Folks/Florian,
This reduces the maximum PIO lifetimes on the host-side, as discussed in
https://tools.ietf.org/html/draft-gont-6man-slaac-renum-05#section-4.1.2
This helps improve the reaction of IPv6 SLAAC to renumbering events, and
also helps limit the time-span of damage in the event of attacks or
misconfigurations.
--- cut here ----
diff --git engine.c engine.c
index be5d3fc827b..fbf53f83936 100644
--- engine.c
+++ engine.c
@@ -1266,8 +1266,10 @@ parse_ra(struct slaacd_iface *iface, struct
imsg_ra *ra)
ND_OPT_PI_FLAG_ONLINK;
prefix->autonomous = prf->nd_opt_pi_flags_reserved &
ND_OPT_PI_FLAG_AUTO;
- prefix->vltime = ntohl(prf->nd_opt_pi_valid_time);
- prefix->pltime = ntohl(prf->nd_opt_pi_preferred_time);
+ prefix->pltime = min(radv->router_lifetime,
+ ntohl(prf->nd_opt_pi_preferred_time));
+ prefix->vltime = min(ntohl(prf->nd_opt_pi_valid_time),
+ DFLT_VLTIME_MULT * prefix->pltime);
if (radv->min_lifetime > prefix->pltime)
radv->min_lifetime = prefix->pltime;
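Review bot: the new pltime clamp uses radv->router_lifetime with no handling for a value of 0. RFC 4861 allows a router to send Router Lifetime 0 (meaning it is not a default router) while still advertising prefixes for autoconfiguration. With this change such an RA yields pltime = 0 and then vltime = min(valid_time, DFLT_VLTIME_MULT * 0) = 0, and the unchanged lines below also pull radv->min_lifetime down to 0. Suggest applying the cap only when router_lifetime is non-zero and keeping the advertised lifetimes otherwise. Separately, the declarations are not in this hunk, so it is worth confirming that DFLT_VLTIME_MULT * prefix->pltime cannot wrap for the type of pltime.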
diff --git engine.h engine.h
index b0276e71406..0d44b251adb 100644
--- engine.h
+++ engine.h
@@ -34,3 +34,5 @@ struct imsg_configure_dfr {
void engine(int, int);
int engine_imsg_compose_frontend(int, pid_t, void *, uint16_t);
+
+#define min(a,b) ((a < b)?a:b)
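Review bot: the min() macro on the added #define line leaves its arguments unparenthesized and evaluates the selected one twice. The two call sites in engine.c pass ntohl(...) and DFLT_VLTIME_MULT * prefix->pltime, which happen to expand correctly, but an argument containing a lower-precedence operator or a side effect would not. Suggest (((a) < (b)) ? (a) : (b)) and an upper-case name, so it reads as a macro and cannot collide with a function named min. Since engine.c is its only user in this patch, defining it there rather than in engine.h would also keep it out of other files that include the header.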
diff --git slaacd.h slaacd.h
index d8e15d00aad..ad399a5ff22 100644
--- slaacd.h
+++ slaacd.h
@@ -31,6 +31,8 @@
#define IMSG_DATA_SIZE(imsg) ((imsg).hdr.len - IMSG_HEADER_SIZE)
+#define DFLT_VLTIME_MULT 48
+
static const char * const log_procnames[] = {
"main",
"engine",
---- cut here ----
Also available at:
https://www.gont.com.ar/code/patch-fgont-slaacd-max-lifetimes.txt
Thanks,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1