bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-19 01:49 UTC
[Bug 2606] New: IPv6 bind address vs autoconfiguration privacy
https://bugzilla.mindrot.org/show_bug.cgi?id=2606
Bug ID: 2606
Summary: IPv6 bind address vs autoconfiguration privacy
Product: Portable OpenSSH
Version: -current
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: djm at mindrot.org
from
https://github.com/wertarbyte/openssh-portable/commit/028bb9a90bef340f3afe0fca35cb747ac9e634a2

add config option to select the type of IPv6 address

When using IPv6 autoconfiguration, the IP address is deduced using the unique hardware address of the network card and the announced network prefix. Since this might lead to privacy issues, most operating systems generate pseudo-random addresses that are rotated in regular intervals.

This can be a problem for long-running connections if an address is invalidated while still in use - the connection "hangs". Even though expired addresses are usually retained for a long timeframe to prevent this, accidental dis- and reconnection (e.g. when using a wireless network) flushes the list of previously used addresses.

By setting appropriate socket options, the kernel can be instructed to use the public (and static) source address for the outgoing connection. This change implements this functionality for SSH, adding a configuration option "Ipv6BindPref" that can be set to "pub(lic)", "t(e)mp" or just "none" (which is the default), indicating the preference for the address to be used.
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching the reporter of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-19 01:51 UTC
[Bug 2606] IPv6 bind address vs autoconfiguration privacy
https://bugzilla.mindrot.org/show_bug.cgi?id=2606

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Created attachment 2862
--> https://bugzilla.mindrot.org/attachment.cgi?id=2862&action=edit
reuse BindAddress for this functionality

The aforementioned git branch has a patch that adds an Ipv6BindPref option to ssh(1). IMO this is overkill and it would be better to support this by reusing BindAddress. This patch attempts this, but I'm unable to test it because my Linux system lacks this sockopt.
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-22 19:59 UTC
[Bug 2606] IPv6 bind address vs autoconfiguration privacy
https://bugzilla.mindrot.org/show_bug.cgi?id=2606
Stefan Tomanek <stefan.tomanek-mindrot at wertarbyte.de> changed:
What                |Removed |Added
----------------------------------------------------------------------------
Attachment #2862    |0       |1
is obsolete         |        |
CC                  |        |stefan.tomanek-mindrot at wertarbyte.de
--- Comment #2 from Stefan Tomanek <stefan.tomanek-mindrot at wertarbyte.de> ---
Created attachment 2863
--> https://bugzilla.mindrot.org/attachment.cgi?id=2863&action=edit
extend BindAddress option to select the type of IPv6 src address

I made a few tweaks to the patch(es) and separated the socket manipulation from the command line parsing code - so someone fluent in *BSD or *x can add this functionality easily for those platforms.

Source address types are now selected by prefixing the keywords "pub(lic)" and "t(e)mp" with a percentage sign - so this will not collide with hostnames.
github reference:
https://github.com/wertarbyte/openssh-portable/compare/master...bindaddress_ipv6_pref
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-23 00:40 UTC
[Bug 2606] IPv6 bind address vs autoconfiguration privacy
https://bugzilla.mindrot.org/show_bug.cgi?id=2606
Damien Miller <djm at mindrot.org> changed:
What                |Removed |Added
----------------------------------------------------------------------------
Attachment #2863    |0       |1
is obsolete         |        |
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Created attachment 2865
--> https://bugzilla.mindrot.org/attachment.cgi?id=2865&action=edit
revised patch
Include correct header. Support a couple more aliases for BindAddress.
After reading more about the sockopt, I'm a bit more ambivalent about
this. The IPV6_ADDR_PREFERENCES option originated from RFC5014[1],
which is an Informational RFC. So far only Linux supports it, but the
option isn't exposed in glibc headers - you have to include the kernel
linux/in6.h header directly. It doesn't seem to be documented in any of
the socket manpages either.
IMO it might be a bit soon for OpenSSH to implement this.
[1] https://tools.ietf.org/html/rfc5014
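The BindAddress keyword handling from comment #2 and the Linux-only IPV6_ADDR_PREFERENCES sockopt from comment #3, as an added illustration that is not OpenSSH code nor either attached patch. The option number and flag values are those of the Linux kernel's linux/in6.h (RFC 5014 semantics); because glibc's headers do not expose them, they are redefined here under #ifndef guards, and the keyword names and helper function names are the example's own choice.

```c
/* Added example, not OpenSSH's own code. Maps a BindAddress-style keyword
 * ("%public"/"%pub", "%temp"/"%tmp") to the RFC 5014 source-address
 * preference and applies it with setsockopt(). The option number and flag
 * values are those of Linux's linux/in6.h; they are redefined here under
 * #ifndef guards because glibc's <netinet/in.h> does not expose them. */
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

#ifndef IPV6_ADDR_PREFERENCES
#define IPV6_ADDR_PREFERENCES   72      /* sockopt number (Linux only) */
#endif
#ifndef IPV6_PREFER_SRC_TMP
#define IPV6_PREFER_SRC_TMP     0x0001  /* prefer temporary (privacy) address */
#endif
#ifndef IPV6_PREFER_SRC_PUBLIC
#define IPV6_PREFER_SRC_PUBLIC  0x0002  /* prefer public (stable) address */
#endif

/* Returns the IPV6_PREFER_SRC_* flag for a keyword, 0 when the value is a
 * plain hostname/address (no '%' prefix), or -1 for an unknown keyword.
 * The '%' prefix keeps the keywords from colliding with real hostnames. */
int bindaddress_src_pref(const char *value)
{
    if (value == NULL || value[0] != '%')
        return 0;
    value++;
    if (strcmp(value, "pub") == 0 || strcmp(value, "public") == 0)
        return IPV6_PREFER_SRC_PUBLIC;
    if (strcmp(value, "tmp") == 0 || strcmp(value, "temp") == 0)
        return IPV6_PREFER_SRC_TMP;
    return -1;
}

/* Apply the preference to an AF_INET6 socket before connect(). Returns 0 on
 * success or the errno from setsockopt(); ENOPROTOOPT means the kernel does
 * not implement the option, which is what to expect outside Linux. */
int apply_src_pref(int sock, int flags)
{
    if (flags <= 0)
        return flags == 0 ? 0 : EINVAL;
    if (setsockopt(sock, IPPROTO_IPV6, IPV6_ADDR_PREFERENCES,
                   &flags, sizeof(flags)) == -1)
        return errno;
    return 0;
}
```

A caller would check the return of apply_src_pref() and log ENOPROTOOPT as "not supported on this platform" rather than failing the connection outright.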
bugzilla-daemon at bugzilla.mindrot.org
2019-Jul-19 04:55 UTC
[Bug 2606] IPv6 bind address vs autoconfiguration privacy
https://bugzilla.mindrot.org/show_bug.cgi?id=2606
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at dtucker.net
--- Comment #4 from Darren Tucker <dtucker at dtucker.net> ---
OS X High Sierra has the following which might be related in
/usr/include/netinet6/in6.h:
/* int; prefer temporary addresses as the source address. */
#define IPV6_PREFER_TEMPADDR 63
bugzilla-daemon at mindrot.org
2020-May-02 09:31 UTC
[Bug 2606] IPv6 bind address vs autoconfiguration privacy
https://bugzilla.mindrot.org/show_bug.cgi?id=2606
martin ? <bugzilla.mindrot.org at pobox.madduck.net> changed:
What                |Removed |Added
----------------------------------------------------------------------------
CC                  |        |bugzilla.mindrot.org at pobox.madduck.net
--- Comment #5 from martin ? <bugzilla.mindrot.org at pobox.madduck.net> ---
What is the status of this patch? Can I do something to help its
acceptance?