[ipv6hackers] Looking for feedback on subjective top list of IPv6 security issues

Karl Auer kauer at into6.com.au
Mon Mar 18 01:50:19 CET 2013


On Sun, 2013-03-17 at 22:05 +0000, Jim Small wrote:
> You got me curious.  I setup Ubuntu Desktop 12.10.  On that release
> (fully patched), the default prefix policy table doesn't implement RFC
> 6724:

It does mostly. The 6Bone and site-local stuff is missing, yes.
Different label values don't matter as long as they are all different,
different preference values only matter if they would order the prefixes
differently. It is extremely easy to change /etc/gai.conf so that it is
6724 compliant if you want that - just edit it with a text editor (but
see below).

> Most of the best Google hits found your blogs on the matter.

Aw, shucks :-)

> Also, how do you view precedence for the Linux prefix policy table?
> The command "ip addr showlabel" only shows the prefixes and labels but
> not the precedence.

I don't know, but you can literally just read /etc/gai.conf for the
precedences (see below for why). If you find a way to get the info
direct from the kernel, do tell us.

> He mentions gai.conf but I'm still not completely clear on how
> updating this works.  Do you have to reboot for the system to use an
> updated version?

No, you do NOT have to reboot the system, because rebooting the system
does precisely nothing as far as /etc/gai.conf and the precedence and
label tables are concerned :-)

It's a bit tricky; I do talk about it in my blog entry though
(http://biplane.com.au/blog/?p=122). 

Firstly, as far as I can tell, /etc/gai.conf is *completely ignored* as
far as label information is concerned. That is, it is not used at boot
time or any other time.

*Precedence* information is read out of /etc/gai.conf (if present) the
first time a process needs it, and thereafter it uses whatever it read
the first time. That is, it is per-process and isn't read at boot time
(except by processes that happen to run at boot time, of course).
Processes can be told not to cache the information by saying "reload
yes" in /etc/gai.conf. Since changes to /etc/gai.conf are going to be
rare - probably VERY rare - it makes sense not to worry too much about
this, and I strongly recommend you do NOT use the "reload" option,
because that will mean very frequent unnecessary file access just in
case, once in a blue moon, the file actually changes. If you have very
long-running processes, you should probably just restart them if you
change the precedences in /etc/gai.conf.

The script I provide in my blog entry allows /etc/gai.conf to be used
more as you would expect. The contents are picked up at boot time and
delivered to the kernel using the "ip" program, and you can re-run the
script whenever you need to manually update things.

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer                                          tel: +61-2-64957435
Into6                                              mob: +61-428-957160
www.into6.com.au        twitter.com/intosix        kauer at into6.com.au
GPG/PGP fingerprint: D8A4 A65A EE32 286F 1E36 55A4 0901 EEAF A785 1684
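The following is an added example, written for this archive page; it is not Karl Auer's script from the blog entry and not glibc code. It parses the `label` and `precedence` lines of a gai.conf-style file (the glibc syntax the message discusses), renders the label table as the `ip addrlabel add prefix ... label ...` commands that a boot script would run to push the labels into the kernel, and checks the label table against the RFC 6724 default policy table. Because, as the message says, only "same label or different label" matters, the check compares how prefixes are grouped rather than the numeric label values. The gai.conf text below is constructed for the demonstration: it uses glibc-style label numbering and, like the Ubuntu default described above, leaves out the 6Bone (`3ffe::/16`) and site-local (`fec0::/10`) entries, so the check has something to report. Commands are printed rather than executed, so it runs without root or the `ip` tool.

```shell
#!/bin/sh
# Added example (not Karl Auer's script, not glibc code): parse gai.conf
# label/precedence lines, emit "ip addrlabel" commands, compare with RFC 6724.

# Constructed sample gai.conf: glibc-style label numbers, 6Bone and
# site-local prefixes absent (as in the Ubuntu default discussed above).
SAMPLE_GAI_CONF='# constructed sample, not a real system file
reload no
label ::1/128        0
label ::/0           1
label 2002::/16      2
label ::/96          3
label ::ffff:0:0/96  4
label fc00::/7       6
label 2001::/32      7   # trailing comment, must be ignored
precedence ::1/128        50
precedence ::/0           40
precedence ::ffff:0:0/96  35
precedence 2002::/16      30
precedence 2001::/32      5
precedence fc00::/7       3
precedence ::/96          1'

# gai_table KIND: read gai.conf text on stdin, print "prefix value" pairs
# for KIND ("label" or "precedence"). '#' comments and blank lines are
# dropped; sub() on $0 makes awk re-split the fields afterwards.
gai_table() {
    awk -v kind="$1" '
        { sub(/#.*/, "") }
        $1 == kind && NF >= 3 { print $2, $3 }
    '
}

# gai_to_ip_commands: turn the label lines on stdin into the iproute2
# commands that would load them into the kernel (printed, not run).
gai_to_ip_commands() {
    gai_table label | while read -r prefix value; do
        printf 'ip addrlabel add prefix %s label %s\n' "$prefix" "$value"
    done
}

# RFC 6724 section 2.1 default policy table: prefix precedence label.
RFC6724_TABLE='::1/128 50 0
::/0 40 1
::ffff:0:0/96 35 4
2002::/16 30 2
2001::/32 5 5
fc00::/7 3 13
::/96 1 3
fec0::/10 1 11
3ffe::/16 1 12'

# gai_check_rfc6724: compare the label table on stdin with the RFC default.
# Prints one line per difference (missing/extra prefix, or two prefixes
# that the RFC puts in the same label group but the config does not, or
# vice versa). Returns 0 only when there are no differences.
gai_check_rfc6724() {
    {
        printf '%s\n' "$RFC6724_TABLE" | awk '{ print "rfc", $1, $3 }'
        gai_table label | awk '{ print "cfg", $1, $2 }'
    } | awk '
        $1 == "rfc" { rfc[$2] = $3; n++; order[n] = $2 }
        $1 == "cfg" { cfg[$2] = $3 }
        END {
            bad = 0
            for (p in rfc) if (!(p in cfg)) { print "missing:", p; bad = 1 }
            for (p in cfg) if (!(p in rfc)) { print "extra:", p; bad = 1 }
            # Only "same label as" relations matter for address selection,
            # so compare the grouping of shared prefixes, not the numbers.
            for (i = 1; i <= n; i++) for (j = i + 1; j <= n; j++) {
                a = order[i]; b = order[j]
                if (!(a in cfg) || !(b in cfg)) continue
                if ((rfc[a] == rfc[b]) != (cfg[a] == cfg[b])) {
                    print "grouping differs:", a, b; bad = 1
                }
            }
            exit bad
        }
    '
}

# Convenience wrappers over the constructed sample.
sample_labels()   { printf '%s\n' "$SAMPLE_GAI_CONF" | gai_table label; }
sample_commands() { printf '%s\n' "$SAMPLE_GAI_CONF" | gai_to_ip_commands; }
sample_check()    { printf '%s\n' "$SAMPLE_GAI_CONF" | gai_check_rfc6724; }

# Stand-alone run: show the generated commands, then the RFC 6724 report.
sample_commands
sample_check || echo "label table differs from RFC 6724 (see above)"
```

Against the constructed sample the check reports the two missing prefixes and nothing else, which matches the message's assessment of the Ubuntu default: the 6Bone and site-local entries are absent, and the remaining label numbers differ from the RFC's but still keep every prefix in its own group. To apply the generated commands for real, pipe the output through a shell as root; prefixes already present in the kernel table would need `ip addrlabel del` first.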



