used regardless of whether the connection is made
| using the telnet program or a dedicated mail program.

Yes, but from telnet, only if I am connecting to port 25 (and even
then I'm not sure it really matters, as I am probably not either
patient enough, or accurate enough with my time keeping, to get
through a greylist filter that way) - if I am using telnet to connect
to a HTTP server (port 80) I want a temporary address, and if I am
connecting to port 23, I probably don't care. That suggests that
telnet (the program) should have no default address choice, but a
config option (command line switch, or telnet "set" command) to allow
me to choose one way or the other if I happen to need it.

| If that is the case, why would you want to instruct each
| of those separately as to how to choose a source address
| rather than simply define a policy around communication
| between the two hosts which by default governs how both
| telnet and the mail program communicate?

Because I do not want to construct a policy at all. Nor do 99% of
other users. I want things to simply work as they come out of the
box, and work as well as possible. If I find that I have some
unusual requirements, then I'll learn how to configure those (and I
certainly should have some ability to do that), but as long as I'm
just an ordinary user, I just want things to work.

kre


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Darren Reed
2013-02-07 14:02:52 UTC
Permalink
Post by Robert Elz
Date: Sun, 03 Feb 2013 10:56:24 +1100
| The desire to use a temporary address doesn't change with
| the application, it changes with the destination or to be
| more precise, with the remote service with which the
| application wishes to communicate.
No, not at all - or rather, once again, you are contemplating a different
problem than the one I am concerned with.
To be more clear, I am trying to get a mechanism that can be used by
NetBSD and pkgsrc developers, when they write/patch code for network
applications so they can have the application (as it gets shipped to
the users) can operate in the best possible mode, assuming the user
supplies no additional configuration information at all.
I suspect that maybe you're concerned with a different aspect
of the privacy implications of EIDs than I am.

From a personal perspective, I neither want to burden those
maintaining pkgsrc with extra "tweaks" nor do I want to need
to write networking code on NetBSD in a "special way".

Similarly, I don't want to have to tell each application what
kind of addresses it can use.
Post by Robert Elz
Once again, this is not saying that the kind of policy control that
you're concerned with - which almost must be set up at the actual
user site, as they're the only ones who can know these policies, is
less important - it also doesn't mean that they cannot share some of
the same mechanism - but what you are proposing is simply not what I
am concerned with, or what I would like to be able to achieve.
I think you're right about that.

I'll say more on this below.
Post by Robert Elz
| To go back to your examples, one of them was connecting to
| an SMTP server. Chances are that you want the same source
| address used regardless of whether the connection is made
| using the telnet program or a dedicated mail program.
Yes, but from telnet, only if I am connecting to port 25 (and even
then I'm not sure it really matters, as I am probably not either
patient enough, or accurate enough with my time keeping, to get
through a greylist filter that way) - if I am using telnet to connect
to a HTTP server (port 80) I want a temporary address, and if I am
connecting to port 23, I probably don't care. That suggests that
telnet (the program) should have no default address choice, but a
config option (command line switch, or telnet "set" command) to allow
me to choose one way or the other if I happen to need it.
The reason that I raised telnet as an issue is that when
I use that to connect to a service, I want to see the same
address in the log files for telnet as the actual application
so that I know it is me and not someone else making the
connection to the service.

I suppose one way to approach that is to allow telnet to be
tweaked from the command line, another would be to define a
policy for that service and for which everything follows it
by default.
Post by Robert Elz
| If that is the case, why would you want to instruct each
| of those separately as to how to choose a source address
| rather than simply define a policy around communication
| between the two hosts which by default governs how both
| telnet and the mail program communicate?
Because I do not want to construct a policy at all. Nor do 99% of
other users. I want things to simply work as they come out of the
box, and work as well as possible. If I find that I have some
unusual requirements, then I'll learn how to configure those (and I
certainly should have some ability to do that), but as long as I'm
just an ordinary user, I just want things to work.
But in your email, you've almost defined the beginnings of
a policy that is something like this:

* use a temporary address for connecting to any web server
* use a stable address when connecting to NFS servers for
all SunRPC services
* use a stable address when connecting to SMTP servers

The problem with a policy like this is that it is very
difficult to express in the usual manner that involves
addresses and ports because services can live all over
the place. That said, just because it is difficult does
not mean that we cannot find a way to make it possible.

Why am I insistent on a policy?

Because when I'm debugging network issues, it is of
great help if all communication on my network from
a given device is using the same address. It does
not help me if the web server records a different
address in its logs than does the ssh server and
so on.

If there are going to be multiple sources of data that
defines how stable/temporary addresses are to be used
then what takes preference?

I see a problem here of conflicting requirements:
1) where the application has a built in policy that is
not selectable by the user but the user wants to
override the application;
2) a default policy or somewhat generic policy (such
as the current algorithm) that we want to override
with the application.

Darren


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
David Laight
2013-02-07 20:44:24 UTC
Permalink
Post by Darren Reed
But in your email, you've almost defined the beginnings of
* use a temporary address for connecting to any web server
I thought that some web servers do IP address checking.

David
--
David Laight: ***@l8s.co.uk

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Lloyd Parkes
2013-02-07 20:55:45 UTC
Permalink
Post by David Laight
I thought that some web servers do IP address checking.
I don't know what checks you have in mind, but many security conscious web sites will shoot you down if you change IP address while logged in.

Cheers,
Lloyd
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Robert Elz
2013-02-07 22:31:57 UTC
Permalink
Date: Thu, 7 Feb 2013 20:44:24 +0000
From: David Laight <***@l8s.co.uk>
Message-ID: <***@snowdrop.l8s.co.uk>

| I thought that some web servers do IP address checking.

