network: make prefixstable mode of IPv6Token= can be applied any received prefixes #16618

Merged: keszybz merged 2 commits into systemd:master from yuwata:network-ipv6token-prefixstable on Sep 8, 2020
yuwata (Member) commented Jul 30, 2020

Closes #4625.

cc @ssahani and @kpfleming.

yuwata added the network label Jul 30, 2020
slyon added a commit to canonical/netplan that referenced this pull request Aug 28, 2020
…-mode

This is being implemented for any prefix in systemd PR#16618:
systemd/systemd#16618

SoapGentoo (Contributor) commented

@yuwata any chance of getting this merged?

slyon added a commit to canonical/netplan that referenced this pull request Aug 31, 2020
This allows to statically configure the IPv6 host ID (low 64 bits) when auto-generated IPv6 addressing is used (i.e. DHCPv6 stateless, SLAAC).

It introduces one new YAML key in the schema: ipv6-address-token-id.

Fixes LP: #1737976

Commits:
* Implement ipv6-address-token-id key (LP: #1737976)
* Add integration tests for ipv6-address-token-id
* networkd: update comment about stable-privacy ipv6-address-generation-mode
This is being implemented for any prefix in systemd PR#16618:
systemd/systemd#16618
* rename ipv6-address-token from ipv6-address-token-id
* avoid unrelated whitespace changes

Co-authored-by: Łukasz Zemczak <[email protected]>

yuwata force-pushed the network-ipv6token-prefixstable branch from 8eb101d to 4430c0d September 4, 2020 00:23
yuwata force-pushed the network-ipv6token-prefixstable branch from 4430c0d to 30040c8 September 7, 2020 16:56

keszybz (Member) left a comment

Looks nice, some minor comments.

with a colon (<literal>:</literal>). If an IPv6 address is specified, then an interface
identifier is generated only when a prefix received in an RA message matches the supplied
address.</para>
<para>If no address generation mode is specified (which is the default), or a receivd

Review comment (Member):

"received"

mode, then the EUI-64 algorithm will be used to form an interface identifier for that
prefix. This mode is also SLAAC, but with a potentially stable interface identifier which
does not directly map to the interface's hardware address.</para>
<para>Note that the <literal>prefixstable</literal> algorithm uses both the interface's

Review comment (Member):

"interface's name" → "interface name"

prefix. This mode is also SLAAC, but with a potentially stable interface identifier which
does not directly map to the interface's hardware address.</para>
<para>Note that the <literal>prefixstable</literal> algorithm uses both the interface's
name and MAC address in the hash used to compute the interface identifier, so if either of

Review comment (Member):

in the hash → as input to the hash

else {
if (*p == ':')
p++;
else

Review comment (Member):

Hmm, so if I specify "IPv6Token=prefixstableasdfasdfasdf" then it will be interpreted as "prefixstable". I think this needs to check that !*p here.

Reply (Contributor):

This does not a separate. It can be added there itself. Hence it is redundant.

yuwata force-pushed the network-ipv6token-prefixstable branch from 30040c8 to 68248f4 September 8, 2020 05:34

yuwata (Member, Author) commented Sep 8, 2020

@keszybz Thank you for the review. Updated. Now all your comments are addressed. Setting the green label.

yuwata added the good-to-merge/waiting-for-ci 👍 label and removed the good-to-merge/with-minor-suggestions label Sep 8, 2020

keszybz (Member) commented Sep 8, 2020

LGTM.

keszybz removed the good-to-merge/waiting-for-ci 👍 label Sep 8, 2020
keszybz merged commit a9aa8de into systemd:master Sep 8, 2020
yuwata deleted the network-ipv6token-prefixstable branch September 8, 2020 11:38

disich commented Nov 9, 2021

Trying to use systemd-249 and setting IPv6Token=prefixstable.
However, this address is not the same as what I get by directly setting addr_gen_mode=2 and then specifying stable_secret with sysctl. Additionally, 'ip addr show' does not report this address as stable-privacy. Is there a way for me to specify stable_secret while using systemd-networkd? Is there a way to retain the stable-privacy address as generated by the kernel?

yuwata (Member, Author) commented Nov 9, 2021

@disich I guess IPv6LinkLocalAddressGenerationMode=stable-privacy and IPv6StableSecretAddress= suffices what you want.

disich commented Nov 10, 2021

@yuwata
I am using these already but it only produces a stable-privacy link local address (fe80::) for me. The link local address using systemd-networkd is identical to what kernel generates by directly setting the parameters with sysctl.
However, for global address based on RA:
Looking into the systemd-249 code (my first attempt to understand this code), it appears /etc/machine-id is used.
Ref: networkd-ndisc.c in make_stableprivate_address:
r = sd_id128_get_machine_app_specific(NDISC_APP_ID, &secret_key);
Eventually sd_id128_get_machine reads /etc/machine-id.
Is this reading correct? Can we have an option that will generate global stable-privacy address as the kernel would?

yuwata (Member, Author) commented Nov 10, 2021

@disich Right. The IPv6Token=prefixstable does NOT mean the generated address is the same as the one by kernel.
The RFC allows to use arbitrary hash func to generate the address.

disich commented Nov 10, 2021

@yuwata: Thanks. Agree that it's not about RFC compliance. It's about how stable my machine-id will be if we migrate to another Linux distribution. We wanted to have the stable-privacy address to be constant even if we change distribution. So I was planning to hash the serial number of our embedded device (or something similar) and specify it as a stable-secret. A new enhancement in systemd-networkd which lets me specify stable secret for global ipv6 address would be an awesome enhancement.
In parallel, I will check how we can keep our machine-id constant even if we migrate distributions.

yuwata (Member, Author) commented Nov 10, 2021

@disich Yeah. As you can see, the address is generated with

  1. machine-ID
  2. interface name
  3. prefix
  4. (and internal counter)

So, keeping the same machine-ID and interface name should be basically enough when changing distribution.

disich commented Nov 12, 2021

@yuwata Appreciate you looking into. I think this is good for most but not for systems which deploy redundancy.
Our device is in a chassis with cards having 1:1 redundancy. Till now we only support eui64 so they get the same RA derived IP (they share same MAC but only Active brings up its network interface). However, they do not share the same machine-id. So this will cause them to get a different stable-privacy address.
Do you think the community may be willing to take up an enhancement to add a config file parameter where we can specify the stable_secret (instead of machine-id). Or provide an option where we can use this functionality from the kernel. Currently this is already allowed but only for link local address (using IPv6LinkLocalAddressGenerationMode).
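
Added illustration (not part of this thread and not networkd's code): an RFC 7217-style generator over the inputs listed above (machine-ID-derived secret, interface name, prefix, counter), showing why two redundant cards with different machine IDs end up with different global addresses. SHA-256 as the hash, the `APP_ID` constant, the secret derivation and the sample machine IDs are assumptions made for the example, so the addresses it prints will not match what networkd or the kernel produce.

```python
import hashlib
import hmac
import ipaddress

APP_ID = b"example-ndisc-app-id"  # constructed placeholder, not networkd's NDISC_APP_ID


def secret_from_machine_id(machine_id: str) -> bytes:
    """Hypothetical derivation of an app-specific secret from /etc/machine-id."""
    return hmac.new(bytes.fromhex(machine_id), APP_ID, hashlib.sha256).digest()


def is_reserved_iid(iid: int) -> bool:
    """RFC 5453: subnet-router anycast (all zero) and reserved subnet anycast range."""
    return iid == 0 or 0xFDFFFFFFFFFFFF80 <= iid <= 0xFDFFFFFFFFFFFFFF


def stable_address(prefix: str, ifname: str, secret: bytes, max_tries: int = 3):
    """RFC 7217 section 5 with Network_ID omitted: RID = F(Prefix, Net_Iface, DAD_Counter, secret_key)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix from the RA")
    for counter in range(max_tries):
        h = hashlib.sha256()  # stand-in for F(); the RFC leaves the hash open
        # Length-prefix every field so adjacent inputs cannot be shifted into each other.
        for field in (net.network_address.packed[:8], ifname.encode(),
                      counter.to_bytes(4, "big"), secret):
            h.update(len(field).to_bytes(2, "big") + field)
        iid = int.from_bytes(h.digest()[-8:], "big")  # low 64 bits of RID
        if not is_reserved_iid(iid):  # otherwise bump the counter and retry
            return ipaddress.IPv6Address(int(net.network_address) | iid)
    raise RuntimeError("no usable interface identifier found")


# Constructed sample data: two redundant cards that share interface name and prefix
# but have different machine IDs, as in the chassis scenario described above.
PREFIX = "2001:db8:1:2::/64"
CARD_A = secret_from_machine_id("0123456789abcdef0123456789abcdef")
CARD_B = secret_from_machine_id("fedcba9876543210fedcba9876543210")

if __name__ == "__main__":
    print("card A       :", stable_address(PREFIX, "eth0", CARD_A))
    print("card A again :", stable_address(PREFIX, "eth0", CARD_A))  # same as above
    print("card B       :", stable_address(PREFIX, "eth0", CARD_B))  # different machine ID
    print("card A, eth1 :", stable_address(PREFIX, "eth1", CARD_A))  # different ifname
```

Feeding both cards the same secret is the only way this construction gives them the same address, which is what a configurable stable secret would provide.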

yuwata (Member, Author) commented Nov 13, 2021

@disich Let's discuss at #21345.

tatokis added a commit to tatokis/netplan that referenced this pull request Jun 16, 2024
The relevant systemd pull request has long been merged, so add support
for IPv6Token=prefixstable in the networkd generator.

systemd/systemd#16618
tatokis added a commit to tatokis/netplan that referenced this pull request Jul 16, 2024
The relevant systemd pull request has long been merged, so add support
for IPv6Token=prefixstable in the networkd generator.

systemd/systemd#16618
slyon pushed a commit to canonical/netplan that referenced this pull request Jul 17, 2024
The relevant systemd pull request has long been merged, so add support
for IPv6Token=prefixstable in the networkd generator.

systemd/systemd#16618
Development

Successfully merging this pull request may close these issues.

Request support Semantically Opaque Interface Identifiers with IPv6 (SLAAC) RFC 7217