From owner-freebsd-net@FreeBSD.ORG Fri Jun 26 16:35:40 2009
Message-ID: <4A44F49B.7020403@FreeBSD.org>
Date: Fri, 26 Jun 2009 17:17:31 +0100
From: Bruce Simpson <bms@FreeBSD.org>
To: Hiroki Sato
Cc: jinmei@isc.org, bz@FreeBSD.org, rwatson@FreeBSD.org, ume@FreeBSD.org, net@FreeBSD.org
References: <20090626.170006.244306978.hrs@allbsd.org>
In-Reply-To: <20090626.170006.244306978.hrs@allbsd.org>
Subject: Re: RFC: convert net.inet6.ip6.{accept_rtadv, auto_linklocal} to per-interface flags
List-Id: Networking and TCP/IP with FreeBSD

Hiroki Sato wrote:
> The ip6.autolinklocal had been enabled but disabled since 6.2R by
> default because automatic configuration of L3 address is insecure.
> However, it makes IPv6 configuration complex because there is no
> link-local address on an interface. Malformed address configuration
> can happen easily on a system with $ipv6_enable="NO", for example. In
> addition, the rc.conf knob does not mean the IPv6 functionality is
> completely disabled. Using an interface for IPv4-only is difficult.

The MLDv2 code will use the link-local address by default if available;
otherwise, if the link is in DAD, it will use ::.

In fact, link-local addresses are needed to make stuff like OSPFv3 and
MLDv2 work properly. So we are in fact shooting ourselves in the foot
over people's paranoia.

Link-scope addresses starting 'fe80' don't belong in traffic beyond one
L2 hop. We already have a check for 169.254.0.0/16 in ip_forward(), and
ip6_forward() performs a scope check.

If people have legitimate security concerns about these address ranges,
the place to implement that is at the perimeter, or in other forwarding
policy, not by breaking IPv6 deployment for end-users.

> So, I want to add the following changes:
>
> 1. Use per-interface ND6 flag "ifdisabled" as a flag for if it is
> IPv6-enabled or not. Set it by default.
>
> 2. Automatic link-local address configuration is performed when the
> ifdisabled flag is clear, not at attach time of the interface.
> This is implemented as a per-interface flag "auto_linklocal".

This seems perfectly reasonable -- in fact, it's closer to how other
platforms do it.

> 3. Accepting Router Advertisement message is also controlled by
> per-interface flag "accept_rtadv".

Again, RTADV is something which most people who use IPv6 on an endpoint
in a stub network are going to use, so it's reasonable to have it
controllable on a per-interface basis.

> The patch for the latest current is attached. Thanks.

Patch looks fine, but I'd fix the style(9) bugs before committing: &&
operators, etc. should be before the line break, and initializers in
variable declarations are generally discouraged. Also, there should be
whitespace between variable declarations and code.

thanks,
BMS
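The forwarding-path check the reply alludes to (169.254.0.0/16 in ip_forward(), the scope check in ip6_forward()), as an added example that is not the FreeBSD kernel's own code and not part of the original thread. It assumes a simplified notion of scope, plain prefix matching on 169.254.0.0/16, fe80::/10 and ff02::/16, rather than the kernel's scope-zone machinery; may_forward() and the sample address pairs are constructed for illustration.

```c
/*
 * Added example, not FreeBSD's ip_forward()/ip6_forward(): a minimal
 * forwarding-path filter that refuses to forward a packet whose source or
 * destination is link-scope, i.e. must not travel beyond one L2 hop.
 * Scope is decided by prefix match only (assumption: no scope zones).
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 3927: 169.254.0.0/16 is the IPv4 link-local range. */
int is_v4_linklocal(const struct in_addr *a)
{
    uint32_t h = ntohl(a->s_addr);
    return (h & 0xffff0000u) == 0xa9fe0000u;
}

/* RFC 4291: fe80::/10 is the IPv6 link-local unicast prefix. */
int is_v6_linklocal(const struct in6_addr *a)
{
    return a->s6_addr[0] == 0xfe && (a->s6_addr[1] & 0xc0) == 0x80;
}

/* RFC 4291: ff02::/16 is link-scope multicast (scope nibble == 2),
 * e.g. ff02::16, the MLDv2 listener-report group. */
int is_v6_linkscope_mcast(const struct in6_addr *a)
{
    return a->s6_addr[0] == 0xff && (a->s6_addr[1] & 0x0f) == 0x02;
}

/*
 * Decide whether a packet with the given textual source and destination
 * may be forwarded off-link. Returns 1 to forward, 0 to drop, -1 if the
 * pair does not parse as two addresses of one family (a real forwarder
 * would drop that as well).
 */
int may_forward(const char *src, const char *dst)
{
    struct in_addr s4, d4;
    struct in6_addr s6, d6;

    if (inet_pton(AF_INET, src, &s4) == 1 &&
        inet_pton(AF_INET, dst, &d4) == 1)
        return !(is_v4_linklocal(&s4) || is_v4_linklocal(&d4));

    if (inet_pton(AF_INET6, src, &s6) == 1 &&
        inet_pton(AF_INET6, dst, &d6) == 1)
        return !(is_v6_linklocal(&s6) || is_v6_linklocal(&d6) ||
                 is_v6_linkscope_mcast(&d6));

    return -1;
}

int main(void)
{
    /* Constructed sample pairs (documentation prefixes), not captured traffic. */
    const char *pairs[][2] = {
        { "192.0.2.10",  "198.51.100.20" },   /* forward */
        { "169.254.1.1", "198.51.100.20" },   /* drop: IPv4 link-local src */
        { "2001:db8::1", "2001:db8:1::2" },   /* forward */
        { "fe80::1",     "2001:db8:1::2" },   /* drop: fe80::/10 src */
        { "2001:db8::1", "ff02::16" },        /* drop: link-scope mcast dst */
    };
    size_t i;

    for (i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("%-16s -> %-16s : %s\n", pairs[i][0], pairs[i][1],
               may_forward(pairs[i][0], pairs[i][1]) == 1 ? "forward" : "drop");
    return 0;
}
```

The point of the example is the placement: the link-scope test sits in the forwarding path (or at the perimeter), where it stops fe80::/10 and 169.254.0.0/16 traffic from leaving the link without disabling link-local address configuration on the interface itself, which is what OSPFv3 and MLDv2 rely on.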