On Mon, Mar 12, 2018 at 04:05:00PM +0100, Sebastien Marie wrote:
> On Mon, Mar 12, 2018 at 03:26:12PM +0100, Florian Obser wrote:
> > On Mon, Mar 12, 2018 at 11:12:51AM +0100, Sebastien Marie wrote:
> > > Hi,
> > > 
> > > I upgraded several hosts (i386 and amd64) and the stable ipv6 address
> > > generated using soii (Semantically Opaque Interface Identifiers)
> > > changed... (which is relatively annoying as I mostly use ipv6 on my
> > > local network per default but there are double-stack hosts, so I was
> > > still able to connect to them).
> > 
> > It's rev 1.22 of slaacd/engine.c.
> 
> hep. reverting to 1.21 makes the old SOII address come back, so I
> confirm it is the origin of the change. I was searching in kernel code,
> not in userland.
> 
> > I didn't have time for any intensive staring at the code, yet. The
> > address should not have changed. And I thought I checked that before
> > ok'ing phessler's change. Sorry. Your address will change once more :(
> 
> no problem. I mostly use ipv6 locally for catching such breakage :)
> 
> thanks.
> -- 
> Sebastien Marie
> 

So the address will change once more to a different address, not to the
old one.

original RFC 7217 implementation:
         511         447   383       127       63          0
        +-+-[...]-+-+-[...]-+-+-[...]-+-+-[...]-+-+-[...]-+-+
        |               512 bit sha512 digest               |
        +-+-[...]-+-+-[...]-+-+-[...]-+-+-[...]-+-+-[...]-+-+

 127     63          0 
+-+-[...]-+-+-[...]-+-+
|  IPv6 address       |
+-+-[...]-+-+-[...]-+-+


after phessler's change (i.e. rev 1.22 of engine.c)

 511     447       383       127       63          0
+-+-[...]-+-+-[...]-+-+-[...]-+-+-[...]-+-+-[...]-+-+
|               512 bit sha512 digest               |
+-+-[...]-+-+-[...]-+-+-[...]-+-+-[...]-+-+-[...]-+-+

 127     63        0 
+-+-[...]-+-+-[...]-+
|  IPv6 address     |
+-+-[...]-+-+-[...]-+


In section 5, page 9 RFC 7217 states:

   2.  The Interface Identifier is finally obtained by taking as many
       bits from the RID value (computed in the previous step) as
       necessary, starting from the least significant bit.

So it should have looked like:

 511     447       383       127       63          0
+-+-[...]-+-+-[...]-+-+-[...]-+-+-[...]-+-+-[...]-+-+
|               512 bit sha512 digest               |
+-+-[...]-+-+-[...]-+-+-[...]-+-+-[...]-+-+-[...]-+-+

                             127       63          0 
                            +-+-+-[...]-+-+-[...]-+-+
                            |  IPv6 address         |
                            +-+-+-[...]-+-+-[...]-+-+

While it doesn't really matter, now is the right time to change it one
last time. I don't see a reason to be different here. Even though it's
not needed for interop. The RFC is not specific enough that one could
expect to move from one implementation to another and get the same
IPs, but still...

OK? (I shall come up with a better entry for current.html this time
around)

p.s. if I had originally copied the correct part of the digest the
address would not have changed in rev 1.22.

diff --git sbin/slaacd/engine.c sbin/slaacd/engine.c
index f473e3d0b80..e41a7c31751 100644
--- sbin/slaacd/engine.c
+++ sbin/slaacd/engine.c
@@ -1239,6 +1239,8 @@ gen_addr(struct slaacd_iface *iface, struct radv_prefix 
*prefix, struct
        int dad_counter = 0; /* XXX not used */
        u_int8_t digest[SHA512_DIGEST_LENGTH];
 
+       memset(&iid, 0, sizeof(iid));
+
        /* from in6_ifadd() in nd6_rtr.c */
        /* XXX from in6.h, guarded by #ifdef _KERNEL   XXX nonstandard */
 #define s6_addr32 __u6_addr.__u6_addr32
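Review bot: the new memset(&iid, 0, sizeof(iid)) at the top of gen_addr() is not explained anywhere in the message, which only discusses which end of the digest gets copied. The soii branch in the next hunk overwrites all of iid.s6_addr, so it is not obvious from the diff which bytes were previously left unset. Please say in the commit message what the zeroing fixes, or commit it separately so the address-changing part can be reviewed and reverted on its own.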
@@ -1275,7 +1277,8 @@ gen_addr(struct slaacd_iface *iface, struct radv_prefix 
*prefix, struct
                    sizeof(addr_proposal->soiikey));
                SHA512Final(digest, &ctx);
 
-               memcpy(&iid.s6_addr, digest, sizeof(iid.s6_addr));
+               memcpy(&iid.s6_addr, digest + (sizeof(digest) -
+                   sizeof(iid.s6_addr)), sizeof(iid.s6_addr));
        } else {
                /* This is safe, because we have a 64 prefix len */
                memcpy(&iid.s6_addr, &iface->ll_address.sin6_addr,
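Review bot: the new source offset digest + (sizeof(digest) - sizeof(iid.s6_addr)) needs a comment saying that it selects the least significant bits of the digest per RFC 7217 section 5 step 2, with the last digest byte read as least significant. Without it the expression looks arbitrary, and stable addresses have already changed once because of which digest bytes end up in the address. Note also that 16 bytes are copied here while in6_get_soii_ifid() copies 8; if the two are meant to produce the same identifier, a comment should say that only the low 64 bits of iid are used.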
diff --git sys/netinet6/in6_ifattach.c sys/netinet6/in6_ifattach.c
index 0aa10fad94b..e2a4ab1dd92 100644
--- sys/netinet6/in6_ifattach.c
+++ sys/netinet6/in6_ifattach.c
@@ -244,7 +244,7 @@ in6_get_soii_ifid(struct ifnet *ifp, struct in6_addr *in6)
        SHA512Update(&ctx, ip6_soiikey, sizeof(ip6_soiikey));
        SHA512Final(digest, &ctx);
 
-       bcopy(digest, &in6->s6_addr[8], 8);
+       bcopy(digest + (sizeof(digest) - 8), &in6->s6_addr[8], 8);
 
        return 0;
 }
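Review bot: in the changed bcopy() the literal 8 now appears three times, as source offset, destination index and length, and nothing says it is the size of the interface identifier. A named constant, or at least a comment such as "low 64 bits of the digest, RFC 7217 section 5 step 2", would make it clear that sizeof(digest) - 8 is deliberate and has to stay in step with the slaacd change in gen_addr().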


-- 
I'm not entirely sure you are real.
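
The rule quoted above from RFC 7217 section 5, as an added C example that is not part of the original mail or of OpenBSD's code: it takes the least significant bits of the digest and, going beyond the /64 case in the patch, handles any prefix length. The name soii_compose, the big-endian reading of the digest (last byte least significant, as in the patch), and the sample digest and prefix are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper (not OpenBSD code): fill out[] with the first
 * prefix_len bits of prefix[] followed by the least significant
 * (128 - prefix_len) bits of rid[], read as one big-endian integer,
 * so rid[rid_len - 1] holds bit 0. Returns 0, or -1 on bad lengths.
 */
int
soii_compose(const uint8_t *rid, size_t rid_len, const uint8_t prefix[16],
    unsigned prefix_len, uint8_t out[16])
{
	const uint8_t *tail;
	unsigned full, rem;

	if (rid_len < 16 || prefix_len > 128)
		return -1;
	tail = rid + (rid_len - 16);	/* low 128 bits of the RID */
	full = prefix_len / 8;		/* whole prefix bytes */
	rem = prefix_len % 8;		/* prefix bits in the shared byte */

	memcpy(out, tail, 16);
	memcpy(out, prefix, full);
	if (rem != 0) {
		uint8_t mask = (uint8_t)(0xff << (8 - rem));
		out[full] = (uint8_t)((prefix[full] & mask) | (tail[full] & ~mask));
	}
	return 0;
}

int
main(void)
{
	/* Constructed stand-in for a SHA-512 digest: bytes 0x00..0x3f. */
	uint8_t rid[64], out[16];
	uint8_t prefix[16] = { 0x20, 0x01, 0x0d, 0xb8 };	/* 2001:db8::/64 */
	int i;

	for (i = 0; i < 64; i++)
		rid[i] = (uint8_t)i;
	if (soii_compose(rid, sizeof(rid), prefix, 64, out) != 0)
		return 1;
	for (i = 0; i < 16; i++)	/* interface id is 38..3f, not 00..07 */
		printf("%02x%s", out[i], (i % 2 && i < 15) ? ":" : "");
	printf("\n");
	return 0;
}
```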
