authorFlorian Obser <florian@cvs.openbsd.org>2019-08-21 15:32:19 +0000
committerFlorian Obser <florian@cvs.openbsd.org>2019-08-21 15:32:19 +0000
commit4f74f46798e48f16726d9230265d67293e730884 (patch)
treef19c406f7482fd420f854dbe3d629ea932105a6f
parent6d4e88aea540b4a0a08d29e59e8e14ba092b9201 (diff)
Remove support for semantically opaque interface identifiers (RFC 7217)
for IPv6 link local addresses. Some hosting and VM providers route customer IPv6 prefixes to link local addresses derived from ethernet MAC addresses (RFC 2464). This leads to hard to debug IPv6 connectivity problems and is probably not worth the effort. RFC 7721 lists 4 weaknesses: 3.1. Correlation of Activities over Time & 3.2. Location Tracking These are still possible with RFC 7217 addresses for an adversary connected to the same layer 2 network (think conference wifi). Since the link local prefix stays the same (fe80::/64) the link local addresses do not change between different networks. An adversary on the same layer 2 network can probably track ethernet MAC addresses via different means, too. 3.3. Address Scanning & 3.4. Device-Specific Vulnerability Exploitation These now become possible, however, as noted above a layer 2 adversary was probably able to do this via different means. People concerned with these weaknesses are advised to use ifconfig lladdr random. OK benno input & OK kn
-rw-r--r--lib/libc/sys/sysctl.26
-rw-r--r--sbin/ifconfig/ifconfig.88
-rw-r--r--sys/net/if.c10
-rw-r--r--sys/netinet6/in6_ifattach.c85
-rw-r--r--sys/netinet6/in6_ifattach.h3
-rw-r--r--sys/netinet6/ip6_input.c13
6 files changed, 14 insertions, 111 deletions
diff --git a/lib/libc/sys/sysctl.2 b/lib/libc/sys/sysctl.2
index e12b8a3334a..28b96858f45 100644
--- a/lib/libc/sys/sysctl.2
+++ b/lib/libc/sys/sysctl.2
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sysctl.2,v 1.29 2019/08/11 16:04:23 denis Exp $
+.\" $OpenBSD: sysctl.2,v 1.30 2019/08/21 15:32:18 florian Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
@@ -27,7 +27,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd $Mdocdate: August 11 2019 $
+.Dd $Mdocdate: August 21 2019 $
.Dt SYSCTL 2
.Os
.Sh NAME
@@ -1942,7 +1942,7 @@ and should normally be enabled on all systems.
.It Li ip6.soii Pq Va net.inet6.ip6.soiikey
This variable configures the secret key for the RFC 7217 algorithm to
calculate a persistent Semantically Opaque Interface Identifier (SOII)
-for IPv6 link local and Stateless Address Autoconfiguration (SLAAC) addresses.
+for IPv6 Stateless Address Autoconfiguration (SLAAC) addresses.
.Pp
.It Li ip6.use_deprecated Pq Va net.inet6.ip6.use_deprecated
This variable controls the use of deprecated addresses, specified in
diff --git a/sbin/ifconfig/ifconfig.8 b/sbin/ifconfig/ifconfig.8
index 89f6844e0ff..06ffb0007ea 100644
--- a/sbin/ifconfig/ifconfig.8
+++ b/sbin/ifconfig/ifconfig.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ifconfig.8,v 1.340 2019/08/03 22:51:25 krw Exp $
+.\" $OpenBSD: ifconfig.8,v 1.341 2019/08/21 15:32:18 florian Exp $
.\" $NetBSD: ifconfig.8,v 1.11 1996/01/04 21:27:29 pk Exp $
.\" $FreeBSD: ifconfig.8,v 1.16 1998/02/01 07:03:29 steve Exp $
.\"
@@ -31,7 +31,7 @@
.\"
.\" @(#)ifconfig.8 8.4 (Berkeley) 6/1/94
.\"
-.Dd $Mdocdate: August 3 2019 $
+.Dd $Mdocdate: August 21 2019 $
.Dt IFCONFIG 8
.Os
.Sh NAME
@@ -1279,14 +1279,14 @@ automatically.
Set preferred lifetime for the address, in seconds.
.It Cm soii
Enable persistent Semantically Opaque Interface Identifiers (SOIIs),
-as per RFC 7217, for link local and SLAAC addresses on the interface.
+as per RFC 7217, for SLAAC addresses on the interface.
The purpose of these identifiers is to make discovery of hosts by
scanning a whole prefix more difficult.
SOIIs use the whole 64 bits of the host part while SLAAC addresses are
formed from MAC addresses which can lower the entropy to 24 bits if
the host is running in a virtualization environment or the hardware
manufacturer is known.
-See RFC 8064 for details.
+See RFC 7721 and RFC 8064 for details.
SOIIs are enabled by default.
.It Cm -soii
Disable IPv6 persistent Semantically Opaque Interface Identifiers on the
diff --git a/sys/net/if.c b/sys/net/if.c
index 053fef352ff..17397b68831 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if.c,v 1.587 2019/08/06 22:57:54 bluhm Exp $ */
+/* $OpenBSD: if.c,v 1.588 2019/08/21 15:32:18 florian Exp $ */
/* $NetBSD: if.c,v 1.35 1996/05/07 05:26:04 thorpej Exp $ */
/*
@@ -1972,16 +1972,12 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct proc *p)
}
if (ISSET(ifr->ifr_flags, IFXF_INET6_NOSOII) &&
- !ISSET(ifp->if_xflags, IFXF_INET6_NOSOII)) {
+ !ISSET(ifp->if_xflags, IFXF_INET6_NOSOII))
ifp->if_xflags |= IFXF_INET6_NOSOII;
- in6_soiiupdate(ifp);
- }
if (!ISSET(ifr->ifr_flags, IFXF_INET6_NOSOII) &&
- ISSET(ifp->if_xflags, IFXF_INET6_NOSOII)) {
+ ISSET(ifp->if_xflags, IFXF_INET6_NOSOII))
ifp->if_xflags &= ~IFXF_INET6_NOSOII;
- in6_soiiupdate(ifp);
- }
#endif /* INET6 */
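Review bot: The two flag toggles now update if_xflags without any address regeneration, since the in6_soiiupdate() calls are gone, and nothing in ifioctl tells a reader that `soii`/`-soii` therefore only influences identifiers formed after the ioctl. A short comment above the first `if` would make that explicit, e.g. `/* SOII only affects SLAAC identifiers formed from now on; the link-local is always EUI-64 and existing addresses are not regenerated here. */`. Whether already-configured SLAAC addresses pick up the new setting on the next router advertisement is not visible in this hunk, so that wording should be checked against the nd6 prefix code before committing it. ifioctl starts and ends outside this hunk.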
diff --git a/sys/netinet6/in6_ifattach.c b/sys/netinet6/in6_ifattach.c
index 884406957cf..87aac0e1378 100644
--- a/sys/netinet6/in6_ifattach.c
+++ b/sys/netinet6/in6_ifattach.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: in6_ifattach.c,v 1.113 2019/02/13 23:47:43 dlg Exp $ */
+/* $OpenBSD: in6_ifattach.c,v 1.114 2019/08/21 15:32:18 florian Exp $ */
/* $KAME: in6_ifattach.c,v 1.124 2001/07/18 08:32:51 jinmei Exp $ */
/*
@@ -58,7 +58,6 @@
void in6_get_rand_ifid(struct ifnet *, struct in6_addr *);
int in6_get_hw_ifid(struct ifnet *, struct in6_addr *);
-int in6_get_soii_ifid(struct ifnet *, struct in6_addr *);
void in6_get_ifid(struct ifnet *, struct in6_addr *);
int in6_ifattach_loopback(struct ifnet *);
@@ -73,24 +72,6 @@ int in6_ifattach_loopback(struct ifnet *);
#define IFID_LOCAL(in6) (!EUI64_LOCAL(in6))
#define IFID_UNIVERSAL(in6) (!EUI64_UNIVERSAL(in6))
-void
-in6_soiiupdate(struct ifnet *ifp)
-{
- struct ifaddr *ifa;
-
- NET_ASSERT_LOCKED();
-
- /*
- * Update the link-local address.
- */
- ifa = &in6ifa_ifpforlinklocal(ifp, 0)->ia_ifa;
- if (ifa) {
- in6_purgeaddr(ifa);
- dohooks(ifp->if_addrhooks, 0);
- in6_ifattach(ifp);
- }
-}
-
/*
* Generate a random interface identifier.
*
@@ -211,61 +192,6 @@ in6_get_hw_ifid(struct ifnet *ifp, struct in6_addr *in6)
}
/*
- * Generate a Semantically Opaque Interface Identifier according to RFC 7217
- *
- * in6 - upper 64bits are preserved
- */
-int
-in6_get_soii_ifid(struct ifnet *ifp0, struct in6_addr *in6)
-{
- struct ifnet *ifp;
- SHA2_CTX ctx;
- u_int8_t digest[SHA512_DIGEST_LENGTH];
- struct in6_addr prefix;
- struct sockaddr_dl *sdl;
- int dad_counter = 0; /* XXX not used */
- char *addr;
-
- if (ifp0->if_xflags & IFXF_INET6_NOSOII)
- return -1;
-
- sdl = ifp0->if_sadl;
-
- if (sdl == NULL || sdl->sdl_alen == 0) {
- /*
- * try to get it from some other hardware interface like
- * in in6_get_ifid()
- */
- TAILQ_FOREACH(ifp, &ifnet, if_list) {
- if (ifp == ifp0)
- continue;
- sdl = ifp->if_sadl;
- if (sdl != NULL && sdl->sdl_alen != 0)
- break;
- }
- }
-
- if (sdl == NULL || sdl->sdl_alen == 0)
- return -1;
-
- memset(&prefix, 0, sizeof(prefix));
- prefix.s6_addr16[0] = htons(0xfe80);
- addr = LLADDR(sdl);
-
- SHA512Init(&ctx);
-
- SHA512Update(&ctx, &prefix, sizeof(prefix));
- SHA512Update(&ctx, addr, sdl->sdl_alen);
- SHA512Update(&ctx, &dad_counter, sizeof(dad_counter));
- SHA512Update(&ctx, ip6_soiikey, sizeof(ip6_soiikey));
- SHA512Final(digest, &ctx);
-
- memcpy(&in6->s6_addr[8], digest + (sizeof(digest) - 8), 8);
-
- return 0;
-}
-
-/*
* Get interface identifier for the specified interface. If it is not
* available on ifp0, borrow interface identifier from other information
* sources.
@@ -275,14 +201,7 @@ in6_get_ifid(struct ifnet *ifp0, struct in6_addr *in6)
{
struct ifnet *ifp;
- /* first, try to generate a Semantically Opaque Interface Identifier */
- if (in6_get_soii_ifid(ifp0, in6) == 0) {
- nd6log((LOG_DEBUG, "%s: got Semantically Opaque Interface "
- "Identifier\n", ifp0->if_xname));
- goto success;
- }
-
- /* next, try to get it from the interface itself */
+ /* first, try to get it from the interface itself */
if (in6_get_hw_ifid(ifp0, in6) == 0) {
nd6log((LOG_DEBUG, "%s: got interface identifier from itself\n",
ifp0->if_xname));
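Review bot: in6_get_ifid() now goes straight to in6_get_hw_ifid() with no record of why the RFC 7217 path was dropped for the link-local identifier, and the RFC 7217 wording that remains in sysctl.2 and ifconfig.8 invites someone to add it back. Suggest replacing the comment at the start of the selection with `/* Link-local identifiers are deliberately EUI-64 (RFC 2464), not SOII: some providers route customer prefixes to MAC-derived link-local addresses. SOII still applies to SLAAC addresses; RFC 7721 discusses the privacy trade-off. */`. The function continues outside this hunk.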
diff --git a/sys/netinet6/in6_ifattach.h b/sys/netinet6/in6_ifattach.h
index 244451ad12c..7c4adbe9d4c 100644
--- a/sys/netinet6/in6_ifattach.h
+++ b/sys/netinet6/in6_ifattach.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: in6_ifattach.h,v 1.9 2018/10/05 07:06:09 florian Exp $ */
+/* $OpenBSD: in6_ifattach.h,v 1.10 2019/08/21 15:32:18 florian Exp $ */
/* $KAME: in6_ifattach.h,v 1.9 2000/04/12 05:35:48 itojun Exp $ */
/*
@@ -37,7 +37,6 @@
int in6_ifattach(struct ifnet *);
void in6_ifdetach(struct ifnet *);
int in6_ifattach_linklocal(struct ifnet *, struct in6_addr *);
-void in6_soiiupdate(struct ifnet *);
#endif /* _KERNEL */
#endif /* _NETINET6_IN6_IFATTACH_H_ */
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index d57c71ab719..ef84483a267 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_input.c,v 1.218 2019/08/06 22:57:55 bluhm Exp $ */
+/* $OpenBSD: ip6_input.c,v 1.219 2019/08/21 15:32:18 florian Exp $ */
/* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
/*
@@ -1332,7 +1332,6 @@ ip6_sysctl_ip6stat(void *oldp, size_t *oldlenp, void *newp)
int
ip6_sysctl_soiikey(void *oldp, size_t *oldlenp, void *newp, size_t newlen)
{
- struct ifnet *ifp;
uint8_t oldkey[IP6_SOIIKEY_LEN];
int error;
@@ -1345,16 +1344,6 @@ ip6_sysctl_soiikey(void *oldp, size_t *oldlenp, void *newp, size_t newlen)
error = sysctl_struct(oldp, oldlenp, newp, newlen, ip6_soiikey,
sizeof(ip6_soiikey));
- if (!error && memcmp(ip6_soiikey, oldkey, sizeof(oldkey)) != 0) {
- TAILQ_FOREACH(ifp, &ifnet, if_list) {
- if (ifp->if_flags & IFF_LOOPBACK)
- continue;
- NET_LOCK();
- in6_soiiupdate(ifp);
- NET_UNLOCK();
- }
- }
-
return (error);
}
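Review bot: With the memcmp() against `oldkey` removed, the `oldkey` buffer declared in the previous hunk appears to have no remaining reader; if the copy into it that precedes this hunk is still present, it is now a dead stack copy of the SOII secret. Either drop `oldkey` and that copy, or at least add `explicit_bzero(oldkey, sizeof(oldkey));` before `return (error);` so the key does not linger on the stack. It is also worth confirming that the read path (oldp != NULL) is still privilege-gated above this hunk, since sysctl_struct() hands the key back to the caller; that check, and the function's start, are outside the hunk.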