[ipv6hackers] Looking for feedback on subjective top list of IPv6 security issues

Jim Small jim.small at cdw.com
Sun Mar 17 23:05:14 CET 2013

Hi Karl,

You got me curious.  I set up Ubuntu Desktop 12.10.  On that release (fully patched), the default prefix policy table doesn't implement RFC 6724:
root@ubuntu12:~# ip addrlabel show
prefix ::1/128 label 0 
prefix ::/96 label 3 
prefix ::ffff: label 4 
prefix 2001::/32 label 6 
prefix 2001:10::/28 label 7 
prefix 2002::/16 label 2 
prefix fc00::/7 label 5 
prefix ::/0 label 1 

A 6724 compliant prefix policy table would be:
Prefix          Precedence  Label
::1/128         50          0
::/0            40          1
::ffff:0:0/96   35          4
2002::/16       30          2
2001::/32       5           5
fc00::/7        3           13
::/96           1           3
fec0::/10       1           11
3ffe::/16       1           12

Reviewing gai.conf I only see references to 3484:
root@ubuntu12:~# grep RFC /etc/gai.conf
# RFC 3484 governs the sorting.  But the RFC also says that system
#    Add another rule to the RFC 3484 label table.  See section 2.1 in
#    RFC 3484.  The default is:
#    This default differs from the tables given in RFC 3484 by handling
#    Add another rule to the RFC 3484 precedence table.  See section 2.1
#    and 10.3 in RFC 3484.  The RFC requires:
#    Add another rule to the RFC 3484 scope table for IPv4 addresses.
#    The definitions in RFC 3484 are equivalent to:

Most of the best Google hits found your blogs on the matter.  :-)  However, I thought I found something about a commit in the Linux kernel for 6724 support, but of course now I can't find it.

Also, how do you view precedence for the Linux prefix policy table?  The command "ip addr showlabel" only shows the prefixes and labels but not the precedence.  As you can see from the 6724 list, precedence is quite important.  The only great articles I've found about Linux prefix policies are these:

He mentions gai.conf but I'm still not completely clear on how updating this works.  Do you have to reboot for the system to use an updated version?  There's the reload option in gai.conf but per the man pages and common sense it seems undesirable.  I'm not clear what examines gai.conf when the system reloads either.  You can do some modifications with ip addrlabel but that doesn't let you set precedence.
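
Added example, not part of the message above or of any project's code: a Python sketch that parses `ip addrlabel show` output and lists where its labels depart from the RFC 6724 table quoted in the post. The sample output is copied from the post, including its truncated `::ffff:` line; the function names are made up for illustration.

```python
import ipaddress

# RFC 6724 policy table as listed in the post: prefix -> (precedence, label)
RFC6724 = {
    "::1/128": (50, 0), "::/0": (40, 1), "::ffff:0:0/96": (35, 4),
    "2002::/16": (30, 2), "2001::/32": (5, 5), "fc00::/7": (3, 13),
    "::/96": (1, 3), "fec0::/10": (1, 11), "3ffe::/16": (1, 12),
}

# Output as it appears in the post; the ::ffff: line is truncated there.
SAMPLE = """\
prefix ::1/128 label 0
prefix ::/96 label 3
prefix ::ffff: label 4
prefix 2001::/32 label 6
prefix 2001:10::/28 label 7
prefix 2002::/16 label 2
prefix fc00::/7 label 5
prefix ::/0 label 1
"""

def parse_addrlabel(text):
    """Return ({network: label}, [lines that could not be parsed])."""
    table, bad = {}, []
    for line in filter(str.strip, text.splitlines()):
        f = line.split()
        try:
            net = ipaddress.ip_network(f[f.index("prefix") + 1])
            table[net] = int(f[f.index("label") + 1])
        except (ValueError, IndexError):
            bad.append(line.strip())
    return table, bad

def compare(current):
    """Label differences only: `ip addrlabel` output carries no precedence."""
    out, want = [], set()
    for prefix, (_, label) in RFC6724.items():
        net = ipaddress.ip_network(prefix)
        want.add(net)
        if net not in current:
            out.append(f"missing {prefix} (RFC 6724 label {label})")
        elif current[net] != label:
            out.append(f"{prefix}: label {current[net]}, RFC 6724 has {label}")
    out += [f"extra {n} label {l}" for n, l in current.items() if n not in want]
    return out

if __name__ == "__main__":
    table, bad = parse_addrlabel(SAMPLE)
    print(*compare(table), *[f"unparsed: {b}" for b in bad], sep="\n")
```

Because the truncated line cannot be parsed, `::ffff:0:0/96` is reported as missing as well as unparsed; on a live system, feed the real command output to `parse_addrlabel` instead of `SAMPLE`.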

