* Todd T. Fries <t...@openbsd.org> [2014-05-15 06:29]:
> Penned by Henning Brauer on 20140514 22:48.16, we have:
> | * Reyk Flöter <reyk.floe...@googlemail.com> [2014-05-15 01:04]:
> | > > On 15.05.2014, at 00:46, Henning Brauer <lists-openbsdt...@bsws.de> wrote:
> | > > * Mark Kettenis <mark.kette...@xs4all.nl> [2014-05-15 00:15]:
> | > >> I don't think this is a good idea; didn't we establish the other day
> | > >> that "ifconfig <if> eui64" already did what your +inet6 does?
> | > > almost, it's ifconfig <if> inet6 eui64 - but that isn't all THAT
> | > > intuitive. I like +inet6 as the opposite of -inet6.
> | > We don't have "+" something. It is foo or -foo but not +foo. I know that
> | > inet6 is already used for the regular addresses, but +inet6 sounds like an
> | > inconsistent workaround for a workaround. I don't like it.
> |
> | just inet6 doesn't work, since that is already used to show all inet6
> | addrs.
> | i find +inet6 very intuitive...
> |
> | > To "enable IPv6" link-local I would rather prefer two options to put
> | > either "inet6 eui64" (or an alias like "inet6 link-local") or an actual
> | > inet6 address in your hostname.if. The latter should automatically
> | > remove the flag and enable the link-local address - does it work this
> | > way?
> |
> | as said many times, yes it does.
>
> I ack that it is a security risk to auto address interfaces without some admin
> action.
>
> The proposed solution seems sound, 'inet6 eui64' seems sane. In theory it
> should work, but I must be doing something wrong:
>
> # ifconfig vether0 create
> # ifconfig vether0 -inet6
> # ifconfig vether0 inet6 eui64
> ifconfig: could not determine link local address

eui64 by itself is NOT enough, this is why I have the 2 line change to
the eui64 handler in the diff for the +inet6 case. Making that
unconditional is trivial, I just don't think "inet6 eui64" is very
intuitive.

see, I even think about the inet6 users.

> Once that works properly, I say we let the diff in and bikeshed if we
> truly need to invent more syntax ('+inet6') that is unlike anything else
> vs let the few of us that want this apparently obscure case add 'inet6
> eui64' and be done with it.
>
> Aka, let's not hold up the rest of the functionality just because we
> can't agree if we need a further diff to make 'inet6 eui64'
> "better/faster/easier/another way to skin the cat"...

i couldn't agree more

> IMHO, it's time to polish in the tree. This is, after all, a _security_
> related diff, no?

i'd say so.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/