slaacd: Reduce maximum IPv6 PIO lifetimes

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

slaacd: Reduce maximum IPv6 PIO lifetimes

Fernando Gont-2
Folks/Florian,

This reduces the maximum PIO lifetimes on the host-side, as discussed in
https://tools.ietf.org/html/draft-gont-6man-slaac-renum-05#section-4.1.2

This helps improve the reaction of IPv6 SLAAC to renumbering events, and
also helps limit the time-span of damage in the event of attacks or
misconfigurations.


--- cut here ----
diff --git engine.c engine.c
index be5d3fc827b..fbf53f83936 100644
--- engine.c
+++ engine.c
@@ -1266,8 +1266,10 @@ parse_ra(struct slaacd_iface *iface, struct
imsg_ra *ra)
     ND_OPT_PI_FLAG_ONLINK;
  prefix->autonomous = prf->nd_opt_pi_flags_reserved &
     ND_OPT_PI_FLAG_AUTO;
- prefix->vltime = ntohl(prf->nd_opt_pi_valid_time);
- prefix->pltime = ntohl(prf->nd_opt_pi_preferred_time);
+ prefix->pltime = min(radv->router_lifetime,
+                 ntohl(prf->nd_opt_pi_preferred_time));
+ prefix->vltime = min(ntohl(prf->nd_opt_pi_valid_time),
+                 DFLT_VLTIME_MULT * prefix->pltime);
  if (radv->min_lifetime > prefix->pltime)
  radv->min_lifetime = prefix->pltime;

diff --git engine.h engine.h
index b0276e71406..0d44b251adb 100644
--- engine.h
+++ engine.h
@@ -34,3 +34,5 @@ struct imsg_configure_dfr {

  void engine(int, int);
  int engine_imsg_compose_frontend(int, pid_t, void *, uint16_t);
+
+#define min(a,b) ((a < b)?a:b)
diff --git slaacd.h slaacd.h
index d8e15d00aad..ad399a5ff22 100644
--- slaacd.h
+++ slaacd.h
@@ -31,6 +31,8 @@

  #define IMSG_DATA_SIZE(imsg) ((imsg).hdr.len - IMSG_HEADER_SIZE)

+#define DFLT_VLTIME_MULT 48
+
  static const char * const log_procnames[] = {
  "main",
  "engine",

---- cut here ----

Also available at:
https://www.gont.com.ar/code/patch-fgont-slaacd-max-lifetimes.txt

Thanks,
--
Fernando Gont
e-mail: [hidden email] || [hidden email]
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1



Reply | Threaded
Open this post in threaded view
|

Re: slaacd: Reduce maximum IPv6 PIO lifetimes

Florian Obser-2
I do like the limiting of pltime to router lifetime, the factor of 48
though. I don't know it seems like pulled out of thin air or to make
the math work out to 1 day.

I'm not fundamentally opposed to it and I'm fine with this going in if
the draft is accepted or if it's clear that there is going to be WG
concensus. Meaning we don't have to wait for this becoming and RFC.
I'm currently not up2date on what's going on on the list. What's the
state of this? I will also do a bit more reading on my own.

I would write it like this, not yet tested.

diff --git engine.c engine.c
index 8f2c4297225..30462e19dbb 100644
--- engine.c
+++ engine.c
@@ -91,6 +91,13 @@
 #define ND6_PRIV_VALID_LIFETIME 172800 /* 2 days */
 #define ND6_PRIV_PREFERRED_LIFETIME 86400 /* 1 day */
 
