Brandon Applegate
2017-Aug-28 18:18 UTC
Feature request - Control of IPv6 source address selection
Hello,

Disclaimer: Apologies if this has been covered on this list before. From my google searches - I haven't seen it (i.e. a thread on this list archive).

I'd love for there to be a config option to control IPv6 source address selection - specifically temp/privacy vs. non.

The issue that I (and others over the years) see is that when there is a long lived ssh connection (i.e. days or > 1 week) - if this connection was sourced from a temp/privacy address - the socket will get killed when this address finally expires and falls off the interface. Being able to turn a knob and get client connections initiated from a non-privacy address would be great.

There have been some bug reports in downstream projects over time:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859270
https://bugzilla.redhat.com/show_bug.cgi?id=512032

The RedHat bug even has some patches submitted - albeit on very old source at this point. I do think there is good discussion in these - especially the RedHat bug.

Beyond implementing it - the one thing that springs to my mind that might be a point of discussion would be what the default is - i.e. source from privacy or source from "public". My (selfish) opinion would be to default from public (to allow long lived connections by default). However, defaulting to using privacy addresses ensures that users who aren't even aware of this knob would still enjoy the benefits of privacy addresses.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint: 0641 D285 A36F 533A 73E5 2541 4920 533C C616 703A
"For thousands of years men dreamed of pacts with demons. Only now are such things possible."
Darren Tucker
2017-Aug-29 00:32 UTC
Feature request - Control of IPv6 source address selection
On 29 August 2017 at 04:18, Brandon Applegate <brandon at burn.net> wrote:
> I'd love for there to be a config option to control IPv6 source address
> selection - specifically temp/privacy vs. non.

Can you use BindAddress [static_ipv6_address] in ~/.ssh/config? Failing that you can use ProxyCommand to implement whatever behaviour you want.

> The issue that I (and others over the years) see is that when there is a
> long lived ssh connection (i.e. days or > 1 week) - if this connection was
> sourced from a temp/privacy address - the socket will get killed when this
> address finally expires and falls off the interface. Being able to turn a
> knob and get client connections initiated from a non-privacy address would
> be great.
>
> There have been some bug reports in downstream projects over time:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859270
> https://bugzilla.redhat.com/show_bug.cgi?id=512032

The interface from RFC5014 doesn't seem to be widely supported (Linux was the only implementation I could find in a brief search).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
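The RFC 5014 interface Darren mentions, and the knob Brandon asks for, come down to one socket option set before connect(). The following is an added example written for this archive page; it is not OpenSSH code and not part of either message. It assumes a Linux kernel (the only implementation Darren found), uses the Linux constant values from linux/in6.h as fallbacks in case the libc headers do not define them, and the keyword names "public"/"temporary" are a hypothetical config spelling, not an existing ssh_config option.

```c
/* Added example: pick the IPv6 source address class (temporary/privacy vs
 * public) with the RFC 5014 socket option IPV6_ADDR_PREFERENCES.
 * Not OpenSSH code. Assumes Linux; constants below are Linux values. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IPV6_ADDR_PREFERENCES
#define IPV6_ADDR_PREFERENCES 72      /* Linux value, from linux/in6.h */
#endif
#ifndef IPV6_PREFER_SRC_TMP
#define IPV6_PREFER_SRC_TMP 0x0001    /* prefer a temporary (privacy) address */
#endif
#ifndef IPV6_PREFER_SRC_PUBLIC
#define IPV6_PREFER_SRC_PUBLIC 0x0002 /* prefer a stable/public address */
#endif

/* Map a hypothetical config keyword to the RFC 5014 flag.
 * Returns 0 for an unknown keyword (caller treats that as "no preference"). */
int pref_from_keyword(const char *kw)
{
    if (strcmp(kw, "public") == 0)
        return IPV6_PREFER_SRC_PUBLIC;
    if (strcmp(kw, "temporary") == 0)
        return IPV6_PREFER_SRC_TMP;
    return 0;
}

/* Apply the preference to an AF_INET6 socket before connect().
 * Returns 0 on success, -1 with errno set on failure: ENOPROTOOPT on a
 * kernel or libc without RFC 5014 support (the "not widely supported" case
 * in the reply), EINVAL for conflicting flags, EBADF for a bad descriptor. */
int set_src_preference(int fd, int pref)
{
    return setsockopt(fd, IPPROTO_IPV6, IPV6_ADDR_PREFERENCES,
                      &pref, sizeof(pref));
}

/* Read back what the kernel stored so the caller can confirm the option
 * took effect. Returns the flag value, or -1 on error. */
int get_src_preference(int fd)
{
    int pref = 0;
    socklen_t len = sizeof(pref);
    if (getsockopt(fd, IPPROTO_IPV6, IPV6_ADDR_PREFERENCES, &pref, &len) < 0)
        return -1;
    return pref;
}

int main(void)
{
    int fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0) {
        perror("socket(AF_INET6)");
        return 1;
    }
    /* A long-lived session should not ride on an address that will expire,
     * so ask for a public source before connecting. */
    if (set_src_preference(fd, pref_from_keyword("public")) < 0)
        perror("setsockopt(IPV6_ADDR_PREFERENCES)");
    else
        printf("source preference now 0x%x\n", get_src_preference(fd));
    /* connect(fd, ...) would follow here; the kernel's source selection now
     * prefers a non-temporary address for this socket. */
    close(fd);
    return 0;
}
```

The fallback to an explicit error from setsockopt() is the practical check: on a platform without RFC 5014 the call fails with ENOPROTOOPT, which is when Darren's alternatives (BindAddress with a static IPv6 address, or a ProxyCommand that does its own binding) are the only options left.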