author | Darren 'Tadgy' Austin <darren@afterdark.org.uk> | 2021-03-08 19:18:51 +0000 |
committer | Darren 'Tadgy' Austin <darren@afterdark.org.uk> | 2021-03-08 19:22:58 +0000 |
commit | 56ac0705da55800ce01e96d6a95433b90ab7f0bc (patch) | |
tree | cb6d13d6fc182bbac0e6bb9e1b7098c545e43e09 | |
parent | 9dca929b5f27a65c762ff3408a7a4c3d96a0bf4c (diff) | |
download | slacknetsetup-56ac0705da55800ce01e96d6a95433b90ab7f0bc.tar.xz |
Add SLAAC security and privacy options.
This patch adds some security and privacy enhancements to SLAAC configuration.
When SLAAC_PRIVIPGEN is "yes", address generation is enhanced with a secret
key for the interface set in SLAAC_SECRET. This prevents predictable
address generation.
When SLAAC_TEMPADDR is "yes", a temporary address is used with SLAAC.
Thanks to davjohn from LQ for the initial patches and help testing.
-rw-r--r-- | netconfig | 10 | ||||
-rw-r--r-- | rc.inet1 | 19 | ||||
-rw-r--r-- | rc.inet1.conf | 10 |
3 files changed, 37 insertions, 2 deletions
@@ -232,6 +232,16 @@ GATEWAY6="$GATEWAY6"
 #SLAAC_TIMEOUT[4]="15" # The default timeout for auto configuration to
 # wait for the interface to come up is 15 sec.
 # Increase the timeout if required.
+#SLAAC_PRIVIPGEN[4]="yes" # When assigning addresses via SLAAC, use the
+ # 'private' (RFC7217) address generation method.
+ # It is advisable to also set SLAAC_SECRET[x].
+#SLAAC_SECRET[4]="xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx"
+ # When SLAAC_PRIVIPGEN[x]="yes" is set, this is
+ # the secret to be used. This must be in the
+ # form of an IPv6 address. When left unset, a
+ # random secret is used (this is the default).
+#SLAAC_TEMPADDR[4]="yes" # Use a temporary address with SLAAC to enhance
+ # security.
 #USE_RA[4]="yes" # Accept router advertisements even when SLAAC
 # is disabled on the interface.
 #WLAN_ESSID[4]="DARKSTAR" # An example of how you can override _any_
@@ -329,6 +329,18 @@ if_up() {
 IF_UP=0
 if [ -e /proc/sys/net/ipv6 ] && [ "${USE_DHCP6[$i]}" != "yes" ] && [ "${USE_SLAAC[$i]}" = "yes" ]; then # configure via SLAAC
 info_log "${1}: enabling SLAAC"
+ if [ "${SLAAC_PRIVIPGEN[$i]}" = "yes" ]; then
+ if [ -n "${SLAAC_SECRET[$i]}" ]; then
+ echo "${SLAAC_SECRET[$i]}" >/proc/sys/net/ipv6/conf/${1}/stable_secret
+ echo "2" >/proc/sys/net/ipv6/conf/${1}/addr_gen_mode
+ else
+ echo -n >/proc/sys/net/ipv6/conf/${1}/stable_secret
+ echo "3" >/proc/sys/net/ipv6/conf/${1}/addr_gen_mode
+ fi
+ fi
+ if [ "${SLAAC_TEMPADDR[$i]}" = "yes" ]; then
+ echo "2" >/proc/sys/net/ipv6/conf/${1}/use_tempaddr
+ fi
 # Enable accepting of RA packets, unless explicitly configured not to:
 if [ "${USE_RA[$i]}" = "no" ]; then
 debug_log "${1}: ignoring IPv6 RA"
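Review bot: The SLAAC_SECRET[4] comment block should say that the value has to stay private: it is the RFC 7217 secret key, and the interface's addresses are only unpredictable while that key is unknown to others, so a world-readable rc.inet1.conf would undo what SLAAC_PRIVIPGEN is meant to provide (the kernel exposes the matching stable_secret sysctl root-only for the same reason). A line such as `# Keep this file unreadable by other users when a secret is set.` after the "form of an IPv6 address" line would cover it. The closing "(this is the default)" is also ambiguous, since every line in this block is commented out and the kernel's own default is EUI-64 generation; `# random secret is used when SLAAC_PRIVIPGEN[x]="yes".` reads more precisely. The same comment block is repeated in the rc.inet1.conf hunk (@@ -198,6 +198,16 @@) and both copies should be changed together.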
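Review bot: The two sysctl writes in the SLAAC_SECRET branch are unchecked, so a SLAAC_SECRET that the kernel rejects (it has to parse as an IPv6 address) still leaves addr_gen_mode set to 2, putting the interface in stable-privacy mode with whatever secret was there before, and the only trace is a shell redirection error on the console. Testing the stable_secret write and reporting through info_log makes the outcome explicit; the version below falls back to the random-secret branch on failure so the mode/secret pairing stays consistent, though logging and continuing would also be defensible — the choice should just be deliberate. The empty write to stable_secret in the else branch appears not to be something the kernel accepts (the value is parsed as an address), so that line likely only prints an I/O error and the previous secret stays in place; mode 3 presumably generates its own random secret, so redirecting its stderr or dropping the line is worth considering. addr_gen_mode presumably only influences addresses generated from this point on, so if the link is already up when this block runs the new mode would not apply until the next down/up — confirm against the rest of if_up, which continues outside the hunk.
```shell
# … unchanged: info_log "${1}: enabling SLAAC" …
if [ "${SLAAC_PRIVIPGEN[$i]}" = "yes" ]; then
  if [ -n "${SLAAC_SECRET[$i]}" ] && \
     echo "${SLAAC_SECRET[$i]}" >/proc/sys/net/ipv6/conf/${1}/stable_secret 2>/dev/null; then
    echo "2" >/proc/sys/net/ipv6/conf/${1}/addr_gen_mode
  else
    [ -n "${SLAAC_SECRET[$i]}" ] && info_log "${1}: SLAAC_SECRET rejected by kernel, using a random secret"
    echo "3" >/proc/sys/net/ipv6/conf/${1}/addr_gen_mode
  fi
fi
# … unchanged: SLAAC_TEMPADDR handling and RA acceptance …
```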
@@ -549,11 +561,14 @@ if_down() {
 # Bring the interface down:
 debug_log "/sbin/ip link set dev ${1} down"
 /sbin/ip link set dev ${1} down
- # Reset autoconf and accept_ra back to defaults:
+ # Reset everything back to defaults:
 if [ -e /proc/sys/net/ipv6 ]; then
- debug_log "${1}: resetting IPv6 autoconf and RA to defaults"
+ debug_log "${1}: resetting IPv6 configuration to defaults"
 cat /proc/sys/net/ipv6/conf/default/autoconf >/proc/sys/net/ipv6/conf/${1}/autoconf
 cat /proc/sys/net/ipv6/conf/default/accept_ra >/proc/sys/net/ipv6/conf/${1}/accept_ra
+ cat /proc/sys/net/ipv6/conf/defailt/use_tempaddr >/proc/sys/net/ipv6/conf/${1}/use_tempaddr
+ cat /proc/sys/net/ipv6/conf/default/addr_gen_mode >/proc/sys/net/ipv6/conf/${1}/addr_gen_mode
+ echo -n >/proc/sys/net/ipv6/conf/${1}/stable_secret
 fi
 # If the interface is a bridge, then destroy it now:
 [ -n "${BRNICS[$i]}" ] && br_close $i
diff --git a/rc.inet1.conf b/rc.inet1.conf
index 26ef87e..e952498 100644
--- a/rc.inet1.conf
+++ b/rc.inet1.conf
@@ -198,6 +198,16 @@ GATEWAY6=""
 #SLAAC_TIMEOUT[4]="15" # The default timeout for auto configuration to
 # wait for the interface to come up is 15 sec.
 # Increase the timeout if required.
+#SLAAC_PRIVIPGEN[4]="yes" # When assigning addresses via SLAAC, use the
+ # 'private' (RFC7217) address generation method.
+ # It is advisable to also set SLAAC_SECRET[x].
+#SLAAC_SECRET[4]="xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx"
+ # When SLAAC_PRIVIPGEN[x]="yes" is set, this is
+ # the secret to be used. This must be in the
+ # form of an IPv6 address. When left unset, a
+ # random secret is used (this is the default).
+#SLAAC_TEMPADDR[4]="yes" # Use a temporary address with SLAAC to enhance
+ # security.
 #USE_RA[4]="yes" # Accept router advertisements even when SLAAC
 # is disabled on the interface.
 #WLAN_ESSID[4]="DARKSTAR" # An example of how you can override _any_
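Review bot: The new use_tempaddr reset line reads from `/proc/sys/net/ipv6/conf/defailt/use_tempaddr`, a path that does not exist, so cat fails on every interface shutdown and use_tempaddr is never restored — the shell opens the destination but nothing is written, leaving the temporary-address setting from the previous if_up in force. The line should read `cat /proc/sys/net/ipv6/conf/default/use_tempaddr >/proc/sys/net/ipv6/conf/${1}/use_tempaddr`. The empty write to stable_secret on the next added line is the same operation as in the if_up hunk and the kernel appears to refuse it (the value has to parse as an IPv6 address), so it likely only prints an I/O error each time the interface goes down without clearing the secret; resetting addr_gen_mode to the default alone is what actually takes the interface out of stable-privacy mode, so consider dropping that line or at least adding `2>/dev/null`. if_down continues outside the hunk.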