I do like the limiting of pltime to router lifetime, the factor of 48
though. I don't know it seems like pulled out of thin air or to make
the math work out to 1 day.

I'm not fundamentally opposed to it and I'm fine with this going in if
the draft is accepted or if it's clear that there is going to be WG
consensus. Meaning we don't have to wait for this becoming an RFC.
I'm currently not up2date on what's going on on the list. What's the
state of this? I will also do a bit more reading on my own.

I would write it like this, not yet tested.

diff --git engine.c engine.c
index 8f2c4297225..30462e19dbb 100644
--- engine.c
+++ engine.c
@@ -91,6 +91,13 @@
 #define ND6_PRIV_VALID_LIFETIME                172800  /* 2 days */
 #define ND6_PRIV_PREFERRED_LIFETIME    86400   /* 1 day */
 
+/* derive valid from prefered lifetime (draft-gont-6man-slaac-renum) */
+#define        VLTIME_FROM_PLTIME_FACTOR       48
+
+#ifndef MIN
+#define        MIN(_a,_b) ((_a) < (_b) ? (_a) : (_b))
+#endif
+
 enum if_state {
        IF_DOWN,
        IF_DELAY,
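Review bot: The comment on `VLTIME_FROM_PLTIME_FACTOR` does not say what bounds the multiplication, which matters because the operand is parsed from an unauthenticated RA. The parse_ra hunk computes `VLTIME_FROM_PLTIME_FACTOR * prefix->pltime`; if `pltime` is a 32-bit unsigned field (its declaration is not in this diff), the product wraps once pltime exceeds roughly 89 million seconds and would produce an unexpectedly short vltime. It only stays in range because pltime is clamped to `router_lifetime` first, presumably a 16-bit value. I would state that dependency in the comment, e.g. `/* vltime is capped at factor * pltime; pltime must already be clamped to router_lifetime so the 32-bit product cannot wrap */`, and correct the spelling to "preferred".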
@@ -1271,8 +1278,10 @@ parse_ra(struct slaacd_iface *iface, struct imsg_ra *ra)
                            ND_OPT_PI_FLAG_ONLINK;
                        prefix->autonomous = prf->nd_opt_pi_flags_reserved &
                            ND_OPT_PI_FLAG_AUTO;
-                       prefix->vltime = ntohl(prf->nd_opt_pi_valid_time);
-                       prefix->pltime = ntohl(prf->nd_opt_pi_preferred_time);
+                       prefix->pltime = MIN(radv->router_lifetime,
+                           ntohl(prf->nd_opt_pi_preferred_time));
+                       prefix->vltime = MIN(ntohl(prf->nd_opt_pi_valid_time),
+                           VLTIME_FROM_PLTIME_FACTOR * prefix->pltime);
                        if (radv->min_lifetime > prefix->pltime)
                                radv->min_lifetime = prefix->pltime;
 
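Review bot: A Router Lifetime of 0 makes the new clamp set `prefix->pltime` to 0, and `prefix->vltime` with it, because both are now bounded by `radv->router_lifetime`. In RFC 4861 a zero Router Lifetime only says the sender is not a default router and does not apply to the options carried in the RA, so a prefix announced by such a router would be deprecated and invalidated immediately. Consider skipping the cap in that case, `if (radv->router_lifetime != 0 && prefix->pltime > radv->router_lifetime) prefix->pltime = radv->router_lifetime;`, or confirm that the draft intends this behaviour. Any unauthenticated RA could otherwise shorten lifetimes this way unless the two-hour rule of RFC 4862 is applied to the clamped values later; that, and whether the pltime > vltime sanity check still sees the on-wire values, cannot be told from here since parse_ra continues outside the hunk.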


On Mon, Mar 23, 2020 at 04:47:39AM -0300, Fernando Gont wrote:
> Folks/Florian,
> 
> This reduces the maximum PIO lifetimes on the host-side, as discussed in
> https://tools.ietf.org/html/draft-gont-6man-slaac-renum-05#section-4.1.2
> 
> This helps improve the reaction of IPv6 SLAAC to renumbering events, and
> also helps limit the time-span of damage in the event of attacks or
> misconfigurations.
> 
> 
> --- cut here ----
> diff --git engine.c engine.c
> index be5d3fc827b..fbf53f83936 100644
> --- engine.c
> +++ engine.c
> @@ -1266,8 +1266,10 @@ parse_ra(struct slaacd_iface *iface, struct imsg_ra
> *ra)
>                           ND_OPT_PI_FLAG_ONLINK;
>                       prefix->autonomous = prf->nd_opt_pi_flags_reserved &
>                           ND_OPT_PI_FLAG_AUTO;
> -                     prefix->vltime = ntohl(prf->nd_opt_pi_valid_time);
> -                     prefix->pltime = ntohl(prf->nd_opt_pi_preferred_time);
> +                     prefix->pltime = min(radv->router_lifetime,
> +                                      ntohl(prf->nd_opt_pi_preferred_time));
> +                     prefix->vltime = min(ntohl(prf->nd_opt_pi_valid_time),
> +                                      DFLT_VLTIME_MULT * prefix->pltime);
>                       if (radv->min_lifetime > prefix->pltime)
>                               radv->min_lifetime = prefix->pltime;
> 
> diff --git engine.h engine.h
> index b0276e71406..0d44b251adb 100644
> --- engine.h
> +++ engine.h
> @@ -34,3 +34,5 @@ struct imsg_configure_dfr {
> 
>  void          engine(int, int);
>  int           engine_imsg_compose_frontend(int, pid_t, void *, uint16_t);
> +
> +#define min(a,b) ((a < b)?a:b)
> diff --git slaacd.h slaacd.h
> index d8e15d00aad..ad399a5ff22 100644
> --- slaacd.h
> +++ slaacd.h
> @@ -31,6 +31,8 @@
> 
>  #define      IMSG_DATA_SIZE(imsg)    ((imsg).hdr.len - IMSG_HEADER_SIZE)
> 
> +#define DFLT_VLTIME_MULT     48
> +
>  static const char * const log_procnames[] = {
>       "main",
>       "engine",
> 
> ---- cut here ----
> 
> Also available at:
> https://www.gont.com.ar/code/patch-fgont-slaacd-max-lifetimes.txt
> 
> Thanks,
> -- 
> Fernando Gont
> e-mail: ferna...@gont.com.ar || fg...@si6networks.com
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
> 
> 
> 

-- 
I'm not entirely sure you are real.
