| author | Florian Obser <florian@cvs.openbsd.org> | 2019-08-21 15:32:19 +0000 |
|---|---|---|
| committer | Florian Obser <florian@cvs.openbsd.org> | 2019-08-21 15:32:19 +0000 |
| commit | 4f74f46798e48f16726d9230265d67293e730884 | |
| tree | f19c406f7482fd420f854dbe3d629ea932105a6f /lib | |
| parent | 6d4e88aea540b4a0a08d29e59e8e14ba092b9201 | |
Remove support for semantically opaque interface identifiers (RFC 7217)
for IPv6 link local addresses.
Some hosting and VM providers route customer IPv6 prefixes to link
local addresses derived from ethernet MAC addresses (RFC 2464). This
leads to hard to debug IPv6 connectivity problems and is probably not
worth the effort.
RFC 7721 lists 4 weaknesses:
3.1. Correlation of Activities over Time & 3.2. Location Tracking
These are still possible with RFC 7217 addresses for an adversary
connected to the same layer 2 network (think conference wifi). Since
the link local prefix stays the same (fe80::/64) the link local
addresses do not change between different networks.
An adversary on the same layer 2 network can probably track ethernet
MAC addresses via different means, too.
3.3. Address Scanning & 3.4. Device-Specific Vulnerability Exploitation
These now become possible, however, as noted above a layer 2 adversary
was probably able to do this via different means.
People concerned with these weaknesses are advised to use
ifconfig lladdr random.
OK benno
input & OK kn
Diffstat (limited to 'lib')

-rw-r--r-- lib/libc/sys/sysctl.2 | 6
1 file changed, 3 insertions, 3 deletions
diff --git a/lib/libc/sys/sysctl.2 b/lib/libc/sys/sysctl.2 index e12b8a3334a..28b96858f45 100644 --- a/lib/libc/sys/sysctl.2 +++ b/lib/libc/sys/sysctl.2 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sysctl.2,v 1.29 2019/08/11 16:04:23 denis Exp $ +.\" $OpenBSD: sysctl.2,v 1.30 2019/08/21 15:32:18 florian Exp $ .\" .\" Copyright (c) 1993 .\" The Regents of the University of California. All rights reserved. @@ -27,7 +27,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd $Mdocdate: August 11 2019 $ +.Dd $Mdocdate: August 21 2019 $ .Dt SYSCTL 2 .Os .Sh NAME @@ -1942,7 +1942,7 @@ and should normally be enabled on all systems. .It Li ip6.soii Pq Va net.inet6.ip6.soiikey This variable configures the secret key for the RFC 7217 algorithm to calculate a persistent Semantically Opaque Interface Identifier (SOII) -for IPv6 link local and Stateless Address Autoconfiguration (SLAAC) addresses. +for IPv6 Stateless Address Autoconfiguration (SLAAC) addresses. .Pp .It Li ip6.use_deprecated Pq Va net.inet6.ip6.use_deprecated This variable controls the use of deprecated addresses, specified in |
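Review bot: in the hunk at line 1942, dropping "link local" from the ip6.soiikey description correctly narrows the key's scope to SLAAC addresses, but the manual page now says nothing about what link local addresses are derived from instead, nor how an administrator who cares about the RFC 7721 weaknesses listed in the commit message can opt out. Since the commit message itself recommends `ifconfig lladdr random`, consider adding a sentence to that effect with an ifconfig(8) cross-reference so the mitigation is discoverable from the sysctl documentation. Unrelated to this change but visible in the same context: the label `.It Li ip6.soii` does not match the variable name `Va net.inet6.ip6.soiikey` on the same line; if that is unintentional it could be fixed while this entry is being edited.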