* Todd T. Fries <t...@openbsd.org> [2014-05-15 06:29]:
> Penned by Henning Brauer on 20140514 22:48.16, we have:
> | * Reyk Flöter <reyk.floe...@googlemail.com> [2014-05-15 01:04]:
> | > > On 15.05.2014, at 00:46, Henning Brauer <lists-openbsdt...@bsws.de> wrote:
> | > > * Mark Kettenis <mark.kette...@xs4all.nl> [2014-05-15 00:15]:
> | > >> I don't think this is a good idea; didn't we establish the other day
> | > >> that "ifconfig <if> eui64" already did what your +inet6 does?
> | > > almost, it's ifconfig <if> inet6 eui64 - but that isn't all THAT
> | > > intuitive. I like +inet6 as the opposite of -inet6.
> | > We don't have "+" something. It is foo or -foo but not +foo. I know that
> | > inet6 is already used for the regular addresses, but +inet6 sounds like an
> | > inconsistent workaround for a workaround. I don't like it.
> | 
> | just inet6 doesn't work, since that is already used to show all inet6
> | addrs. 
> | i find +inet6 very intuitive...
> | 
> | > To "enable IPv6" link-local I would rather prefer two options to put
> | > either "inet6 eui64" (or an alias like "inet6 link-local") or an actual
> | > inet6 address in your hostname.if. The latter should automatically
> | > remove the flag and enable the link-local address - does it work this
> | > way? 
> | 
> | as said many times, yes it does.
> 
> I ack that it is a security risk to auto address interfaces without some admin
> action.
> 
> The proposed solution seems sound, 'inet6 eui64' seems sane.  In theory it
> should work, but I must be doing something wrong:
> 
>  # ifconfig vether0 create
>  # ifconfig vether0 -inet6
>  # ifconfig vether0 inet6 eui64
>  ifconfig: could not determine link local address

eui64 by itself is NOT enough, this is why I have the 2 line change to
the eui64 handler in the diff for the +inet6 case. Making that
unconditional is trivial, I just don't think "inet6 eui64" is very
intuitive. see, I even think about the inet6 users.

> Once that works properly, I say we let the diff in and bikeshed if we
> truly need to invent more syntax ('+inet6') that is unlike anything else
> vs let the few of us that want this apparently obscure case add 'inet6
> eui64' and be done with it.
> 
> Aka, let's not hold up the rest of the functionality just because we
> can't agree if we need a further diff to make 'inet6 eui64'
> "better/faster/easier/another way to skin the cat"...

i couldn't agree more

> IMHO, it's time to polish in the tree.  This is, after all, a _security_
> related diff, no?

i'd say so.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
