Re: RFC 7217: random but stable addresses (take 3)

2017-07-19 Thread Stuart Henderson
On 2017/07/19 06:34, Florian Obser wrote:
> I'm withdrawing the diff, it's not going to happen

Pity.

dhcpcd (in packages) does this if somebody needs an alternative way.



Re: RFC 7217: random but stable addresses (take 3)

2017-07-19 Thread Florian Obser
I'm withdrawing the diff, it's not going to happen

-- 
I'm not entirely sure you are real.



Re: RFC 7217: random but stable addresses (take 3)

2017-07-15 Thread Florian Obser
On Sat, Jul 15, 2017 at 06:58:40AM +0200, Sebastien Marie wrote:
> On Fri, Jul 14, 2017 at 11:56:02AM +, Florian Obser wrote:
> > next try
> > - sha512
> > - fixed key size
> > - /etc/soii.key
> > - man page tweaks from sthen & jmc and rewording by me to get rid of 48 bits
> > - link local address is updated when soii flag is toggled
> > 
> 
> Could /etc/soii.key be added to /etc/changelist too please?

yes, good idea, thanks! added to my repo

> 
> Index: changelist
> ===
> RCS file: /cvs/src/etc/changelist,v
> retrieving revision 1.117
> diff -u -p -r1.117 changelist
> --- changelist3 May 2017 11:55:36 -   1.117
> +++ changelist15 Jul 2017 04:55:37 -
> @@ -115,6 +115,7 @@
>  /etc/services
>  /etc/shells
>  /etc/snmpd.conf
> ++/etc/soii.key
>  +/etc/spwd.db
>  /etc/ssh/ssh_config
>  +/etc/ssh/ssh_host_dsa_key
> 
> 
> Thanks.
> -- 
> Sebastien Marie
> 

-- 
I'm not entirely sure you are real.



Re: RFC 7217: random but stable addresses (take 3)

2017-07-14 Thread Sebastien Marie
On Fri, Jul 14, 2017 at 11:56:02AM +, Florian Obser wrote:
> next try
> - sha512
> - fixed key size
> - /etc/soii.key
> - man page tweaks from sthen & jmc and rewording by me to get rid of 48 bits
> - link local address is updated when soii flag is toggled
> 

Could /etc/soii.key be added to /etc/changelist too please?

Index: changelist
===
RCS file: /cvs/src/etc/changelist,v
retrieving revision 1.117
diff -u -p -r1.117 changelist
--- changelist  3 May 2017 11:55:36 -   1.117
+++ changelist  15 Jul 2017 04:55:37 -
@@ -115,6 +115,7 @@
 /etc/services
 /etc/shells
 /etc/snmpd.conf
++/etc/soii.key
 +/etc/spwd.db
 /etc/ssh/ssh_config
 +/etc/ssh/ssh_host_dsa_key
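Review bot: the leading `+` on the new `/etc/soii.key` entry is the right marking; it puts the file in the same class as `/etc/spwd.db` and the SSH host keys directly around it, so the daily changelist run only reports that the file changed and never mails the key bytes themselves. Keeping the entry sorted between `snmpd.conf` and `spwd.db` also matches the surrounding order.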


Thanks.
-- 
Sebastien Marie



Re: RFC 7217: random but stable addresses (take 3)

2017-07-14 Thread Christian Weisgerber
On 2017-07-14, Florian Obser wrote:

> --- etc/rc
> +++ etc/rc
> @@ -47,6 +47,14 @@ update_limit() {
>   done
>  }
>  
> +# Apply soii.key settings.
> +soii_key() {
> + stripcom /etc/soii.key |
> + while read _line; do
> + sysctl -q "net.inet6.ip6.soiikey=$_line"
> + done
> +}

I think this should move into netstart.
Currently, I can boot a machine into single-user mode and run
netstart to configure an interface.  With the changes here, I
need to remember to manually load the soiikey first, otherwise I
end up with a different v6 address.

Also, since we agreed that it's just an opaque blob, we don't need to
treat it like a configuration file.

sysctl -q "net.inet6.ip6.soiikey=$(

Re: RFC 7217: random but stable addresses (take 3)

2017-07-14 Thread Robert Peichaer
On Fri, Jul 14, 2017 at 11:56:02AM +, Florian Obser wrote:
> next try
> - sha512
> - fixed key size
> - /etc/soii.key
> - man page tweaks from sthen & jmc and rewording by me to get rid of 48 bits
> - link local address is updated when soii flag is toggled
> 
> If this is the final version I can cut up the diff and send parts if
> people prefer. But I also take OKs for the big one :)
> 
> diff --git etc/rc etc/rc
> index 48e5671335f..47dc78362c2 100644
> --- etc/rc
> +++ etc/rc
> @@ -47,6 +47,14 @@ update_limit() {
>   done
>  }
>  
> +# Apply soii.key settings.
> +soii_key() {
> + stripcom /etc/soii.key |
> + while read _line; do
> + sysctl -q "net.inet6.ip6.soiikey=$_line"
> + done
> +}
> +
>  # Apply sysctl.conf(5) settings.
>  sysctl_conf() {
>   stripcom /etc/sysctl.conf |
> @@ -60,6 +68,7 @@ sysctl_conf() {
>   update_limit -n openfiles;;
>   esac
>   done
> + soii_key
>  }
>  
>  # Apply mixerctl.conf(5) settings.
> @@ -154,6 +163,11 @@ make_keys() {
>   fi
>  
>   ssh-keygen -A
> +
> + if [[ ! -f /etc/soii.key ]]; then
> + openssl rand -hex 16 > /etc/soii.key && \
> + chmod 600 /etc/soii.key && soii_key
> + fi
>  }
>  
>  # Re-link libraries, placing the objects in a random order.

OK for the rc parts.



RFC 7217: random but stable addresses (take 3)

2017-07-14 Thread Florian Obser
next try
- sha512
- fixed key size
- /etc/soii.key
- man page tweaks from sthen & jmc and rewording by me to get rid of 48 bits
- link local address is updated when soii flag is toggled

If this is the final version I can cut up the diff and send parts if
people prefer. But I also take OKs for the big one :)

diff --git etc/rc etc/rc
index 48e5671335f..47dc78362c2 100644
--- etc/rc
+++ etc/rc
@@ -47,6 +47,14 @@ update_limit() {
done
 }
 
+# Apply soii.key settings.
+soii_key() {
+   stripcom /etc/soii.key |
+   while read _line; do
+   sysctl -q "net.inet6.ip6.soiikey=$_line"
+   done
+}
+
 # Apply sysctl.conf(5) settings.
 sysctl_conf() {
stripcom /etc/sysctl.conf |
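Review bot: the `stripcom ... | while read _line` loop in `soii_key` treats a single opaque value as a multi-line configuration file; if `/etc/soii.key` ever holds more than one line, the sysctl is set once per line and the last line silently wins, with no indication that the earlier ones were discarded. Since the key is one fixed-size hex string, a direct `sysctl -q "net.inet6.ip6.soiikey=$(cat /etc/soii.key)"` guarded by `[[ -r /etc/soii.key ]]` would be simpler and would also avoid an error from `stripcom` on a first boot where the file does not exist yet, depending on whether `make_keys` has already run at that point.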
@@ -60,6 +68,7 @@ sysctl_conf() {
update_limit -n openfiles;;
esac
done
+   soii_key
 }
 
 # Apply mixerctl.conf(5) settings.
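Review bot: calling `soii_key` from the tail of `sysctl_conf` ties loading of the key to sysctl.conf processing rather than to interface configuration, so any path that configures an IPv6 interface without going through this function (Christian Weisgerber's single-user-mode `netstart` case) ends up with a different link-local address. Loading the key from netstart, before any inet6 interface is brought up, keeps the address stable regardless of how the interface was configured.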
@@ -154,6 +163,11 @@ make_keys() {
fi
 
ssh-keygen -A
+
+   if [[ ! -f /etc/soii.key ]]; then
+   openssl rand -hex 16 > /etc/soii.key && \
+   chmod 600 /etc/soii.key && soii_key
+   fi
 }
 
 # Re-link libraries, placing the objects in a random order.
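Review bot: `openssl rand -hex 16 > /etc/soii.key && chmod 600 /etc/soii.key` creates the file under the inherited umask and only tightens permissions afterwards, leaving a short window in which the key is world-readable if the umask is permissive. Creating it with restrictive permissions from the start, e.g. `(umask 077; openssl rand -hex 16 > /etc/soii.key)`, closes that window. The size itself is fine: 16 bytes is the 128-bit secret RFC 7217 asks for, and generating it here next to `ssh-keygen -A` follows the existing precedent for first-boot key material.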
diff --git sbin/ifconfig/brconfig.h sbin/ifconfig/brconfig.h
index ee68feb411b..09c871b352b 100644
--- sbin/ifconfig/brconfig.h
+++ sbin/ifconfig/brconfig.h
@@ -73,7 +73,7 @@ void switch_portno(const char *, const char *);
"\024\1UP\2BROADCAST\3DEBUG\4LOOPBACK\5POINTOPOINT\6NOTRAILERS" \
"\7RUNNING\10NOARP\11PROMISC\12ALLMULTI\13OACTIVE\14SIMPLEX"\
"\15LINK0\16LINK1\17LINK2\20MULTICAST"  \
-   "\23INET6_NOPRIVACY\24MPLS\25WOL\26AUTOCONF6"
+   "\23INET6_NOPRIVACY\24MPLS\25WOL\26AUTOCONF6\27INET6_NOSOII"
 
 void printb(char *, unsigned int, unsigned char *);
 
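Review bot: the new `\27INET6_NOSOII` entry fixes the flag at position 23 in printb's 1-based bit numbering, immediately after `\26AUTOCONF6`. The `IFXF_INET6_NOSOII` definition that this string decodes lives in the if.h part of the diff, which is not in this excerpt, so it is worth double-checking that the two agree; a mismatch only shows up as a wrong or missing flag name in `ifconfig` output, which is easy to overlook.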
diff --git sbin/ifconfig/ifconfig.8 sbin/ifconfig/ifconfig.8
index cac8eafc2cb..3f0dd8f373b 100644
--- sbin/ifconfig/ifconfig.8
+++ sbin/ifconfig/ifconfig.8
@@ -1070,6 +1070,7 @@ protocol when supported by the access point.
 .Op Oo Fl Oc Ns Cm autoconfprivacy
 .Op Cm eui64
 .Op Cm pltime Ar n
+.Op Oo Fl Oc Ns Cm soii
 .Op Oo Fl Oc Ns Cm tentative
 .Op Cm vltime Ar n
 .Ek
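Review bot: the synopsis entry `.Op Oo Fl Oc Ns Cm soii` follows the existing `autoconfprivacy` pattern, so both `soii` and `-soii` are documented in the inet6 option block; no issue here beyond keeping the alphabetical placement between `pltime` and `tentative`, which the hunk already does.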
@@ -1127,6 +1128,22 @@ Fill the interface index
 automatically.
 .It Cm pltime Ar n
 Set preferred lifetime for the address.
+.It Cm soii
+Enable persistent Semantically Opaque Interface Identifiers (SOIIs),
+as per RFC 7217, for link local and SLAAC addresses on the interface.
+The purpose of these identifiers is to make discovery of hosts by
+scanning a whole prefix more difficult.
+SOIIs use the whole 64 bits of the host part while SLAAC addresses are
+formed from MAC addresses which can lower the entropy to 24 bits if
+the host is running in a virtualization environment or the hardware
+manufacturer is known.
+See RFC 8064 for details.
+SOIIs are enabled by default.
+.It Cm -soii
+Disable IPv6 persistent Semantically Opaque Interface Identifiers on the
+interface.
+Currently configured addresses will not be removed until they become
+invalid.
 .It Cm tentative
 Set the IPv6 tentative address bit.
 .It Cm -tentative
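Review bot: the `-soii` text ("Currently configured addresses will not be removed until they become invalid") does not match the cover note's "link local address is updated when soii flag is toggled" for the link-local case, since a link-local address has no lifetime to expire; the page should say explicitly that the link-local address is regenerated immediately while SLAAC addresses age out. Two wording points: "link local" should be hyphenated as "link-local", and "which can lower the entropy to 24 bits" reads better as "which can reduce the entropy to 24 bits". It would also help the reader to name the key source here (`/etc/soii.key` via the `net.inet6.ip6.soiikey` sysctl), since "persistent" depends on that key being preserved.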
diff --git sbin/ifconfig/ifconfig.c sbin/ifconfig/ifconfig.c
index d99bcb34871..bd7ce506398 100644
--- sbin/ifconfig/ifconfig.c
+++ sbin/ifconfig/ifconfig.c
@@ -388,6 +388,8 @@ const structcmd {
{ "eui64",  0,  0,  setia6eui64 },
{ "autoconfprivacy",-IFXF_INET6_NOPRIVACY,  0,  setifxflags },
{ "-autoconfprivacy",   IFXF_INET6_NOPRIVACY,   0,  setifxflags },
+   { "soii",   -IFXF_INET6_NOSOII, 0,  setifxflags },
+   { "-soii",  IFXF_INET6_NOSOII,  0,  setifxflags },
 #ifndef SMALL
{ "hwfeatures", NEXTARG0,   0,  printifhwfeatures },
{ "metric", NEXTARG,0,  setifmetric },
diff --git sbin/slaacd/engine.c sbin/slaacd/engine.c
index 394df48eeb6..5fecf6e8779 100644
--- sbin/slaacd/engine.c
+++ sbin/slaacd/engine.c
@@ -64,6 +64,8 @@
 #include 
 #include 
 
+#include 
+
 #include 
 #include 
 #include 
@@ -180,6 +182,7 @@ struct address_proposal {
uint8_t  prefix_len;
uint32_t vltime;
uint32_t pltime;
+   uint8_t  soiikey[SLAACD_SOIIKEY_LEN];
 };
 
 struct dfr_proposal {
@@ -205,8 +208,10 @@ struct slaacd_iface {
uint32_t if_index;
int  running;
int  autoconfprivacy;
+   int  soii;
struct ether_addrhw_address;
struct sockaddr_in6  ll_address;
+   uint8_t  soiikey[SLAACD_SOIIKEY_LEN];
LIST_HEAD(, radv)radvs;
LIST_HEAD(, address_proposal)addr_proposals;
LIST_HEAD(, dfr_proposal)dfr_proposals;
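Review bot: `soiikey` is now stored both in `struct slaacd_iface` and in every `struct address_proposal`, so the 128-bit secret that rc generates with mode 600 is duplicated once per proposed address in process memory. If the per-proposal copy exists so that a key change can be detected and the address regenerated (the cover note's toggle behaviour), a one-line comment at the field saying so would help; otherwise comparing against the interface's key at regeneration time avoids the duplication.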
@@ -615,12 +620,15 @@
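The derivation the slaacd part of this diff is built on, as an added worked example that is neither slaacd's code nor part of Florian's diff: a generic RFC 7217 construction (SHA-512 over prefix, interface name, optional network ID, DAD counter and the 16-byte secret, truncated to 64 bits, matching the "sha512" and "fixed key size" items in the cover note) next to the legacy modified-EUI-64 derivation, so the ifconfig.8 point about 64 versus 24 bits of host-part entropy can be seen on concrete addresses. The function names, the byte layout of the hash input, the `em0` interface name, the sample key and the sample MAC are all this example's assumptions; slaacd's actual input encoding is not visible in the diff.

```python
# Added example, not slaacd's code: a generic RFC 7217 stable-IID derivation
# beside the legacy EUI-64 derivation, to show what the "soii" flag changes.
import hashlib
import ipaddress
import struct

SOIIKEY_LEN = 16  # bytes; the 128-bit key "openssl rand -hex 16" writes in the rc diff


def rfc7217_iid(prefix, net_iface, network_id, dad_counter, secret_key):
    """RFC 7217 F(): SHA-512 over Prefix | Net_Iface | Network_ID | DAD_Counter |
    secret_key, truncated to the 64-bit interface identifier.  The field
    encoding (raw bytes, big-endian 32-bit counter) is this example's assumption."""
    if len(secret_key) != SOIIKEY_LEN:
        raise ValueError("secret key must be exactly %d bytes" % SOIIKEY_LEN)
    if len(prefix) != 8:
        raise ValueError("prefix must be the 8 bytes of a /64")
    h = hashlib.sha512()
    h.update(prefix)
    h.update(net_iface)
    h.update(network_id)
    h.update(struct.pack(">I", dad_counter))
    h.update(secret_key)
    return h.digest()[:8]


def soii_address(prefix, net_iface, secret_key, dad_counter=0, network_id=b""):
    """Full address for a /64 prefix; stable across reboots for the same key,
    different for every prefix, and bumped by dad_counter on a DAD collision."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC and link-local prefixes are /64")
    pfx = net.network_address.packed[:8]
    iid = rfc7217_iid(pfx, net_iface.encode(), network_id, dad_counter, secret_key)
    return ipaddress.IPv6Address(pfx + iid)


def eui64_address(prefix, mac):
    """Legacy modified-EUI-64 IID: the MAC split around ff:fe, U/L bit flipped.
    The top 24 bits of the IID are the vendor OUI, which is what shrinks the
    effective entropy to 24 bits once the manufacturer is known."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    octets = bytes.fromhex(mac.replace(":", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def oui_from_eui64(addr):
    """Return the OUI an EUI-64 address carries in the clear, or None when the
    ff:fe marker is absent (a SOII or privacy address reveals no vendor)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    return "%02x:%02x:%02x" % (iid[0] ^ 0x02, iid[1], iid[2])


if __name__ == "__main__":
    # Constructed sample values; a real key comes from /etc/soii.key.
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    mac = "00:11:22:33:44:55"
    for pfx in ("fe80::/64", "2001:db8:1:2::/64"):
        e = eui64_address(pfx, mac)
        s = soii_address(pfx, "em0", key)
        print("%-18s eui64=%s (oui %s)  soii=%s" % (pfx, e, oui_from_eui64(e), s))
```

Running it prints an EUI-64 and a SOII address for the link-local prefix and a documentation prefix. The SOII address stays the same across reboots as long as the key in `/etc/soii.key` (loaded into `net.inet6.ip6.soiikey`) is preserved, and differs per prefix, so one host cannot be correlated across networks by its interface identifier; `oui_from_eui64` shows the vendor prefix the EUI-64 form exposes, and the DAD counter argument is the RFC's escape hatch when a derived address collides with an existing one.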