next try
- sha512
- fixed key size
- /etc/soii.key
- man page tweaks from sthen & jmc and rewording by me to get rid of 48 bits
- link local address is updated when soii flag is toggled
If this is the final version I can cut up the diff and send parts if
people prefer. But I also take OKs for the big one :)
diff --git etc/rc etc/rc
index 48e5671335f..47dc78362c2 100644
--- etc/rc
+++ etc/rc
@@ -47,6 +47,14 @@ update_limit() {
done
}
+# Apply soii.key settings.
+soii_key() {
+ stripcom /etc/soii.key |
+ while read _line; do
+ sysctl -q "net.inet6.ip6.soiikey=$_line"
+ done
+}
+
# Apply sysctl.conf(5) settings.
sysctl_conf() {
stripcom /etc/sysctl.conf |
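Review bot: `soii_key` feeds every non-comment line of /etc/soii.key to its own sysctl(8) call, so a file that accidentally contains two lines sets the key twice with the last one silently winning; reading with `read -r _line` and stopping after the first line applied (e.g. `sysctl -q "net.inet6.ip6.soiikey=$_line" && break`) would make the file's contract "one key" explicit. Because the key is passed as an argument, it is briefly visible to local users through ps(1) while sysctl runs; that is presumably acceptable at boot, but a one-line comment such as `# the key is passed on the sysctl(8) command line` next to the call would record that the exposure was considered. The generated key is hex, so the missing `-r` is harmless today, but it costs nothing.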
@@ -60,6 +68,7 @@ sysctl_conf() {
update_limit -n openfiles;;
esac
done
+ soii_key
}
# Apply mixerctl.conf(5) settings.
@@ -154,6 +163,11 @@ make_keys() {
fi
ssh-keygen -A
+
+ if [[ ! -f /etc/soii.key ]]; then
+ openssl rand -hex 16 > /etc/soii.key && \
+ chmod 600 /etc/soii.key && soii_key
+ fi
}
# Re-link libraries, placing the objects in a random order.
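Review bot: The redirection `> /etc/soii.key` creates the file before `chmod 600` runs, so under whatever umask rc is running with there is a short window in which the new key can be read by any local user; creating it under a restrictive umask closes that window: `(umask 077; openssl rand -hex 16 > /etc/soii.key) && soii_key`. The `&&` chain has a second consequence: if `openssl rand` fails, the redirection has already left an empty /etc/soii.key behind, and on the next boot `[[ ! -f /etc/soii.key ]]` is false, so no key is ever generated; testing with `-s` instead of `-f`, or removing the file when generation fails, avoids that. `make_keys` begins outside this hunk.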
diff --git sbin/ifconfig/brconfig.h sbin/ifconfig/brconfig.h
index ee68feb411b..09c871b352b 100644
--- sbin/ifconfig/brconfig.h
+++ sbin/ifconfig/brconfig.h
@@ -73,7 +73,7 @@ void switch_portno(const char *, const char *);
"\024\1UP\2BROADCAST\3DEBUG\4LOOPBACK\5POINTOPOINT\6NOTRAILERS" \
"\7RUNNING\10NOARP\11PROMISC\12ALLMULTI\13OACTIVE\14SIMPLEX"\
"\15LINK0\16LINK1\17LINK2\20MULTICAST" \
- "\23INET6_NOPRIVACY\24MPLS\25WOL\26AUTOCONF6"
+ "\23INET6_NOPRIVACY\24MPLS\25WOL\26AUTOCONF6\27INET6_NOSOII"
void printb(char *, unsigned int, unsigned char *);
diff --git sbin/ifconfig/ifconfig.8 sbin/ifconfig/ifconfig.8
index cac8eafc2cb..3f0dd8f373b 100644
--- sbin/ifconfig/ifconfig.8
+++ sbin/ifconfig/ifconfig.8
@@ -1070,6 +1070,7 @@ protocol when supported by the access point.
.Op Oo Fl Oc Ns Cm autoconfprivacy
.Op Cm eui64
.Op Cm pltime Ar n
+.Op Oo Fl Oc Ns Cm soii
.Op Oo Fl Oc Ns Cm tentative
.Op Cm vltime Ar n
.Ek
@@ -1127,6 +1128,22 @@ Fill the interface index
automatically.
.It Cm pltime Ar n
Set preferred lifetime for the address.
+.It Cm soii
+Enable persistent Semantically Opaque Interface Identifiers (SOIIs),
+as per RFC 7217, for link local and SLAAC addresses on the interface.
+The purpose of these identifiers is to make discovery of hosts by
+scanning a whole prefix more difficult.
+SOIIs use the whole 64 bits of the host part while SLAAC addresses are
+formed from MAC addresses which can lower the entropy to 24 bits if
+the host is running in a virtualization environment or the hardware
+manufacturer is known.
+See RFC 8064 for details.
+SOIIs are enabled by default.
+.It Cm -soii
+Disable IPv6 persistent Semantically Opaque Interface Identifiers on the
+interface.
+Currently configured addresses will not be removed until they become
+invalid.
.It Cm tentative
Set the IPv6 tentative address bit.
.It Cm -tentative
diff --git sbin/ifconfig/ifconfig.c sbin/ifconfig/ifconfig.c
index d99bcb34871..bd7ce506398 100644
--- sbin/ifconfig/ifconfig.c
+++ sbin/ifconfig/ifconfig.c
@@ -388,6 +388,8 @@ const structcmd {
{ "eui64", 0, 0, setia6eui64 },
{ "autoconfprivacy",-IFXF_INET6_NOPRIVACY, 0, setifxflags },
{ "-autoconfprivacy", IFXF_INET6_NOPRIVACY, 0, setifxflags },
+ { "soii", -IFXF_INET6_NOSOII, 0, setifxflags },
+ { "-soii", IFXF_INET6_NOSOII, 0, setifxflags },
#ifndef SMALL
{ "hwfeatures", NEXTARG0, 0, printifhwfeatures },
{ "metric", NEXTARG,0, setifmetric },
diff --git sbin/slaacd/engine.c sbin/slaacd/engine.c
index 394df48eeb6..5fecf6e8779 100644
--- sbin/slaacd/engine.c
+++ sbin/slaacd/engine.c
@@ -64,6 +64,8 @@
#include
#include
+#include
+
#include
#include
#include
@@ -180,6 +182,7 @@ struct address_proposal {
uint8_t prefix_len;
uint32_t vltime;
uint32_t pltime;
+ uint8_t soiikey[SLAACD_SOIIKEY_LEN];
};
struct dfr_proposal {
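Review bot: `struct address_proposal` now carries its own copy of the SOII key in `soiikey[SLAACD_SOIIKEY_LEN]`, and the next hunk adds the same member to `struct slaacd_iface`, so the secret will be duplicated into every proposal object the engine allocates. Wherever those objects are released (outside this diff) the key should be wiped before the memory is freed, e.g. `explicit_bzero(addr_proposal->soiikey, sizeof(addr_proposal->soiikey));`, since a plain memset before free can be optimised away. It is not visible here whether an address_proposal is ever marshalled to another slaacd process; if it is, the key crosses that boundary with it, so a comment on the member explaining why the proposal needs its own copy rather than consulting the interface's key, and that it must stay engine-private, would help the next reader. Both struct definitions start before their hunks.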
@@ -205,8 +208,10 @@ struct slaacd_iface {
uint32_t if_index;
int running;
int autoconfprivacy;
+ int soii;
struct ether_addrhw_address;
struct sockaddr_in6 ll_address;
+ uint8_t soiikey[SLAACD_SOIIKEY_LEN];
LIST_HEAD(, radv)radvs;
LIST_HEAD(, address_proposal)addr_proposals;
LIST_HEAD(, dfr_proposal)dfr_proposals;
@@ -615,12 +620,15 @@