Re: NOINET6 by default

2014-06-23 Thread Jérémie Courrèges-Anglas
Henning Brauer lists-openbsdt...@bsws.de writes:

> since no consensus could be found yet for a new command line option to
> ifconfig, heck, not even about whether it is needed, I propose this for
> now.

I didn't reply to your proposal but since you've just committed the
ifconfig part, I think I should chime in.  Our IPv6 support is far from
perfect, from a usability point of view.  For example people can't use
RA on an uplink interface while having forwarding turned on.  I've
looked at the changes that would be needed, they are neither small nor
huge, they just need a bit of thinking.  Properly enabling or disabling
IPv6 / link-local addressing on an interface would be part of those
changes.

FreeBSD has already made similar changes, and I think there are
interesting bits that we should copy.  More information here:

  
  http://www.freebsd.org/cgi/man.cgi?query=ifconfig&apropos=0&sektion=0&manpath=FreeBSD+10.0-RELEASE&arch=default&format=html
  (Search for "ICMPv6 Neighbor Discovery Protocol")
  https://www.freebsd.org/releases/9.0R/relnotes-detailed.html#AEN1395

I'm volunteering for this job.  I know that other people have already
expressed interest in such a task.  Can we please postpone

  ifp->if_xflags |= IFXF_NOINET6;

until the situation is more clear?  I think 5.6 is a safe bet.

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE



Re: NOINET6 by default

2014-06-23 Thread Jérémie Courrèges-Anglas
j...@wxcvbn.org (Jérémie Courrèges-Anglas) writes:

> Henning Brauer lists-openbsdt...@bsws.de writes:
>
>> since no consensus could be found yet for a new command line option to
>> ifconfig, heck, not even about whether it is needed, I propose this for
>> now.
>
> I didn't reply to your proposal but since you've just committed the
> ifconfig part

and the kernel part. nevermind.

[...]

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE



Re: NOINET6 by default

2014-06-23 Thread Theo de Raadt
> I'm volunteering for this job.  I know that other people have already
> expressed interest in such a task.  Can we please postpone
>
>   ifp->if_xflags |= IFXF_NOINET6;
>
> until the situation is more clear?  I think 5.6 is a safe bet.

No.  Apparently you are the only one who keeps postponing action, month
after month, so NO.



Re: NOINET6 by default

2014-06-10 Thread Todd T. Fries
Penned by Henning Brauer on 20140608 10:14.46, we have:
| since no consensus could be found yet for a new command line option to
| ifconfig, heck, not even about whether it is needed, I propose this for
| now.
| 
| 1) make ifconfig if inet6 eui64 reset the NOINET6 flag
| unconditionally, so a link-local will be assigned if there isn't one
| yet. 
| 
| Index: sbin/ifconfig/ifconfig.c
| ===
| RCS file: /cvs/src/sbin/ifconfig/ifconfig.c,v
| retrieving revision 1.283
| diff -u -p -r1.283 ifconfig.c
| --- sbin/ifconfig/ifconfig.c  12 May 2014 08:47:37 -  1.283
| +++ sbin/ifconfig/ifconfig.c  19 May 2014 00:27:07 -
| @@ -411,7 +411,7 @@ const struct  cmd {
|   { flowdst,NEXTARG,0,  setpflow_receiver },
|   { -flowdst, 1,0,  unsetpflow_receiver },
|   { pflowproto, NEXTARG,0,  setpflowproto },
| - { -inet6, IFXF_NOINET6,   0,  setifxflags } ,
| + { -inet6, IFXF_NOINET6,   0,  setifxflags },
|   { keepalive,  NEXTARG2,   0,  NULL, setkeepalive },
|   { -keepalive, 1,  0,  unsetkeepalive },
|   { add,NEXTARG,0,  bridge_add },
| @@ -1312,6 +1312,7 @@ setia6eui64(const char *cmd, int val)
|  
|   if (afp-af_af != AF_INET6)
|   errx(1, %s not allowed for the AF, cmd);
| + setifxflags(inet6, -IFXF_NOINET6);
|   in6 = (struct in6_addr *)in6_addreq.ifra_addr.sin6_addr;
|   if (memcmp(in6addr_any.s6_addr[8], in6-s6_addr[8], 8) != 0)
|   errx(1, interface index is already filled);
| 
| 2) turn the NOINET6 flag on by default.
| As said previously, it will be reset and thus a link-local assigned
| transparently if either
| -rtsol(d) is run
| -an inet6 address is assigned
| -ifconfig if inet6 eui64 is run
| and thus should be entirely transparent for the vast majority of inet6
| users.
| 
| Index: sys/net/if.c
| ===
| RCS file: /cvs/src/sys/net/if.c,v
| retrieving revision 1.289
| diff -u -p -r1.289 if.c
| --- sys/net/if.c  16 May 2014 08:21:54 -  1.289
| +++ sys/net/if.c  16 May 2014 14:15:24 -
| @@ -423,6 +423,9 @@ if_attach(struct ifnet *ifp)
|  #else
|   TAILQ_INSERT_TAIL(ifnet, ifp, if_list);
|  #endif
| +#ifdef INET6
| + ifp-if_xflags |= IFXF_NOINET6;
| +#endif
|  
|   m_clinitifp(ifp);
|  
| whether we need a less obscure ifconfig command than eui64 can be
| discussed after.
| 
| oks?

ok todd@
-- 
Todd T. Fries . http://todd.fries.net/pgp.txt . @unix2mars . github:toddfries



Re: NOINET6 by default

2014-06-08 Thread Henning Brauer
since no consensus could be found yet for a new command line option to
ifconfig, heck, not even about whether it is needed, I propose this for
now.

1) make ifconfig if inet6 eui64 reset the NOINET6 flag
unconditionally, so a link-local will be assigned if there isn't one
yet. 

Index: sbin/ifconfig/ifconfig.c
===
RCS file: /cvs/src/sbin/ifconfig/ifconfig.c,v
retrieving revision 1.283
diff -u -p -r1.283 ifconfig.c
--- sbin/ifconfig/ifconfig.c12 May 2014 08:47:37 -  1.283
+++ sbin/ifconfig/ifconfig.c19 May 2014 00:27:07 -
@@ -411,7 +411,7 @@ const structcmd {
{ flowdst,NEXTARG,0,  setpflow_receiver },
{ -flowdst, 1,0,  unsetpflow_receiver },
{ pflowproto, NEXTARG,0,  setpflowproto },
-   { -inet6, IFXF_NOINET6,   0,  setifxflags } ,
+   { -inet6, IFXF_NOINET6,   0,  setifxflags },
{ keepalive,  NEXTARG2,   0,  NULL, setkeepalive },
{ -keepalive, 1,  0,  unsetkeepalive },
{ add,NEXTARG,0,  bridge_add },
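Review bot: this hunk is whitespace-only (the `-inet6` table entry goes from `} ,` to `},`), which is harmless but unrelated to the NOINET6 change; either drop it from this diff or mention the cosmetic fix in the commit message so that nobody reading the history looks for a functional change in the command table.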
@@ -1312,6 +1312,7 @@ setia6eui64(const char *cmd, int val)
 
if (afp-af_af != AF_INET6)
errx(1, %s not allowed for the AF, cmd);
+   setifxflags(inet6, -IFXF_NOINET6);
in6 = (struct in6_addr *)in6_addreq.ifra_addr.sin6_addr;
if (memcmp(in6addr_any.s6_addr[8], in6-s6_addr[8], 8) != 0)
errx(1, interface index is already filled);
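Review bot: the new `setifxflags(inet6, -IFXF_NOINET6);` call makes `inet6 eui64` the way to re-enable inet6 on a `-inet6` interface, but this revision carries no ifconfig.8 hunk; the `-inet6` entry still tells the reader to turn it on again by assigning an inet6 address or running rtsol(8), so `inet6 eui64` should be added there. A one-line comment above the call saying that clearing the flag is what makes the kernel assign the link-local address the following lookup expects would also help, because that side effect is otherwise invisible at this point in the function.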

2) turn the NOINET6 flag on by default.
As said previously, it will be reset and thus a link-local assigned
transparently if either
-rtsol(d) is run
-an inet6 address is assigned
-ifconfig if inet6 eui64 is run
and thus should be entirely transparent for the vast majority of inet6
users.

Index: sys/net/if.c
===
RCS file: /cvs/src/sys/net/if.c,v
retrieving revision 1.289
diff -u -p -r1.289 if.c
--- sys/net/if.c16 May 2014 08:21:54 -  1.289
+++ sys/net/if.c16 May 2014 14:15:24 -
@@ -423,6 +423,9 @@ if_attach(struct ifnet *ifp)
 #else
TAILQ_INSERT_TAIL(ifnet, ifp, if_list);
 #endif
+#ifdef INET6
+   ifp-if_xflags |= IFXF_NOINET6;
+#endif
 
m_clinitifp(ifp);
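Review bot: setting IFXF_NOINET6 unconditionally in if_attach() also covers lo0, which the description says keeps ::1 and fe80::1%lo0; that only works because assigning an inet6 address clears the flag again, so a short comment at `ifp->if_xflags |= IFXF_NOINET6;` stating that rtsol, an explicit inet6 address or `inet6 eui64` is what clears it would stop the next reader from hunting for a lo0 special case. The `#ifdef INET6` guard is appropriate, since the flag has no meaning in a kernel built without inet6.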
 
whether we need a less obscure ifconfig command than eui64 can be
discussed after.

oks?

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
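The exposure this proposal removes is an IPv6 link-local address on interfaces where nobody ever configured inet6. As an added defender's check that is not from the thread or the OpenBSD tree, the shell function below audits `ifconfig -a` style output and lists the interfaces whose only inet6 addresses are link-local; the sample output is constructed, and the line layout (`inet6 fe80::...%if prefixlen 64 scopeid 0x..`) assumes OpenBSD's ifconfig(8) format.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenBSD tree: list interfaces
# whose only inet6 addresses are link-local (fe80::/10), i.e. interfaces
# that answer on IPv6 on the wire although no inet6 address was ever
# configured on them. lo0 is skipped because it keeps fe80::1%lo0 by
# design, as the proposal above states.

# Constructed sample in OpenBSD ifconfig(8) layout (assumed format).
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:11:22:33:44:55
        inet6 fe80::211:22ff:fe33:4455%em0 prefixlen 64 scopeid 0x1
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:11:22:33:44:66
        inet6 fe80::211:22ff:fe33:4466%em1 prefixlen 64 scopeid 0x2
        inet6 2001:db8::10 prefixlen 64
vether0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr fe:e1:ba:d0:00:01
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255'

# Read ifconfig -a output on stdin; print one name per line for every
# interface that has a link-local inet6 address and no other inet6 address.
linklocal_only_ifaces() {
    awk '
        function flush() {
            if (cur != "" && cur != "lo0" && ll && !other) print cur
        }
        /^[a-z]+[0-9]+:/ {                 # a new interface block starts
            flush()
            cur = $1; sub(/:$/, "", cur); ll = 0; other = 0
        }
        $1 == "inet6" {
            # fe80::/10 spans fe80: through febf:
            if ($2 ~ /^fe[89ab][0-9a-f]:/) ll = 1; else other = 1
        }
        END { flush() }
    '
}

# Number of such interfaces, convenient for a monitoring check.
count_linklocal_only() {
    linklocal_only_ifaces | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_IFCONFIG" | linklocal_only_ifaces
```

On a live system, feed `ifconfig -a | linklocal_only_ifaces` instead of the sample; any interface it prints is one that should either get `-inet6` or an intentional inet6 configuration.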



Re: NOINET6 by default

2014-06-08 Thread Kenneth Westerback
On 8 June 2014 11:14, Henning Brauer lists-openbsdt...@bsws.de wrote:
 since no consensus could be found yet for a new command line option to
 ifconfig, heck, not even about whether it is needed, I propose this for
 now.

 1) make ifconfig if inet6 eui64 reset the NOINET6 flag
 unconditionally, so a link-local will be assigned if there isn't one
 yet.

 Index: sbin/ifconfig/ifconfig.c
 ===
 RCS file: /cvs/src/sbin/ifconfig/ifconfig.c,v
 retrieving revision 1.283
 diff -u -p -r1.283 ifconfig.c
 --- sbin/ifconfig/ifconfig.c12 May 2014 08:47:37 -  1.283
 +++ sbin/ifconfig/ifconfig.c19 May 2014 00:27:07 -
 @@ -411,7 +411,7 @@ const structcmd {
 { flowdst,NEXTARG,0,  setpflow_receiver },
 { -flowdst, 1,0,  unsetpflow_receiver },
 { pflowproto, NEXTARG,0,  setpflowproto },
 -   { -inet6, IFXF_NOINET6,   0,  setifxflags } ,
 +   { -inet6, IFXF_NOINET6,   0,  setifxflags },
 { keepalive,  NEXTARG2,   0,  NULL, setkeepalive },
 { -keepalive, 1,  0,  unsetkeepalive },
 { add,NEXTARG,0,  bridge_add },
 @@ -1312,6 +1312,7 @@ setia6eui64(const char *cmd, int val)

 if (afp-af_af != AF_INET6)
 errx(1, %s not allowed for the AF, cmd);
 +   setifxflags(inet6, -IFXF_NOINET6);
 in6 = (struct in6_addr *)in6_addreq.ifra_addr.sin6_addr;
 if (memcmp(in6addr_any.s6_addr[8], in6-s6_addr[8], 8) != 0)
 errx(1, interface index is already filled);

 2) turn the NOINET6 flag on by default.
 As said previously, it will be reset and thus a link-local assigned
 transparently if either
 -rtsol(d) is run
 -an inet6 address is assigned
 -ifconfig if inet6 eui64 is run
 and thus should be entirely transparent for the vast majority of inet6
 users.

 Index: sys/net/if.c
 ===
 RCS file: /cvs/src/sys/net/if.c,v
 retrieving revision 1.289
 diff -u -p -r1.289 if.c
 --- sys/net/if.c16 May 2014 08:21:54 -  1.289
 +++ sys/net/if.c16 May 2014 14:15:24 -
 @@ -423,6 +423,9 @@ if_attach(struct ifnet *ifp)
  #else
 TAILQ_INSERT_TAIL(ifnet, ifp, if_list);
  #endif
 +#ifdef INET6
 +   ifp-if_xflags |= IFXF_NOINET6;
 +#endif

 m_clinitifp(ifp);

 whether we need a less obscure ifconfig command than eui64 can be
 discussed after.

 oks?

 --
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services GmbH, http://bsws.de, Full-Service ISP
 Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully 
 Managed
 Henning Brauer Consulting, http://henningbrauer.com/


Works for me. ok krw@ for what it's worth.

 Ken



Re: NOINET6 by default

2014-05-22 Thread Theo de Raadt
>> * Mark Kettenis mark.kette...@xs4all.nl [2014-05-15 00:15]:
>>> I don't think this is a good idea; didn't we establish the other day
>>> that ifconfig if eui64 already did what your +inet6 does?
>>
>> almost, it's ifconfig if inet6 eui64 - but that isn't all THAT
>> intuitive. I like +inet6 as the opposite of -inet6.
>>

I am rather late to the conversation.

> We don't have + something. It is foo or -foo but not +foo. I know
> that inet6 is already used for the regular addresses, but +inet6
> sounds like an inconsistent workaround for a workaround. I don't like
> it.

I agree.

> To enable IPv6 link-local I would rather prefer two options to put
> either inet6 eui64 (or an alias like inet6 link-local) or an
> actual inet6 address in your hostname.if. The latter should
> automatically remove the flag and enable the link-local address - does
> it work this way?

I also agree.  I do not like the word 'link-local', because it implies L2.
What we are removing here is wire-local access via L3.  I'd prefer to avoid
the word local if we can...

There is also a third path.  That is to change the behaviour of
'ifconfig if proto', or more specifically of 'ifconfig if inet6'.
But this will assuredly break someone's scripts...



Re: NOINET6 by default

2014-05-16 Thread Claudio Jeker
On Fri, May 16, 2014 at 12:43:52AM -0500, Todd T. Fries wrote:
 Penned by Henning Brauer on 20140516  0:26.37, we have:
 | * Claudio Jeker cje...@diehard.n-r-g.com [2014-05-15 09:33]:
 |  On Wed, May 14, 2014 at 11:29:20PM +0200, Henning Brauer wrote:
 |   so as discussed recently having the inet6 link-local addrs on every
 |   interface by default is stupid and a security risk.
 |   
 |   this diff fixes that. well, really two independent parts.
 |   one: set the NOINET6 flag by default on each and every interface.
 |   two: implement ifconfig if +inet6 to turn inet6 on and assign
 |   the link-local addr.
 |   
 |   this should be transparent for almost all real use cases of inet6
 |   since assigning any inet6 address also resets the flag (and ll is
 |   assigned then as well).
|   lo0 still gets its ::1 and fe80::1%lo0 by default.
 |   
 |   the only use case that needs config adoption: people ONLY using
 |   link-local, they will need to put +inet6 in the corresponding
 |   hostname.if file.
 |   
 |   ok?
 |  
 |  To be honest the right fix would be to get rid of IFXF_NOINET6 and
 |  just make it the default. There is no need for such a flag anymore.
 | 
 | very valid point, I'll happily clean that up right after - one thing
 | at a time.
 
 When I travel between networks.. at home with rtsol capable networks ..
 and at e.g. a library that does not have native IPv6 .. I find it invaluable
 to 'zzz' then upon resume 'ifconfig wpi0 -inet6' for the library and then
 'rtsol wpi0' at home.
 
 Just because the new default will be the equivalent of 'ifconfig wpi0 -inet6'
 until configured doesn't mean there isn't a use for clearing it later on as 
 well.
 
 I wish there were an equivalent for IPv4, but at least dhclient clears the old
 address on 'ifconfig wpi0 down' ...
 

I did not talk about -inet6 but about the kernel IFXF_NOINET6 flag.
It is not needed to use a flag on the interface for this. Instead we
handle it all when creating / removing IPv6 addresses on the interface.

In the long run I would like to have a -inet as well so that you can
remove all IPv4 addresses of an interface in a easy way.

-- 
:wq Claudio



Re: NOINET6 by default

2014-05-16 Thread Henning Brauer
* Claudio Jeker cje...@diehard.n-r-g.com [2014-05-16 08:06]:
 On Fri, May 16, 2014 at 12:43:52AM -0500, Todd T. Fries wrote:
  When I travel between networks.. at home with rtsol capable networks ..
  and at e.g. a library that does not have native IPv6 .. I find it invaluable
  to 'zzz' then upon resume 'ifconfig wpi0 -inet6' for the library and then
  'rtsol wpi0' at home.

-inet6 stays no matter what, whether that does setifxflags IFXF_NOINET6
in the back or just removes all inet6 addrs is transparent to the
user.

how to add linklocal back without the flag is another question, need
to come up with something in that case (that is definitely not a hard
problem tho), since eui64 effectively does nothing but whine if it
cannot find a link-local...

 I did not talk about -inet6 but about the kernel IFXF_NOINET6 flag.
 It is not needed to use a flag on the interface for this. Instead we
 handle it all when creating / removing IPv6 addresses on the interface.

yup.

 In the long run I would like to have a -inet as well so that you can
 remove all IPv4 addresses of an interface in a easy way.

yeah, that makes sense. probably comes for free when implementing
-inet6 without IFXF_NOINET6.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: NOINET6 by default

2014-05-15 Thread Claudio Jeker
On Wed, May 14, 2014 at 11:29:20PM +0200, Henning Brauer wrote:
 so as discussed recently having the inet6 link-local addrs on every
 interface by default is stupid and a security risk.
 
 this diff fixes that. well, really two independent parts.
 one: set the NOINET6 flag by default on each and every interface.
 two: implement ifconfig if +inet6 to turn inet6 on and assign
 the link-local addr.
 
 this should be transparent for almost all real use cases of inet6
 since assigning any inet6 address also resets the flag (and ll is
 assigned then as well).
 lo0 still gets its ::1 and fe80::1%lo0 by default.
 
 the only use case that needs config adoption: people ONLY using
 link-local, they will need to put +inet6 in the corresponding
 hostname.if file.
 
 ok?

To be honest the right fix would be to get rid of IFXF_NOINET6 and
just make it the default. There is no need for such a flag anymore.
 
 Index: sys/net/if.c
 ===
 RCS file: /cvs/src/sys/net/if.c,v
 retrieving revision 1.288
 diff -u -p -r1.288 if.c
 --- sys/net/if.c  13 May 2014 14:33:25 -  1.288
 +++ sys/net/if.c  14 May 2014 21:03:45 -
 @@ -429,6 +429,9 @@ if_attach(struct ifnet *ifp)
  #else
   TAILQ_INSERT_TAIL(ifnet, ifp, if_list);
  #endif
 +#ifdef INET6
 + ifp-if_xflags |= IFXF_NOINET6;
 +#endif
  
   m_clinitifp(ifp);
  
 Index: sbin/ifconfig/ifconfig.8
 ===
 RCS file: /cvs/src/sbin/ifconfig/ifconfig.8,v
 retrieving revision 1.241
 diff -u -p -r1.241 ifconfig.8
 --- sbin/ifconfig/ifconfig.8  22 Apr 2014 10:11:32 -  1.241
 +++ sbin/ifconfig/ifconfig.8  13 May 2014 14:58:58 -
 @@ -283,8 +283,12 @@ Disable
  on the given interface and remove all configured
  .Xr inet6 4
  addresses, including the link-local ones.
 -To turn it on again, assign any inet6 address or run
 +To turn it on again, use +inet6, assign any inet6 address or run
  .Xr rtsol 8 .
 +.It +inet6
 +Enable
 +.Xr inet6 4
 +and assign a link local address if the interface doesn't have one yet.
  .It Cm instance Ar minst
  Set the media instance to
  .Ar minst .
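Review bot: the new entry should read `.It Cm +inet6` rather than `.It +inet6`, matching the `.It Cm instance` entry directly below and the rest of the command list, and "link local address" should be hyphenated as "link-local" like "including the link-local ones" a few lines up. In "To turn it on again, use +inet6, assign any inet6 address or run", the command wants `.Cm` markup as well (e.g. a line `.Cm +inet6 ,`) instead of plain text.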
 Index: sbin/ifconfig/ifconfig.c
 ===
 RCS file: /cvs/src/sbin/ifconfig/ifconfig.c,v
 retrieving revision 1.283
 diff -u -p -r1.283 ifconfig.c
 --- sbin/ifconfig/ifconfig.c  12 May 2014 08:47:37 -  1.283
 +++ sbin/ifconfig/ifconfig.c  13 May 2014 14:56:25 -
 @@ -412,6 +412,7 @@ const struct  cmd {
   { -flowdst, 1,0,  unsetpflow_receiver },
   { pflowproto, NEXTARG,0,  setpflowproto },
   { -inet6, IFXF_NOINET6,   0,  setifxflags } ,
 + { +inet6, 0,  0,  setia6eui64 },
   { keepalive,  NEXTARG2,   0,  NULL, setkeepalive },
   { -keepalive, 1,  0,  unsetkeepalive },
   { add,NEXTARG,0,  bridge_add },
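Review bot: routing `+inet6` to setia6eui64 with a zero `val` means the handler has to recognise the command by comparing the string (see the next hunk), unlike every other entry in this table where the `val` column carries the meaning; a small dedicated handler that clears IFXF_NOINET6 and then performs the eui64 assignment, or a distinct `val`, would keep the table self-describing.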
 @@ -1310,7 +1311,9 @@ setia6eui64(const char *cmd, int val)
   const struct in6_addr *lladdr = NULL;
   struct in6_addr *in6;
  
 - if (afp-af_af != AF_INET6)
 + if (!strcmp(cmd, +inet6))
 + setifxflags(inet6, -IFXF_NOINET6);
 + else if (afp-af_af != AF_INET6)
   errx(1, %s not allowed for the AF, cmd);
   in6 = (struct in6_addr *)in6_addreq.ifra_addr.sin6_addr;
   if (memcmp(in6addr_any.s6_addr[8], in6-s6_addr[8], 8) != 0)
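Review bot: the `+inet6` branch bypasses the `afp->af_af != AF_INET6` check entirely, so `ifconfig if +inet6` continues with whatever address family is currently selected while the rest of the function works on `in6_addreq`; clearing the flag and enforcing the AF are independent, so clear the flag for `+inet6` and still make sure the inet6 AF is selected (or select it explicitly) before the in6_addreq handling and the later address ioctl. Tying behaviour to `strcmp(cmd, "+inet6")` also makes this the only command whose semantics depend on its spelling rather than its table entry.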
 
 
 
 -- 
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services GmbH, http://bsws.de, Full-Service ISP
 Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully 
 Managed
 Henning Brauer Consulting, http://henningbrauer.com/
 

-- 
:wq Claudio



Re: NOINET6 by default

2014-05-15 Thread Claudio Jeker
On Thu, May 15, 2014 at 05:48:16AM +0200, Henning Brauer wrote:
 * Reyk Flöter reyk.floe...@googlemail.com [2014-05-15 01:04]:
   On 15.05.2014, at 00:46, Henning Brauer lists-openbsdt...@bsws.de wrote:
   * Mark Kettenis mark.kette...@xs4all.nl [2014-05-15 00:15]:
   I don't think this is a good idea; didn't we establish the other day
   that ifconfig if eui64 already did what your +inet6 does?
   almost, it's ifconfig if inet6 eui64 - but that isn't all THAT
   intuitive. I like +inet6 as the opposite of -inet6.
  We don't have + something. It is foo or -foo but not +foo. I know that 
  inet6 is already used for the regular addresses, but +inet6 sounds like an 
  inconsistent workaround for a workaround. I don't like it.
 
 just inet6 doesn't work, since that is already used to show all inet6
 addrs. 
 i find +inet6 very intuitive...

This should just die. Did you ever do ifconfig em0 inet or ifconfig em0 inet6?
I never did and I have a few interfaces with a lot of IPs on them.
It is a useless gimmick of ifconfig.
 
  To enable IPv6 link-local I would rather prefer two options to put
  either inet6 eui64 (or an alias like inet6 link-local) or an actual
  inet6 address in your hostname.if. The latter should automatically
  remove the flag and enable the link-local address - does it work this
  way? 
 
 as said many times, yes it does.
 

-- 
:wq Claudio



Re: NOINET6 by default

2014-05-15 Thread Stuart Henderson
On 2014/05/15 09:41, Claudio Jeker wrote:
 On Thu, May 15, 2014 at 05:48:16AM +0200, Henning Brauer wrote:
  * Reyk Flöter reyk.floe...@googlemail.com [2014-05-15 01:04]:
On 15.05.2014, at 00:46, Henning Brauer lists-openbsdt...@bsws.de 
wrote:
* Mark Kettenis mark.kette...@xs4all.nl [2014-05-15 00:15]:
I don't think this is a good idea; didn't we establish the other day
that ifconfig if eui64 already did what your +inet6 does?
almost, it's ifconfig if inet6 eui64 - but that isn't all THAT
intuitive. I like +inet6 as the opposite of -inet6.
   We don't have + something. It is foo or -foo but not +foo. I know that 
   inet6 is already used for the regular addresses, but +inet6 sounds like 
   an inconsistent workaround for a workaround. I don't like it.
  
  just inet6 doesn't work, since that is already used to show all inet6
  addrs. 
  i find +inet6 very intuitive...
 
 This should just die. Did you ever do ifconfig em0 inet or ifconfig em0 inet6?
 I never did and I have a few interfaces with a lot of IPs on them.
 It is a useless gimmick of ifconfig.

The only place I'm aware of it being used is ifconfig lo0 inet6
in netstart to check whether the kernel is built with v6 support.




Re: NOINET6 by default

2014-05-15 Thread Claudio Jeker
On Thu, May 15, 2014 at 06:58:53AM +0200, Jérémie Courrèges-Anglas wrote:
 Paul de Weerd we...@weirdnet.nl writes:
 
 [...]
 
  This makes a whole lot of sense to me.  Please make OpenBSD the first
  OS to do (this part of) v6 in a sensible way.
 
 Actually that makes me laugh.  Sensible, weeeh.  Let's protect our users
 from the dangers of IPv6 link-local addresses!  Wait, what users are we
 talking about?  We have no users, right, we have developers that break
 stuff, and other developers that clean up the feces.  Between +inet6 and
 eui64 all we have are non-idiomatic or broken alternatives.
 
 Link-local addresses have been exposed since almost 15 years now, it's
 a good time to decide that they are persona non grata in OpenBSD land.
 After all, the v6 stack has had all the testing it could get, now that
 we know that it works well, we don't need testing anymore.
 
 What could be sensible, though, is accepting the fact that IPv6 exists,
 and the fact that link-local addresses are part of it, whether you have
 global connectivity or not.  Now call me a v6 zealot, I probably live
 and work in an imaginary world.

That reasoning would also lead to the conclusion that we should remove
'up' and 'down' from ifconfig. Since you have a network card installed and
it is part of the system and should therefore be running. There is no need
to install a link-local address on an interface just because it was up-ed.
Would you like that we install link local IPv4 addresses on all
interfaces? It would be possible. It would be ridiculous.

Also not every interface needs a link-local address. It actually causes
strange behaviours when bridge(4)-ing stuff together. This is why -inet6
was created as a hack around the fact that IPv6 is greedy taking over your
network. It is time to replace the hack with a proper solution.

-- 
:wq Claudio



Re: NOINET6 by default

2014-05-15 Thread Creamy
On Thu, May 15, 2014 at 10:24:57AM +0200, Claudio Jeker wrote:
 On Thu, May 15, 2014 at 06:58:53AM +0200, Jérémie Courrèges-Anglas wrote:
  Paul de Weerd we...@weirdnet.nl writes:
  
  [...]
  
   This makes a whole lot of sense to me.  Please make OpenBSD the first
   OS to do (this part of) v6 in a sensible way.
  
  Actually that makes me laugh.  Sensible, weeeh.  Let's protect our users
  from the dangers of IPv6 link-local addresses!  Wait, what users are we
  talking about?  We have no users, right, we have developers that break
  stuff, and other developers that clean up the feces.  Between +inet6 and
  eui64 all we have are non-idiomatic or broken alternatives.
  
  Link-local addresses have been exposed since almost 15 years now, it's
  a good time to decide that they are persona non grata in OpenBSD land.
  After all, the v6 stack has had all the testing it could get, now that
  we know that it works well, we don't need testing anymore.
  
  What could be sensible, though, is accepting the fact that IPv6 exists,
  and the fact that link-local addresses are part of it, whether you have
  global connectivity or not.  Now call me a v6 zealot, I probably live
  and work in an imaginary world.
 
 That reasoning would also lead to the conclusion that we should remove
 'up' and 'down' from ifconfig. Since you have a network card installed and
 it is part of the system and should therefore be running.

And by this argument it should be running IPX/SPX and NBF all the time as
well.  Why not run the line up/line down protocol too for backwards
compatibility.

 There is no need
 to install a link-local address on an interface just because it was up-ed.

But to be clear, it is supposedly required to have a link-local address if
IPv6 is to be used on that interface, unless it is used as a bridge without
its own IP address.

 Would you like that we install link local IPv4 addresses on all
 interfaces? It would be possible. It would be ridiculous.

It would be ridiculous, but somebody would find a use for it.

 Also not every interface needs a link-local address. It actually causes
 strange behaviours when bridge(4)-ing stuff together. This is why -inet6
 was created as a hack around the fact that IPv6 is greedy taking over your
 network.

Damn this IPv6 virus!  Is IPv6 really just an evil plan by the sinister
corporations and governments of the world to DDOS the entire internet, one
OpenBSD box at a time?  Let's face it, EBCDIC didn't cause enough confusion
and headaches so let's try confusing people with IPv6, complete with
IP addresses that look like an MD5 checksum gone wrong, and impossible to
remember.

 It is time to replace the hack with a proper solution.

IPv6 exists.  It's useful.  OpenBSD supports it very well.  Do we need it
enabled by default?  No.

-- 
Creamy! <3



Re: NOINET6 by default

2014-05-15 Thread Henning Brauer
* Todd T. Fries t...@openbsd.org [2014-05-15 06:29]:
 Penned by Henning Brauer on 20140514 22:48.16, we have:
 | * Reyk Flöter reyk.floe...@googlemail.com [2014-05-15 01:04]:
 |   On 15.05.2014, at 00:46, Henning Brauer lists-openbsdt...@bsws.de 
 wrote:
 |   * Mark Kettenis mark.kette...@xs4all.nl [2014-05-15 00:15]:
 |   I don't think this is a good idea; didn't we establish the other day
 |   that ifconfig if eui64 already did what your +inet6 does?
 |   almost, it's ifconfig if inet6 eui64 - but that isn't all THAT
 |   intuitive. I like +inet6 as the opposite of -inet6.
 |  We don't have + something. It is foo or -foo but not +foo. I know that 
 inet6 is already used for the regular addresses, but +inet6 sounds like an 
 inconsistent workaround for a workaround. I don't like it.
 | 
 | just inet6 doesn't work, since that is already used to show all inet6
 | addrs. 
 | i find +inet6 very intuitive...
 | 
 |  To enable IPv6 link-local I would rather prefer two options to put
 |  either inet6 eui64 (or an alias like inet6 link-local) or an actual
 |  inet6 address in your hostname.if. The latter should automatically
 |  remove the flag and enable the link-local address - does it work this
 |  way? 
 | 
 | as said many times, yes it does.
 
 I ack that it is a security risk to auto address interfaces without some admin
 action.
 
 The proposed solution seems sound, 'inet6 eui64' seems sane.  In theory it
 should work, but I must be doing something wrong:
 
  # ifconfig vether0 create
  # ifconfig vether0 -inet6
  # ifconfig vether0 inet6 eui64
  ifconfig: could not determine link local address

eui64 by itself is NOT enough, this is why I have the 2 line change to
the eui64 handler in the diff for the +inet6 case. Making that
unconditional is trivial, I just don't think inet6 eui64 is very
intuitive. see, I even think about the inet6 users.

 Once that works properly, I say we let the diff in and bikeshed if we
 truly need to invent more syntax ('+inet6') that is unlike anything else
 vs let the few of us that want this apparently obscure case add 'inet6
 eui64' and be done with it.
 
 Aka, let's not hold up the rest of the functionality just because we
 can't agree if we need a further diff to make 'inet6 eui64'
 better/faster/easier/another way to skin the cat...

i couldn't agree more

 IMHO, it's time to polish in the tree.  This is, after all, a _security_
 related diff, no?

i'd say so.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: NOINET6 by default

2014-05-15 Thread Henning Brauer
* Claudio Jeker cje...@diehard.n-r-g.com [2014-05-15 09:42]:
 On Thu, May 15, 2014 at 05:48:16AM +0200, Henning Brauer wrote:
  * Reyk Flöter reyk.floe...@googlemail.com [2014-05-15 01:04]:
On 15.05.2014, at 00:46, Henning Brauer lists-openbsdt...@bsws.de 
wrote:
* Mark Kettenis mark.kette...@xs4all.nl [2014-05-15 00:15]:
I don't think this is a good idea; didn't we establish the other day
that ifconfig if eui64 already did what your +inet6 does?
almost, it's ifconfig if inet6 eui64 - but that isn't all THAT
intuitive. I like +inet6 as the opposite of -inet6.
   We don't have + something. It is foo or -foo but not +foo. I know that 
   inet6 is already used for the regular addresses, but +inet6 sounds like 
   an inconsistent workaround for a workaround. I don't like it.
  
  just inet6 doesn't work, since that is already used to show all inet6
  addrs. 
  i find +inet6 very intuitive...
 
 This should just die. Did you ever do ifconfig em0 inet or ifconfig em0 inet6?
 I never did and I have a few interfaces with a lot of IPs on them.
 It is a useless gimmick of ifconfig.

changing semantics of an existing interface like this is of course much
more intrusive than adding a new one.

if the consensus is that the current inet/inet6 to show the addresses
of that af only is bollocks and we'd rather use inet6 to turn it on,
that's simple to do as well. We just need to take a decision here
instead of bikeshedding forever...

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: NOINET6 by default

2014-05-15 Thread Henning Brauer
* Claudio Jeker cje...@diehard.n-r-g.com [2014-05-15 09:33]:
 On Wed, May 14, 2014 at 11:29:20PM +0200, Henning Brauer wrote:
  so as discussed recently having the inet6 link-local addrs on every
  interface by default is stupid and a security risk.
  
  this diff fixes that. well, really two independent parts.
  one: set the NOINET6 flag by default on each and every interface.
  two: implement ifconfig if +inet6 to turn inet6 on and assign
  the link-local addr.
  
  this should be transparent for almost all real use cases of inet6
  since assigning any inet6 address also resets the flag (and ll is
  assigned then as well).
  lo0 still gets its ::1 and fe80::1%lo0 by default.
  
  the only use case that needs config adoption: people ONLY using
  link-local, they will need to put +inet6 in the corresponding
  hostname.if file.
  
  ok?
 
 To be honest the right fix would be to get rid of IFXF_NOINET6 and
 just make it the default. There is no need for such a flag anymore.

very valid point, I'll happily clean that up right after - one thing
at a time.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: NOINET6 by default

2014-05-15 Thread Todd T. Fries
Penned by Henning Brauer on 20140516  0:26.37, we have:
| * Claudio Jeker cje...@diehard.n-r-g.com [2014-05-15 09:33]:
|  On Wed, May 14, 2014 at 11:29:20PM +0200, Henning Brauer wrote:
|   so as discussed recently having the inet6 link-local addrs on every
|   interface by default is stupid and a security risk.
|   
|   this diff fixes that. well, really two independent parts.
|   one: set the NOINET6 flag by default on each and every interface.
|   two: implement ifconfig if +inet6 to turn inet6 on and assign
|   the link-local addr.
|   
|   this should be transparent for almost all real use cases of inet6
|   since assigning any inet6 address also resets the flag (and ll is
|   assigned then as well).
|   lo0 still gets its ::1 and fe80::1%lo0 by default.
|   
|   the only use case that needs config adoption: people ONLY using
|   link-local, they will need to put +inet6 in the corresponding
|   hostname.if file.
|   
|   ok?
|  
|  To be honest the right fix would be to get rid of IFXF_NOINET6 and
|  just make it the default. There is no need for such a flag anymore.
| 
| very valid point, I'll happily clean that up right after - one thing
| at a time.

When I travel between networks.. at home with rtsol capable networks ..
and at e.g. a library that does not have native IPv6 .. I find it invaluable
to 'zzz' then upon resume 'ifconfig wpi0 -inet6' for the library and then
'rtsol wpi0' at home.

Just because the new default will be the equivalent of 'ifconfig wpi0 -inet6'
until configured doesn't mean there isn't a use for clearing it later on as 
well.

I wish there were an equivalent for IPv4, but at least dhclient clears the old
address on 'ifconfig wpi0 down' ...

Thanks,
-- 
Todd T. Fries . http://todd.fries.net/pgp.txt . @unix2mars . github:toddfries



NOINET6 by default

2014-05-14 Thread Henning Brauer
so as discussed recently having the inet6 link-local addrs on every
interface by default is stupid and a security risk.

this diff fixes that. well, really two independent parts.
one: set the NOINET6 flag by default on each and every interface.
two: implement ifconfig if +inet6 to turn inet6 on and assign
the link-local addr.

this should be transparent for almost all real use cases of inet6
since assigning any inet6 address also resets the flag (and ll is
assigned then as well).
lo0 still gets its ::1 and fe80::1%lo0 by default.

the only use case that needs config adoption: people ONLY using
link-local, they will need to put +inet6 in the corresponding
hostname.if file.

ok?

Index: sys/net/if.c
===
RCS file: /cvs/src/sys/net/if.c,v
retrieving revision 1.288
diff -u -p -r1.288 if.c
--- sys/net/if.c13 May 2014 14:33:25 -  1.288
+++ sys/net/if.c14 May 2014 21:03:45 -
@@ -429,6 +429,9 @@ if_attach(struct ifnet *ifp)
 #else
TAILQ_INSERT_TAIL(ifnet, ifp, if_list);
 #endif
+#ifdef INET6
+   ifp-if_xflags |= IFXF_NOINET6;
+#endif
 
m_clinitifp(ifp);
 
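Review bot: the new `ifp->if_xflags |= IFXF_NOINET6` in if_attach() sets the flag on every interface, lo0 included, so the ::1 / fe80::1%lo0 behaviour promised in the mail depends on an address assignment elsewhere clearing the flag again, which is not visible in this hunk; a one-line comment above the `#ifdef INET6` block stating that assigning any inet6 address (or running rtsol) clears IFXF_NOINET6 would make the default self-explanatory and would also record why dropping the flag entirely, as suggested in the thread, is a follow-up rather than part of this change.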
Index: sbin/ifconfig/ifconfig.8
===
RCS file: /cvs/src/sbin/ifconfig/ifconfig.8,v
retrieving revision 1.241
diff -u -p -r1.241 ifconfig.8
--- sbin/ifconfig/ifconfig.822 Apr 2014 10:11:32 -  1.241
+++ sbin/ifconfig/ifconfig.813 May 2014 14:58:58 -
@@ -283,8 +283,12 @@ Disable
 on the given interface and remove all configured
 .Xr inet6 4
 addresses, including the link-local ones.
-To turn it on again, assign any inet6 address or run
+To turn it on again, use +inet6, assign any inet6 address or run
 .Xr rtsol 8 .
+.It +inet6
+Enable
+.Xr inet6 4
+and assign a link local address if the interface doesn't have one yet.
 .It Cm instance Ar minst
 Set the media instance to
 .Ar minst .
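Review bot: the new `.It +inet6` entry lacks the `Cm` macro that the neighbouring `.It Cm instance Ar minst` uses, so the option will not render as a command keyword; it should be `.It Cm +inet6`. In the same hunk `link local address` should read `link-local address` to match `including the link-local ones` a few lines above, and `+inet6` in the added sentence `To turn it on again, use +inet6, ...` deserves the same `.Cm` markup as the other keywords on the page.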
Index: sbin/ifconfig/ifconfig.c
===
RCS file: /cvs/src/sbin/ifconfig/ifconfig.c,v
retrieving revision 1.283
diff -u -p -r1.283 ifconfig.c
--- sbin/ifconfig/ifconfig.c12 May 2014 08:47:37 -  1.283
+++ sbin/ifconfig/ifconfig.c13 May 2014 14:56:25 -
@@ -412,6 +412,7 @@ const structcmd {
{ -flowdst, 1,0,  unsetpflow_receiver },
{ pflowproto, NEXTARG,0,  setpflowproto },
{ -inet6, IFXF_NOINET6,   0,  setifxflags } ,
+   { +inet6, 0,  0,  setia6eui64 },
{ keepalive,  NEXTARG2,   0,  NULL, setkeepalive },
{ -keepalive, 1,  0,  unsetkeepalive },
{ add,NEXTARG,0,  bridge_add },
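Review bot: the new `{ +inet6, 0, 0, setia6eui64 }` row hands +inet6 to the eui64 address handler while its `-inet6` counterpart two lines above goes through setifxflags, so the on/off pair is implemented by two unrelated functions and the `val` column (0) carries no meaning for this entry; a dedicated handler, or a setifxflags row with a negative IFXF_NOINET6 (which is what the +inet6 path ends up calling anyway), would keep the table symmetric. The stray space in `} ,` on the `-inet6` row could be tidied while touching this area.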
@@ -1310,7 +1311,9 @@ setia6eui64(const char *cmd, int val)
const struct in6_addr *lladdr = NULL;
struct in6_addr *in6;
 
-   if (afp-af_af != AF_INET6)
+   if (!strcmp(cmd, +inet6))
+   setifxflags(inet6, -IFXF_NOINET6);
+   else if (afp-af_af != AF_INET6)
errx(1, %s not allowed for the AF, cmd);
in6 = (struct in6_addr *)in6_addreq.ifra_addr.sin6_addr;
if (memcmp(in6addr_any.s6_addr[8], in6-s6_addr[8], 8) != 0)
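Review bot: after `setifxflags(inet6, -IFXF_NOINET6)` the `+inet6` case falls straight through into the eui64 code that follows, and because the `afp->af_af != AF_INET6` guard is now skipped for it, `in6_addreq` is filled in even when no `inet6` keyword preceded `+inet6` on the command line and afp is still whatever it was before; either return immediately after clearing the flag and let the kernel attach the link-local address, or select AF_INET6 explicitly before continuing. Keying the behaviour on `strcmp(cmd, +inet6)` is also fragile if the table entry is ever renamed; passing a distinct `val` through the table's second column would be cleaner.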



-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual  Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
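A defender-side check that follows from this thread, added here as an example that is not code from the mail or from OpenBSD: a POSIX sh script that parses ifconfig(8)-style output (a constructed sample is embedded) and reports which interfaces carry only the automatic fe80:: link-local address, i.e. the ones exposed by the old default and the ones that will need +inet6 under the new one. The state names, function names and the sample addresses are my own.

```shell
#!/bin/sh
# Added example (not code from the thread or from OpenBSD): classify the
# inet6 state of every interface in ifconfig(8)-style output so an admin can
# see which interfaces carry nothing but an automatic fe80:: link-local
# address, the exposure discussed in the thread.  Input is read from stdin.

# Constructed sample of ifconfig(8) output for a host *before* the change:
# lo0 and iwn0 have real inet6 addresses, em0 and vether0 only received the
# automatic link-local address, enc0 has no inet6 at all.
SAMPLE=$(cat <<'EOF'
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:53:01
        status: active
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        inet6 fe80::200:5eff:fe00:5301%em0 prefixlen 64 scopeid 0x1
vether0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr fe:e1:ba:d0:00:01
        groups: vether
        inet6 fe80::fce1:baff:fed0:1%vether0 prefixlen 64 scopeid 0x5
iwn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:53:02
        status: active
        inet6 fe80::200:5eff:fe00:5302%iwn0 prefixlen 64 scopeid 0x2
        inet6 2001:db8:1::abcd prefixlen 64
        inet6 2001:db8:1:0:1234:5678:9abc:def0 prefixlen 64 autoconfprivacy
enc0: flags=0<> mtu 1536
        groups: enc
        status: active
EOF
)

# Print "<ifname> <state>" per interface, in input order.  States:
#   configured  at least one inet6 address outside fe80::/10 is present
#   ll-only     the only inet6 address is the fe80::/10 link-local one
#   none        no inet6 address at all (the new default after the diff)
classify_inet6() {
    awk '
    /^[a-z][a-z0-9]*: flags=/ {
        split($1, a, ":"); cur = a[1]
        if (!(cur in seen)) { seen[cur] = 1; order[++n] = cur }
        next
    }
    $1 == "inet6" {
        if ($2 ~ /^fe[89ab][0-9a-f]:/) ll[cur] = 1
        else other[cur] = 1
    }
    END {
        for (k = 1; k <= n; k++) {
            i = order[k]
            if (i in other) s = "configured"
            else if (i in ll) s = "ll-only"
            else s = "none"
            print i, s
        }
    }'
}

# Only the interfaces whose sole inet6 address is the automatic link-local
# one: candidates for "-inet6" in hostname.if before the diff, and the ones
# that will stay without inet6 unless "+inet6" is added after it.
ll_only_ifaces() {
    classify_inet6 | awk '$2 == "ll-only" { print $1 }'
}

# Stand-alone run over the constructed sample.  On a live host, feed the
# real output instead:  ifconfig -A | classify_inet6
printf '%s\n' "$SAMPLE" | classify_inet6
```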



Re: NOINET6 by default

2014-05-14 Thread Paul de Weerd
Hi Henning,

Thanks, I really like this.

On Wed, May 14, 2014 at 11:29:20PM +0200, Henning Brauer wrote:
| the only use case that needs config adoption: people ONLY using
| link-local, they will need to put +inet6 in the corresponding
| hostname.if file.

People that set net.inet6.ip6.accept_rtadv=1 but don't actively do
router solicitation will now no longer get an IPv6 address (a real
one, not just link local) after some time (when there are router
advertisements on the network).  This seems blatantly obvious, but
might still warrant an entry in current.html as it's contrary to
previous behavior.  Suggested diff included,

Anyway, I've verified that my system now comes up with ::1 and
fe80::1%lo0 on lo0 but other interfaces (software ones like vether(4)
and real ones like re(4) and iwn(4)) don't get an address after just
bringing the interface up.  Using +inet6 works and gets me a
link-local address (and, when I do this on a network with router
advertisements, I get an address and an autoconfprivacy address after
some time).  And of course, configuring IPv6 works as usual.

| ok?

This makes a whole lot of sense to me.  Please make OpenBSD the first
OS to do (this part of) v6 in a sensible way.

Paul 'WEiRD' de Weerd

Index: current.html
===
RCS file: /cvs/www/faq/current.html,v
retrieving revision 1.508
diff -u -p -r1.508 current.html
--- current.html7 May 2014 13:38:43 -   1.508
+++ current.html14 May 2014 22:01:30 -
@@ -52,6 +52,7 @@
 lia href=#201404212014/04/21 - lpd(8): hosts.equiv removed/a
 lia href=#201404222014/04/22 - kerberosV removed/a
 lia href=#201405032014/05/03 - bcrypt hash advanced to $2b$ mode/a
+lia href=#201405162014/05/16 - IPv6 defaults to off when not 
configured/a
 /ul
 
 hr
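Review bot: the added list-item line has been wrapped by the mailer (it breaks after `when not ` with `configured` on a line of its own), so the hunk as posted will not apply cleanly even though the header counts it as a single added line; please re-send with line wrapping disabled or as an attachment.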
@@ -490,6 +491,14 @@ manually or use the kerberos packages wh
 The bcrypt(3) hash has been advanced to the new $2b$ mode.  Newly
 created hashes will follow this form.  Older systems may not
 understand this format.
+
+a name=20140516/a
+h32014/05/16 - IPv6 defaults to off when not configured/h3
+
+Interfaces no longer get a link-local address configured by default
+when no other IPv6 configuration is present.  If you want the old
+behaviour restored for sepcific interfaces, add +inet6 to the
+hostname.if(5) file or on the ifconfig(8) command line.
 
 hr
 br
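Review bot: typo in the added paragraph: `sepcific interfaces` should be `specific interfaces`. The sentence `add +inet6 to the hostname.if(5) file` also reads as if every IPv6 user needs it, whereas only interfaces with no inet6 address configured are affected (assigning any inet6 address or running rtsol clears the flag, per the ifconfig.8 hunk in the original mail); saying so explicitly would stop people adding +inet6 to files that already configure IPv6.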


| Index: sys/net/if.c
| ===
| RCS file: /cvs/src/sys/net/if.c,v
| retrieving revision 1.288
| diff -u -p -r1.288 if.c
| --- sys/net/if.c  13 May 2014 14:33:25 -  1.288
| +++ sys/net/if.c  14 May 2014 21:03:45 -
| @@ -429,6 +429,9 @@ if_attach(struct ifnet *ifp)
|  #else
|   TAILQ_INSERT_TAIL(ifnet, ifp, if_list);
|  #endif
| +#ifdef INET6
| + ifp-if_xflags |= IFXF_NOINET6;
| +#endif
|  
|   m_clinitifp(ifp);
|  
| Index: sbin/ifconfig/ifconfig.8
| ===
| RCS file: /cvs/src/sbin/ifconfig/ifconfig.8,v
| retrieving revision 1.241
| diff -u -p -r1.241 ifconfig.8
| --- sbin/ifconfig/ifconfig.8  22 Apr 2014 10:11:32 -  1.241
| +++ sbin/ifconfig/ifconfig.8  13 May 2014 14:58:58 -
| @@ -283,8 +283,12 @@ Disable
|  on the given interface and remove all configured
|  .Xr inet6 4
|  addresses, including the link-local ones.
| -To turn it on again, assign any inet6 address or run
| +To turn it on again, use +inet6, assign any inet6 address or run
|  .Xr rtsol 8 .
| +.It +inet6
| +Enable
| +.Xr inet6 4
| +and assign a link local address if the interface doesn't have one yet.
|  .It Cm instance Ar minst
|  Set the media instance to
|  .Ar minst .
| Index: sbin/ifconfig/ifconfig.c
| ===
| RCS file: /cvs/src/sbin/ifconfig/ifconfig.c,v
| retrieving revision 1.283
| diff -u -p -r1.283 ifconfig.c
| --- sbin/ifconfig/ifconfig.c  12 May 2014 08:47:37 -  1.283
| +++ sbin/ifconfig/ifconfig.c  13 May 2014 14:56:25 -
| @@ -412,6 +412,7 @@ const struct  cmd {
|   { -flowdst, 1,0,  unsetpflow_receiver },
|   { pflowproto, NEXTARG,0,  setpflowproto },
|   { -inet6, IFXF_NOINET6,   0,  setifxflags } ,
| + { +inet6, 0,  0,  setia6eui64 },
|   { keepalive,  NEXTARG2,   0,  NULL, setkeepalive },
|   { -keepalive, 1,  0,  unsetkeepalive },
|   { add,NEXTARG,0,  bridge_add },
| @@ -1310,7 +1311,9 @@ setia6eui64(const char *cmd, int val)
|   const struct in6_addr *lladdr = NULL;
|   struct in6_addr *in6;
|  
| - if (afp-af_af != AF_INET6)
| + if (!strcmp(cmd, +inet6))
| + setifxflags(inet6, -IFXF_NOINET6);
| + else if (afp-af_af != AF_INET6)
|   errx(1, %s not allowed for the AF, cmd);
|   in6 = (struct in6_addr 

Re: NOINET6 by default

2014-05-14 Thread Stuart Henderson
On 2014/05/15 00:02, Paul de Weerd wrote:
 Hi Henning,
 
 Thanks, I really like this.
 
 On Wed, May 14, 2014 at 11:29:20PM +0200, Henning Brauer wrote:
 | the only use case that needs config adoption: people ONLY using
 | link-local, they will need to put +inet6 in the corresponding
 | hostname.if file.
 
 People that set net.inet6.ip6.accept_rtadv=1 but don't actively do
 router solicitation will now no longer get an IPv6 address (a real
 one, not just link local) after some time (when there are router
 advertisements on the network).  This seems blatantly obvious, but
 might still warrant an entry in current.html as it's contrary to
 previous behavior.  Suggested diff included,
 
 Anyway, I've verified that my system now comes up with ::1 and
 fe80::1%lo0 on lo0 but other interfaces (software ones like vether(4)
 and real ones like re(4) and iwn(4)) don't get an address after just
 bringing the interface up.  Using +inet6 works and gets me a
 link-local address (and, when I do this on a network with router
 advertisements, I get an address and an autoconfprivacy address after
 some time).  And of course, configuring IPv6 works as usual.
 
 | ok?
 
 This makes a whole lot of sense to me.  Please make OpenBSD the first
 OS to do (this part of) v6 in a sensible way.
 
 Paul 'WEiRD' de Weerd
 
 Index: current.html
 ===
 RCS file: /cvs/www/faq/current.html,v
 retrieving revision 1.508
 diff -u -p -r1.508 current.html
 --- current.html  7 May 2014 13:38:43 -   1.508
 +++ current.html  14 May 2014 22:01:30 -
 @@ -52,6 +52,7 @@
  lia href=#201404212014/04/21 - lpd(8): hosts.equiv removed/a
  lia href=#201404222014/04/22 - kerberosV removed/a
  lia href=#201405032014/05/03 - bcrypt hash advanced to $2b$ mode/a
 +lia href=#201405162014/05/16 - IPv6 defaults to off when not 
 configured/a
  /ul
  
  hr
 @@ -490,6 +491,14 @@ manually or use the kerberos packages wh
  The bcrypt(3) hash has been advanced to the new $2b$ mode.  Newly
  created hashes will follow this form.  Older systems may not
  understand this format.
 +
 +a name=20140516/a
 +h32014/05/16 - IPv6 defaults to off when not configured/h3
 +
 +Interfaces no longer get a link-local address configured by default
 +when no other IPv6 configuration is present.  If you want the old

Maybe s/when no other/unless explicit/ ?

 +behaviour restored for sepcific interfaces, add +inet6 to the
 +hostname.if(5) file or on the ifconfig(8) command line.

Cue a bunch of people needlessly adding +inet6 to hostname.if files
when they already have configuration, but I don't think there's anything
we can do about that and it doesn't matter anyway. ;)



Re: NOINET6 by default

2014-05-14 Thread Mark Kettenis
 Date: Wed, 14 May 2014 23:29:20 +0200
 From: Henning Brauer lists-openbsdt...@bsws.de

 this diff fixes that. well, really two independent parts.
 one: set the NOINET6 flag by default on each and every interface.

ok on that bit

 two: implement ifconfig if +inet6 to turn inet6 on and assign
 the link-local addr.

I don't think this is a good idea; didn't we establish the other day
that ifconfig if eui64 already did what your +inet6 does?



Re: NOINET6 by default

2014-05-14 Thread Ted Unangst
On Thu, May 15, 2014 at 00:14, Alexander Bluhm wrote:
 On Wed, May 14, 2014 at 11:29:20PM +0200, Henning Brauer wrote:
 so as discussed recently having the inet6 link-local addrs on every
 interface by default is stupid and a security risk.
 
 Connecting a computer to the internet is a security risk.  
 IPv4 is on by default, and so IPv6 should be on by default.
 I want both to be handled the same way.

Huh? Running 'ifconfig em0 up' does not assign an IPv4 address.




Re: NOINET6 by default

2014-05-14 Thread Kenneth Westerback
On 14 May 2014 18:14, Alexander Bluhm alexander.bl...@gmx.net wrote:
 On Wed, May 14, 2014 at 11:29:20PM +0200, Henning Brauer wrote:
 so as discussed recently having the inet6 link-local addrs on every
 interface by default is stupid and a security risk.

 Connecting a computer to the internet is a security risk.
 IPv4 is on by default, and so IPv6 should be on by default.
 I want both to be handled the same way.

And that, to me, is what this does, sans the +inet6 bit on which I
agree with Mark. i.e. 'ifconfig if up' does not magically make IPv6
work while not making IPv4 work.


 the only use case that needs config adoption: people ONLY using
 link-local, they will need to put +inet6 in the corresponding
 hostname.if file.

I don't think this is needed. The eui64 thing seemed more obvious to
me. Hmm. '-eui64' to remove it once it was added?


 There is a use case for running IPv6 over an interface without
 setting an address.  Configure a global IPv6 address on lo0, run
 ospf6d on any physical interface and it will provide connection.
 IPv6 autoconfiguration with link-local addresses is useful.

So instead of everyone putting -inet6 in their hostname.if files,
possibly even having to create hostname.if files to prevent interfaces
from magically being portals into your system, now the people who know
they want/need IPv6 have to put 'eui64' lines in the interfaces they
want to be addressable.

Again, this seems more consistent with IPv4 usage than today's setup.
So I vote ok.

 Ken


 ok?

 No

 bluhm




Re: NOINET6 by default

2014-05-14 Thread Henning Brauer
* Mark Kettenis mark.kette...@xs4all.nl [2014-05-15 00:15]:
 I don't think this is a good idea; didn't we establish the other day
 that ifconfig if eui64 already did what your +inet6 does?

almost, it's ifconfig if inet6 eui64 - but that isn't all THAT
intuitive. I like +inet6 as the opposite of -inet6.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual  Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: NOINET6 by default

2014-05-14 Thread Stuart Henderson
On 2014/05/15 00:13, Mark Kettenis wrote:
  Date: Wed, 14 May 2014 23:29:20 +0200
  From: Henning Brauer lists-openbsdt...@bsws.de
 
  this diff fixes that. well, really two independent parts.
  one: set the NOINET6 flag by default on each and every interface.
 
 ok on that bit
 
  two: implement ifconfig if +inet6 to turn inet6 on and assign
  the link-local addr.
 
 I don't think this is a good idea; didn't we establish the other day
 that ifconfig if eui64 already did what your +inet6 does?
 

Actually it's ifconfig if inet6 eui64, so in hostname.if with
the current parser it would probably be something like up inet6 eui64
or !ifconfig $if inet6 eui64 instead ..

Using +inet6 gets around that problem and seems to me like a better
counterpart to the existing -inet6.

(If we were to make this work more nicely in netstart which is a bad
place for any required changes; it's in etc*.tgz which is usually
not updated until after the kernel/binaries).



Re: NOINET6 by default

2014-05-14 Thread Henning Brauer
* Alexander Bluhm alexander.bl...@gmx.net [2014-05-15 00:15]:
 On Wed, May 14, 2014 at 11:29:20PM +0200, Henning Brauer wrote:
  so as discussed recently having the inet6 link-local addrs on every
  interface by default is stupid and a security risk.
 Connecting a computer to the internet is a security risk.  
 IPv4 is on by default, and so IPv6 should be on by default.
 I want both to be handled the same way.

WITH my diff they finally become the same, IPv4 does NOT assign some
special address to the interface by default.

The analogy really breaks here since v4 just doesn't have link local.

  the only use case that needs config adoption: people ONLY using
  link-local, they will need to put +inet6 in the corresponding
  hostname.if file.
 There is a use case for running IPv6 over an interface without
 setting an address.  Configure a global IPv6 address on lo0, run
 ospf6d on any physical interface and it will provide connection.
 IPv6 autoconfiguration with link-local addresses is useful.

so you put +inet6 in the corresponding hostname.if file and everything
works like you want it to.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual  Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: NOINET6 by default

2014-05-14 Thread Reyk Flöter

 On 15.05.2014, at 00:46, Henning Brauer lists-openbsdt...@bsws.de wrote:
 
 * Mark Kettenis mark.kette...@xs4all.nl [2014-05-15 00:15]:
 I don't think this is a good idea; didn't we establish the other day
 that ifconfig if eui64 already did what your +inet6 does?
 
 almost, it's ifconfig if inet6 eui64 - but that isn't all THAT
 intuitive. I like +inet6 as the opposite of -inet6.
 

We don't have + something. It is foo or -foo but not +foo. I know that inet6 
is already used for the regular addresses, but +inet6 sounds like an 
inconsistent workaround for a workaround. I don't like it.

To enable IPv6 link-local I would rather prefer two options to put either 
inet6 eui64 (or an alias like inet6 link-local) or an actual inet6 address 
in your hostname.if. The latter should automatically remove the flag and enable 
the link-local address - does it work this way?

Reyk



Re: NOINET6 by default

2014-05-14 Thread Alexander Hall

On 05/15/14 00:48, Henning Brauer wrote:

* Alexander Bluhm alexander.bl...@gmx.net [2014-05-15 00:15]:

On Wed, May 14, 2014 at 11:29:20PM +0200, Henning Brauer wrote:

so as discussed recently having the inet6 link-local addrs on every
interface by default is stupid and a security risk.

Connecting a computer to the internet is a security risk.
IPv4 is on by default, and so IPv6 should be on by default.
I want both to be handled the same way.


WITH my diff they finally become the same, IPv4 does NOT assign some
special address to the interface by default.

The analogy really breaks here since v4 just doesn't have link local.


the only use case that needs config adoption: people ONLY using
link-local, they will need to put +inet6 in the corresponding
hostname.if file.

There is a use case for running IPv6 over an interface without
setting an address.  Configure a global IPv6 address on lo0, run
ospf6d on any physical interface and it will provide connection.
IPv6 autoconfiguration with link-local addresses is useful.


so you put +inet6 in the corresponding hostname.if file and everything
works like you want it to.


While my powers in this field are limited, I would really hate to see 
another operator type (e.g. +foo +bar) being introduced in ifconfig. 
It's cludgy enough already IMO.


If we need +inet6, it's a pointer that inet6 is already busy and we 
should look something else.


eui64 sounds better so me.

/Alexander



Re: NOINET6 by default

2014-05-14 Thread Stuart Henderson
On 2014/05/14 23:47, Stuart Henderson wrote:
 On 2014/05/15 00:13, Mark Kettenis wrote:
   Date: Wed, 14 May 2014 23:29:20 +0200
   From: Henning Brauer lists-openbsdt...@bsws.de
  
   this diff fixes that. well, really two independent parts.
   one: set the NOINET6 flag by default on each and every interface.
  
  ok on that bit
  
   two: implement ifconfig if +inet6 to turn inet6 on and assign
   the link-local addr.
  
  I don't think this is a good idea; didn't we establish the other day
  that ifconfig if eui64 already did what your +inet6 does?
  
 
 Actually it's ifconfig if inet6 eui64, so in hostname.if with
 the current parser it would probably be something like up inet6 eui64
 or !ifconfig $if inet6 eui64 instead ..

oh, actually reading netstart it seems we're ok with inet6 eui64
in hostname.if, providing there is nothing else on the line.. still
the handling of inet / inet6 lines in this file is an area of
confusion and unexpected behaviour that I would quite like to avoid
adding to if possible..

 Using +inet6 gets around that problem and seems to me like a better
 counterpart to the existing -inet6.
 
 (If we were to make this work more nicely in netstart which is a bad
 place for any required changes; it's in etc*.tgz which is usually
 not updated until after the kernel/binaries).
 




Re: NOINET6 by default

2014-05-14 Thread Henning Brauer
* Reyk Flöter reyk.floe...@googlemail.com [2014-05-15 01:04]:
  On 15.05.2014, at 00:46, Henning Brauer lists-openbsdt...@bsws.de wrote:
  * Mark Kettenis mark.kette...@xs4all.nl [2014-05-15 00:15]:
  I don't think this is a good idea; didn't we establish the other day
  that ifconfig if eui64 already did what your +inet6 does?
  almost, it's ifconfig if inet6 eui64 - but that isn't all THAT
  intuitive. I like +inet6 as the opposite of -inet6.
 We don't have + something. It is foo or -foo but not +foo. I know that 
 inet6 is already used for the regular addresses, but +inet6 sounds like an 
 inconsistent workaround for a workaround. I don't like it.

just inet6 doesn't work, since that is already used to show all inet6
addrs. 
i find +inet6 very intuitive...

 To enable IPv6 link-local I would rather prefer two options to put
 either inet6 eui64 (or an alias like inet6 link-local) or an actual
 inet6 address in your hostname.if. The latter should automatically
 remove the flag and enable the link-local address - does it work this
 way? 

as said many times, yes it does.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual  Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: NOINET6 by default

2014-05-14 Thread Todd T. Fries
Penned by Henning Brauer on 20140514 22:48.16, we have:
| * Reyk Flöter reyk.floe...@googlemail.com [2014-05-15 01:04]:
|   On 15.05.2014, at 00:46, Henning Brauer lists-openbsdt...@bsws.de wrote:
|   * Mark Kettenis mark.kette...@xs4all.nl [2014-05-15 00:15]:
|   I don't think this is a good idea; didn't we establish the other day
|   that ifconfig if eui64 already did what your +inet6 does?
|   almost, it's ifconfig if inet6 eui64 - but that isn't all THAT
|   intuitive. I like +inet6 as the opposite of -inet6.
|  We don't have + something. It is foo or -foo but not +foo. I know that 
|  inet6 is already used for the regular addresses, but +inet6 sounds like an 
|  inconsistent workaround for a workaround. I don't like it.
| 
| just inet6 doesn't work, since that is already used to show all inet6
| addrs. 
| i find +inet6 very intuitive...
| 
|  To enable IPv6 link-local I would rather prefer two options to put
|  either inet6 eui64 (or an alias like inet6 link-local) or an actual
|  inet6 address in your hostname.if. The latter should automatically
|  remove the flag and enable the link-local address - does it work this
|  way? 
| 
| as said many times, yes it does.

I ack that it is a security risk to auto address interfaces without some admin
action.

The proposed solution seems sound, 'inet6 eui64' seems sane.  In theory it
should work, but I must be doing something wrong:

 # ifconfig vether0 create
 # ifconfig vether0 -inet6
 # ifconfig vether0 inet6 eui64
 ifconfig: could not determine link local address

Once that works properly, I say we let the diff in and bikeshed if we
truly need to invent more syntax ('+inet6') that is unlike anything else
vs let the few of us that want this apparently obscure case add 'inet6
eui64' and be done with it.

Aka, let's not hold up the rest of the functionality just because we
can't agree if we need a further diff to make 'inet6 eui64'
better/faster/easier/another way to skin the cat...

IMHO, it's time to polish in the tree.  This is, after all, a _security_
related diff, no?

Thanks,
-- 
Todd T. Fries . http://todd.fries.net/pgp.txt . @unix2mars . github:toddfries



Re: NOINET6 by default

2014-05-14 Thread Jérémie Courrèges-Anglas
Paul de Weerd we...@weirdnet.nl writes:

[...]

 This makes a whole lot of sense to me.  Please make OpenBSD the first
 OS to do (this part of) v6 in a sensible way.

Actually that makes me laugh.  Sensible, weeeh.  Let's protect our users
from the dangers of IPv6 link-local addresses!  Wait, what users are we
talking about?  We have no users, right, we have developers that break
stuff, and other developers that clean up the feces.  Between +inet6 and
eui64 all we have are non-idiomatic or broken alternatives.

Link-local addresses have been exposed since almost 15 years now, it's
a good time to decide that they are persona non grata in OpenBSD land.
After all, the v6 stack has had all the testing it could get, now that
we know that it works well, we don't need testing anymore.

What could be sensible, though, is accepting the fact that IPv6 exists,
and the fact that link-local addresses are part of it, whether you have
global connectivity or not.  Now call me a v6 zealot, I probably live
and work in an imaginary world.

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE