Re: [PATCH] Implement the upcoming RFC4941bis (IPv6 SLAAC temporary addresses/privacy extensions)

2020-04-03 Thread Bjoern A. Zeeb

On 3 Apr 2020, at 1:55, Fernando Gont wrote:

Hi Fernando,

can you follow up on 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=245103 with your more 
complete patch so this is properly tracked?  I’ll be happy to deal 
with it the next days if no one else beats me to it.


/bz



Folks/Hiroki,

I've implemented the upcoming revision of RFC4941 
(https://tools.ietf.org/html/draft-ietf-6man-rfc4941bis-08) for 
FreeBSD.


The main changes are these:

* Reduce the Valid Lifetime from 1 week to 2 days. This effectively 
limits the number of concurrent temporary addresses per prefix to 2


* Use different interface-ids for each temporary address, to prevent 
correlation of network activity among temporary addresses 
corresponding to different prefixes.


P.S.: The patch is also available here: 




 cut here 
diff --git sys/netinet6/in6_ifattach.c sys/netinet6/in6_ifattach.c
index 91ef544d8b2..c093b53974a 100644
--- sys/netinet6/in6_ifattach.c
+++ sys/netinet6/in6_ifattach.c
@@ -87,7 +87,6 @@ VNET_DECLARE(struct inpcbinfo, ripcbinfo);
 #defineV_ripcbinfo VNET(ripcbinfo)

 static int get_rand_ifid(struct ifnet *, struct in6_addr *);
-static int generate_tmp_ifid(u_int8_t *, const u_int8_t *, u_int8_t 
*);
 static int get_ifid(struct ifnet *, struct ifnet *, struct in6_addr 
*);

 static int in6_ifattach_linklocal(struct ifnet *, struct ifnet *);
 static int in6_ifattach_loopback(struct ifnet *);
@@ -152,84 +151,6 @@ get_rand_ifid(struct ifnet *ifp, struct in6_addr 
*in6)

return 0;
 }

-static int
-generate_tmp_ifid(u_int8_t *seed0, const u_int8_t *seed1, u_int8_t 
*ret)

-{
-   MD5_CTX ctxt;
-   u_int8_t seed[16], digest[16], nullbuf[8];
-   u_int32_t val32;
-
-   /* If there's no history, start with a random seed. */
-   bzero(nullbuf, sizeof(nullbuf));
-   if (bcmp(nullbuf, seed0, sizeof(nullbuf)) == 0) {
-   int i;
-
-   for (i = 0; i < 2; i++) {
-   val32 = arc4random();
-   bcopy(&val32, seed + sizeof(val32) * i, sizeof(val32));
-   }
-   } else
-   bcopy(seed0, seed, 8);
-
-   /* copy the right-most 64-bits of the given address */
-   /* XXX assumption on the size of IFID */
-   bcopy(seed1, &seed[8], 8);
-
-   if (0) {/* for debugging purposes only */
-   int i;
-
-   printf("generate_tmp_ifid: new randomized ID from: ");
-   for (i = 0; i < 16; i++)
-   printf("%02x", seed[i]);
-   printf(" ");
-   }
-
-   /* generate 16 bytes of pseudo-random value. */
-   bzero(&ctxt, sizeof(ctxt));
-   MD5Init(&ctxt);
-   MD5Update(&ctxt, seed, sizeof(seed));
-   MD5Final(digest, &ctxt);
-
-   /*
-* RFC 3041 3.2.1. (3)
-* Take the left-most 64-bits of the MD5 digest and set bit 6 (the
-* left-most bit is numbered 0) to zero.
-*/
-   bcopy(digest, ret, 8);
-   ret[0] &= ~EUI64_UBIT;
-
-   /*
-* XXX: we'd like to ensure that the generated value is not zero
-* for simplicity.  If the caclculated digest happens to be zero,
-* use a random non-zero value as the last resort.
-*/
-   if (bcmp(nullbuf, ret, sizeof(nullbuf)) == 0) {
-   nd6log((LOG_INFO,
-   "generate_tmp_ifid: computed MD5 value is zero.\n"));
-
-   val32 = arc4random();
-   val32 = 1 + (val32 % (0x - 1));
-   }
-
-   /*
-* RFC 3041 3.2.1. (4)
-* Take the rightmost 64-bits of the MD5 digest and save them in
-* stable storage as the history value to be used in the next
-* iteration of the algorithm.
-*/
-   bcopy(&digest[8], seed0, 8);
-
-   if (0) {/* for debugging purposes only */
-   int i;
-
-   printf("to: ");
-   for (i = 0; i < 16; i++)
-   printf("%02x", digest[i]);
-   printf("\n");
-   }
-
-   return 0;
-}

 /*
  * Get interface identifier for the specified interface.
@@ -798,58 +719,15 @@ in6_ifdetach_destroy(struct ifnet *ifp)
_in6_ifdetach(ifp, 0);
 }

-int
-in6_get_tmpifid(struct ifnet *ifp, u_int8_t *retbuf,
-const u_int8_t *baseid, int generate)
-{
-   u_int8_t nullbuf[8];
-   struct nd_ifinfo *ndi = ND_IFINFO(ifp);
-
-   bzero(nullbuf, sizeof(nullbuf));
-   if (bcmp(ndi->randomid, nullbuf, sizeof(nullbuf)) == 0) {
-   /* we've never created a random ID.  Create a new one. */
-   generate = 1;
-   }
-
-   if (generate) {
-   bcopy(baseid, ndi->randomseed1, sizeof(ndi->randomseed1));
-
-   /* generate_tmp_ifid will update seedn and buf */
-   (void)generate_tmp_ifid(ndi->randomseed0, ndi->randomseed1,
-

[Bug 200319] Bridge+CARP crashes/freezes

2020-04-03 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200319

Palle Girgensohn  changed:

   What|Removed |Added

 CC||gir...@freebsd.org

--- Comment #23 from Palle Girgensohn  ---
This happens on 12.1-release as well, with netgraph instead of epair.

A setup with two physical jailhosts, each with multiple vnet jails all using
netgraph, and at least one jail on each machine using the same CARP IP address.
After downing the active CARP netgraph interface to let the BACKUP jail take
over, *both* machines stop accepting any network traffic on the interfaces
connected to the netgraph bridge. The only solution I could find was to reboot
both machines.

This is really problematic for us, since our idea is to use jails and vnet with
CARP to supply resilient services.

How can I help find this problem and hopefully fix it?
