search

rootless-containers / slirp4netns

User-mode networking for unprivileged network namespaces
GNU General Public License v2.0
729 stars 82 forks source link

IPv6: hardcoded address `fd00::2` violates RFC 4193 #259

Open AkihiroSuda opened 3 years ago

AkihiroSuda commented 3 years ago

https://github.com/rootless-containers/slirp4netns/blob/v1.1.9/slirp4netns.1.md

Default configuration:

* MTU:               1500
* CIDR:              10.0.2.0/24
* Gateway/Host:      10.0.2.2    (network address + 2)
* DNS:               10.0.2.3    (network address + 3)
* IPv6 CIDR:         fd00::/64
* IPv6 Gateway/Host: fd00::2
* IPv6 DNS:          fd00::3

According to RFC 4193, the addresses in fd00::/8 seems to need to be random

https://tools.ietf.org/html/rfc4193 https://networkengineering.stackexchange.com/questions/30128/ipv6-ula-vs-link-local

(slirp4netns --enable-ipv6 is still experimental and we can have breaking changes)

AkihiroSuda commented 3 years ago

@giuseppe Could you take a look? What should we do with this?

giuseppe commented 3 years ago

is it really a risk for slirp4netns though? IPv6 is not routed so there is not really risk of collisions, or do you think we should just pick a random IP to honor the RFC? I am fine if we go this way (and if any problem arises users of slirp4netns can force the IP addr)

AkihiroSuda commented 3 years ago

I think honoring RFC is not necessarily, but probably we will eventually need to support specifying random addr. Not an urgent task.

Luap99 commented 3 years ago

I think it should pick a random one. For users who want a fixed subnet, a --cidr6 option should be added.

AkihiroSuda commented 3 years ago

@pfandl @Luap99 Anybody of you interested in opening a PR?

Luap99 commented 3 years ago

If I can find some time, sure, but probably not in the next few weeks.

pfandl commented 3 years ago

@AkihiroSuda do you want just commit https://github.com/pfandl/slirp4netns/commit/8cc216fb954d31d86dd1293faa578c6ad301e22d ?

AkihiroSuda commented 3 years ago

Thanks @pfandl for working on this!

pfandl commented 3 years ago

Thanks @pfandl for working on this!

* For compatibility, can we keep the current wrong behavior by default, and opt-in to the correct behavior with a new flag like `--ipv6-random`? I guess this will help Podman to support older version of slirp4netns and the new version simultaneously (cc @rhatdan)

yes

* Could you update the man page?

yes

* Could you use `strncpy` family rather than `strcpy` family?

yes

  • Would it be possible to drop dependency on libcrypt?

Not too sure about that, I tried to mimic the sample code from the RFC It is not clear to me if this is just a recommendation (at step 4 to compute a SHA1 hash) rather than a requirement. If it is a requirement and somebody knows how to compute the hash without libcrypt i guess we can drop the library, yes.

Can we take the necessary bits from here? https://code.woboq.org/gcc/libiberty/sha1.c.html

Also @AkihiroSuda as stated here https://github.com/rootless-containers/slirp4netns/issues/253#issuecomment-821138795 I took the mac of the lo device, which is zero, do you have any idea what we should take instead? See step 2 from the RFC .

pfandl commented 3 years ago

@AkihiroSuda can we bump libslirp version? I am already using the hostx_fwd functions and we need a fix there for IPv6 forwarding anyway and I think it would be less work for me to bring all in at once?

AkihiroSuda commented 3 years ago

Yes.

Using #if directive is more preferable, but not necessary if it too much complicates the code.

https://github.com/rootless-containers/slirp4netns/blob/631f361d196b3d2bfb9bd903ba3a335f622f87d1/main.c#L379

AkihiroSuda commented 3 years ago

SHA1

Dependency on libcrypt is fine, as it should be available on all distros.

I took the mac of the lo device, which is zero, do you have any idea what we should take instead? See step 2 from the RFC .

Why not take the MAC of tap0? If the MAC cannot be take, we can just use /dev/urandom.

pfandl commented 3 years ago

I think #if will work, thanks for the info. I guess it should be ready coming weekend.

pfandl commented 2 years ago

@AkihiroSuda with man page, do you mean README.md?

AkihiroSuda commented 2 years ago

No, I mean this

https://github.com/rootless-containers/slirp4netns/blob/master/slirp4netns.1

Generated from https://github.com/rootless-containers/slirp4netns/blob/master/slirp4netns.1.md with make generate-man

lel-amri commented 1 year ago

I'm late to the party. I prefer slirp4netns to support the RFC.

Thanks for your work, @pfandl. Note that the sample code for generating random Global IDs is just a sample. The minimal requirement is for the number to be pseudo-random. I believe getrandom(2) should answer this need.

Here is the current PR for this issue: https://github.com/rootless-containers/slirp4netns/pull/276 (It seems that GitHub did not link them when the new PR was created)