+/* derive valid from prefered lifetime (draft-gont-6man-slaac-renum) */
+#define VLTIME_FROM_PLTIME_FACTOR 48
+
+#ifndef MIN
+#define MIN(_a,_b) ((_a) < (_b) ? (_a) : (_b))
+#endif
+
 enum if_state {
  IF_DOWN,
  IF_DELAY,
@@ -1271,8 +1278,10 @@ parse_ra(struct slaacd_iface *iface, struct imsg_ra *ra)
     ND_OPT_PI_FLAG_ONLINK;
  prefix->autonomous = prf->nd_opt_pi_flags_reserved &
     ND_OPT_PI_FLAG_AUTO;
- prefix->vltime = ntohl(prf->nd_opt_pi_valid_time);
- prefix->pltime = ntohl(prf->nd_opt_pi_preferred_time);
+ prefix->pltime = MIN(radv->router_lifetime,
+    ntohl(prf->nd_opt_pi_preferred_time));
+ prefix->vltime = MIN(ntohl(prf->nd_opt_pi_valid_time),
+    VLTIME_FROM_PLTIME_FACTOR * prefix->pltime);
  if (radv->min_lifetime > prefix->pltime)
  radv->min_lifetime = prefix->pltime;
 


On Mon, Mar 23, 2020 at 04:47:39AM -0300, Fernando Gont wrote:

> Folks/Florian,
>
> This reduces the maximum PIO lifetimes on the host-side, as discussed in
> https://tools.ietf.org/html/draft-gont-6man-slaac-renum-05#section-4.1.2
>
> This helps improve the reaction of IPv6 SLAAC to renumbering events, and
> also helps limit the time-span of damage in the event of attacks or
> misconfigurations.
>
>
> --- cut here ----
> diff --git engine.c engine.c
> index be5d3fc827b..fbf53f83936 100644
> --- engine.c
> +++ engine.c
> @@ -1266,8 +1266,10 @@ parse_ra(struct slaacd_iface *iface, struct imsg_ra
> *ra)
>      ND_OPT_PI_FLAG_ONLINK;
>   prefix->autonomous = prf->nd_opt_pi_flags_reserved &
>      ND_OPT_PI_FLAG_AUTO;
> - prefix->vltime = ntohl(prf->nd_opt_pi_valid_time);
> - prefix->pltime = ntohl(prf->nd_opt_pi_preferred_time);
> + prefix->pltime = min(radv->router_lifetime,
> +                 ntohl(prf->nd_opt_pi_preferred_time));
> + prefix->vltime = min(ntohl(prf->nd_opt_pi_valid_time),
> +                 DFLT_VLTIME_MULT * prefix->pltime);
>   if (radv->min_lifetime > prefix->pltime)
>   radv->min_lifetime = prefix->pltime;
>
> diff --git engine.h engine.h
> index b0276e71406..0d44b251adb 100644
> --- engine.h
> +++ engine.h
> @@ -34,3 +34,5 @@ struct imsg_configure_dfr {
>
>  void engine(int, int);
>  int engine_imsg_compose_frontend(int, pid_t, void *, uint16_t);
> +
> +#define min(a,b) ((a < b)?a:b)
> diff --git slaacd.h slaacd.h
> index d8e15d00aad..ad399a5ff22 100644
> --- slaacd.h
> +++ slaacd.h
> @@ -31,6 +31,8 @@
>
>  #define IMSG_DATA_SIZE(imsg) ((imsg).hdr.len - IMSG_HEADER_SIZE)
>
> +#define DFLT_VLTIME_MULT 48
> +
>  static const char * const log_procnames[] = {
>   "main",
>   "engine",
>
> ---- cut here ----
>
> Also available at:
> https://www.gont.com.ar/code/patch-fgont-slaacd-max-lifetimes.txt
>
> Thanks,
> --
> Fernando Gont
> e-mail: [hidden email] || [hidden email]
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
>
>

--
I'm not entirely sure you are real.

Reply | Threaded
Open this post in threaded view
|

Re: slaacd: Reduce maximum IPv6 PIO lifetimes

Theo de Raadt-2
+#ifndef MIN
+#define        MIN(_a,_b) ((_a) < (_b) ? (_a) : (_b))

Please use MINIMUM() for the name, as elsewhere.  You also don't need the _.

Reply | Threaded
Open this post in threaded view
|

Re: slaacd: Reduce maximum IPv6 PIO lifetimes

Fernando Gont-2
In reply to this post by Florian Obser-2
On 27/3/20 15:21, Florian Obser wrote:
> I do like the limiting of pltime to router lifetime, the factor of 48
> though. I don't know it seems like pulled out of thin air or to make
> the math work out to 1 day.

