Re: PATCH to mark IPv6 addresses DETACHED when down or link down

[Roy Marples <roy%marples.name@localhost>]

On 24/08/2016 12:51, Matthew Mondor wrote:
> On Mon, 22 Aug 2016 15:35:04 +0100
> Roy Marples <roy%marples.name@localhost> wrote:
> 
>> We don't allow to bind to duplicated addresses for very good reasons.
>> We currently don't allow you to bind to detached or tentative
>> addresses because, just like the duplicate address, it cannot be
>> currently used.
> 
> This was out of the scope of my situation, but this also means that
> because another system pretends to have an identical address on the
> network, this could result in an effective DoS preventing a legitimate
> daemon to bind(2) at startup?

I should point out that no IPv6 stack I know of currently allows you to
bind to a duplicate address.

In all of these cases, we might allow bind(2) to work, but sending any
data from an address marked tentative, detached or duplicated would
result in EADDRNOTAVAIL still. I'm currently working on a patch for this.

>> 2) Keep the current contract where a successful bind call guarantees
>> the address is currently usable. This means implementing one of the
>> above flags and patching daemons - something which is happening
>> outside of NetBSD anyway.
> 
> Wouldn't it be a special OS-specific sockoption?  Meaning that most
> daemons would simply expect standard behaviour and remain unpatched
> unless we fixed them ourselves? (and as a result, fail to bind at
> startup on disconnected devices).

While the socket options are indeed OS specific, the patches I've seen
are quite general and are like this

#ifdef IP_BINDANY
int one = 1;
setsockopt(s, IP_PROTOIP, IP_BINDANY, &one);
#endif

Roy