For the kind of address changing that is being discussed here, they cannot
really now (one special case excepted) - NAT pretty much guarantees that
the local part of most users' addresses are unpredictable, and not stable
over time (that is kind of what v6 temporary addresses seek to replicate).

The exception is for web servers that are providing service only to
local users - and even those generally just check the prefix (though of
course anything is possible).

kre


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
David Laight
2013-02-07 22:58:45 UTC
Permalink
Post by Robert Elz
Date: Thu, 7 Feb 2013 20:44:24 +0000
| I thought that some web servers do IP address checking.
For the kind of address changing that is being discussed here, they cannot
really now (one special case excepted) - NAT pretty much guarantees that
the local part of most users' addresses are unpredictable, and not stable
over time (that is kind of what v6 temporary addresses seek to replicate).
Eh? NAT tends to fix the source address, it is DHCP that will randomise it.

David
--
David Laight: ***@l8s.co.uk

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Lloyd Parkes
2013-02-08 00:41:18 UTC
Permalink
Post by David Laight
Post by Robert Elz
Date: Thu, 7 Feb 2013 20:44:24 +0000
| I thought that some web servers do IP address checking.
For the kind of address changing that is being discussed here, they cannot
really now (one special case excepted) - NAT pretty much guarantees that
the local part of most users' addresses are unpredictable, and not stable
over time (that is kind of what v6 temporary addresses seek to replicate).
Eh? NAT tends to fix the source address, it is DHCP that will randomise it.
"tends to" is the operative phrase there. Carrier NAT normally maps a large collection of source addresses onto a smaller collection of source address and while I'm sure the implementations of Carrier NAT will try and keep the source addresses stable, I'm also sure that there are ISPs out there that don't give a damn.

I saw IPv4 source addresses change rapidly twice while working for Inland Revenue. Because it was so rare I was able to track down the exact cause both times and in both cases it was reasonable for me to tell the customer (outside Inland Revenue) to "stop doing that". That may be the general answer to the volatile IPv4 address side of this discussion.

Cheers,
Lloyd
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Robert Elz
2013-02-08 07:37:59 UTC
Permalink
Date: Thu, 7 Feb 2013 22:58:45 +0000
From: David Laight <***@l8s.co.uk>
Message-ID: <***@snowdrop.l8s.co.uk>

| Eh? NAT tends to fix the source address, it is DHCP that will randomise it.


No, other than as used by (some) ISPs, DHSP tends to produce very stable
source addresses - you may not be able to predict what you'll get before
you have been served the first time, but after that you can normally expect
to get the same thing every time (some cheap servers have no stable storage,
so things get unpredictable again after power outages, but aside from that
even the el-cheapo dhcp servers in consumer grade adsl routers produce
stable addresses).

For the NAT part you're looking at this from the wrong end, we aren't
concerned with what it looks like at the source host, or even as the
data departs the local site (post-NAT) - but what it looks like to the
server.

What matters is that the server cannot track the source address to a
particular client (as NAT will have reused the same address for man
different clients). The lack of any useful purpose in attempting
this means that the web server people don't bother (they invented
cookies instead).

The aim for temporary addresses for v6 was to achieve the same result
without NAT - since we're not going to get lots of clients mapped into
the same address, the solution is to map each client into lots of
addresses, again making it pointless for the web server to attempt to
track the things.

Note for this effect it is not crucial that every web client use
temporary addresses, but a large proportion need to - so we really
want to make the default be for that to happen. If some site (or
user's) policy prevents that, that's harmless.

kre


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Darren Reed
2013-02-08 09:48:37 UTC
Permalink
Post by Lloyd Parkes
Post by David Laight
I thought that some web servers do IP address checking.
I don't know what checks you have in mind, but many security conscious web sites will shoot you down if you change IP address while logged in.
So you have to login again, what's the big deal?

I'll add that those very same websites will interrupt my
browser session that I take from my home office to the
airport and later to the hotel.

Darren

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
David Young
2013-02-03 22:51:54 UTC
Permalink
Post by i***@netbsd.org
Post by Darren Reed
I wonder if focusing on addresses is the correct thing to do.
Should we in fact be focusing on network interfaces instead?
No. At least that's a different problem.
We started talking about multiple addresses on the same LAN, some being
randomized and only intended for pseudonymous access to untrusted peers.
The desire is to have an application tell it doesn't want to use them;
think address-authorized lpr or nfs.
What about being able to give an address a "metric" that enabled
a sorting order for address selection?
# ifconfig bge0 alias 192.168.1.1 netmask 255.255.255.0 weight 15
# ifconfig bge0 alais 10.1.1.1 netmask 255.255.252.0 weight 50
You can set an address preference using ifconfig, but it is only
considered by the kernel if you set 'options IPSELSRC' in your kernel.
'options IPSELSRC' contains solutions to some of the problems mentioned
in this thread. See in_getifa(9).

I forgot to document the 'preference' keyword in ifconfig(8) and I think
that a PR recently may have been filed on that.

It would be nice if one could create more than one source-selection
policy and select one for the default global policy, a default for
a particular interface, a default for a process and its descendants,
and so on.

BTW, 'options IPSELSRC' is not enabled by default because it will
override a route's preferred source address set using 'route add ...
-ifa ...' and that's not desirable. One day I will fix that, but it
requires messing some with routing code and in order to mess with
routing code one has to decipher it, no easy feat. :-) Also, I have
found that it is useful to select a source address because it is on the
same local subnet as the destination, but the implementation doesn't yet
allow for that because no routing entry is passed to in_getifa().

Dave
--
David Young
***@pobox.com Urbana, IL (217) 721-9981

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Loading...