It was made out so that vltime would be one day. To be honest, I believe
that it could and should be smaller than thay (say, 2*pltime) -- at the
end of the day:

* For ongoing sessions, TCP and such would nevertheless time out

* If the concern is local communications:
   1) One could set only ULAs to this long lifetime, and normal GUAs to
      something shorter
   2) And anyway, for local link communications, you have link-local
      addresses

But I ended up setting it to 48 * Router Lifetime because some IETF wg
participants were a bit scared.  So I opted for this conservative
choice... the multiplier can always be changed later.



> I'm not fundamentally opposed to it and I'm fine with this going in if
> the draft is accepted or if it's clear that there is going to be WG
> concensus. Meaning we don't have to wait for this becoming and RFC.
> I'm currently not up2date on what's going on on the list. What's the
> state of this? I will also do a bit more reading on my own.

The topic has been discussed for about a year. There seemed to be
consensus about reducing the defaults. For instance, one of the original
authors of the ND spec noted that the current values are just insane,
and the PIO lifetimes should be small (like the ones in my draft).
I'm supposed to present this stuff at the next 6man meeting. 6man is
generally a pain (it took me over 6 years to replace the traditional
SLAAC IIDs with RFC7217, via RFC8064).

The problem, and the need to do something, has been acknowledged: the
v6ops wg already accepted the problem statement I-D:
https://tools.ietf.org/html/draft-ietf-v6ops-slaac-renum-01

The problem can even happen accidentally if you e.g. configure rad(8),
realize that made a typo, kill the daemon, change the config, and
restart the daemon. -- the old prefix would live there for a loooong time.

Thanks,
--
Fernando Gont
e-mail: [hidden email] || [hidden email]
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1



Reply | Threaded
Open this post in threaded view
|

Re: slaacd: Reduce maximum IPv6 PIO lifetimes

Florian Obser-2
In reply to this post by Theo de Raadt-2
On Fri, Mar 27, 2020 at 12:24:27PM -0600, Theo de Raadt wrote:
> +#ifndef MIN
> +#define        MIN(_a,_b) ((_a) < (_b) ? (_a) : (_b))
>
> Please use MINIMUM() for the name, as elsewhere.  You also don't need the _.
>

diff --git engine.c engine.c
index 8f2c4297225..f461708af77 100644
--- engine.c
+++ engine.c
@@ -91,6 +91,11 @@
 #define ND6_PRIV_VALID_LIFETIME 172800 /* 2 days */
 #define ND6_PRIV_PREFERRED_LIFETIME 86400 /* 1 day */
 
+/* derive valid from prefered lifetime (draft-gont-6man-slaac-renum) */
+#define VLTIME_FROM_PLTIME_FACTOR 48
+
+#define MINIMUM(a, b) ((a) < (b) ? (a) : (b))
+
 enum if_state {
  IF_DOWN,
  IF_DELAY,
@@ -1271,8 +1276,11 @@ parse_ra(struct slaacd_iface *iface, struct imsg_ra *ra)
     ND_OPT_PI_FLAG_ONLINK;
  prefix->autonomous = prf->nd_opt_pi_flags_reserved &
     ND_OPT_PI_FLAG_AUTO;
- prefix->vltime = ntohl(prf->nd_opt_pi_valid_time);
- prefix->pltime = ntohl(prf->nd_opt_pi_preferred_time);
+ prefix->pltime = MINIMUM(radv->router_lifetime,
+    ntohl(prf->nd_opt_pi_preferred_time));
+ prefix->vltime =
+    MINIMUM(ntohl(prf->nd_opt_pi_valid_time),
+    VLTIME_FROM_PLTIME_FACTOR * prefix->pltime);
  if (radv->min_lifetime > prefix->pltime)
  radv->min_lifetime = prefix->pltime;
 


--
I'm not entirely sure you are real.