Bug 2606

Summary:

IPv6 bind address vs autoconfiguration privacy

Product:

Portable OpenSSH

Reporter:

Damien Miller <djm>

Component:

ssh

Assignee:

Assigned to nobody <unassigned-bugs>

Status:

NEW ---

Severity:

enhancement

CC:

bugzilla.mindrot.org, dtucker, stefan.tomanek-mindrot

Priority:

Version:

-current

Hardware:

Other

OS:

Linux

Attachments:

Description	Flags
reuse BindAddress for this functionality	none
extend BindAddress option to select the type of IPv6 src address	none
revised patch	none

Description Damien Miller 2016-08-19 11:49:13 AEST

from https://github.com/wertarbyte/openssh-portable/commit/028bb9a90bef340f3afe0fca35cb747ac9e634a2

add config option to select the type of IPv6 address
When using IPv6 autoconfiguration, the IP address is deducted using the unique
hardware address of the network card and the announced network prefix. Since
this might lead to privacy issues, most operating systems generate
pseudo-random addresses that are rotated in regular intervals.

This can be a problem for long-running connections if a address is invalidated
while still in use - the connection "hangs". Even though expired addresses are
usually retained for a long timeframe to prevent this, accidental dis- and
reconnection (e.g. when using a wireless network) flushes the list of
previously used addresses.

By setting appropiate socket options, the kernel can be instructed to use the
public (and static) source address for the outgoing connection. This change
implements this functionality for SSH, adding a configuration option
"Ipv6BindPref" that can be set to "pub(lic)", "t(e)mp" or just "none" (which is
the default), indicating the preference for the address to be used.

Comment 1 Damien Miller 2016-08-19 11:51:11 AEST

Created attachment 2862 [details]
reuse BindAddress for this functionality

The aforementioned git branch has a patch that adds an Ipv6BindPref option to ssh(1). IMO this is overkill and it would be better to support this by reusing BindAddress.

This patch attempts this, but I'm unable to test it because my Linux system lacks this sockopt.

Comment 2 Stefan Tomanek 2016-08-23 05:59:16 AEST

Created attachment 2863 [details]
extend BindAddress option to select the type of IPv6 src address

I made a few tweaks to the patch(es) and separated the socket manipulation from the command line parsing code - so someone fluent in *BSD or *x can add this functionality easily for those platforms.

Source address types are now selected by prefixing the keyword "pub(lic)" and "t(e)mp" with a precentag sign - so this will not collide with hostnames.

github reference: https://github.com/wertarbyte/openssh-portable/compare/master...bindaddress_ipv6_pref

Comment 3 Damien Miller 2016-08-23 10:40:50 AEST

Created attachment 2865 [details]
revised patch

Include correct header. Support a couple more aliases for BindAddress.

After reading more about the sockopt, I'm a bit more ambivalent about this. The IPV6_ADDR_PREFERENCES option originated from RFC5014[1], which is an Informational RFC. So far only Linux supports it, but the option isn't exposed in glibc headers - you have to include the kernel linux/in6.h header directly. It doesn't seem to be documented in any of the socket manpages either.

IMO it might be a bit soon for OpenSSH to implement this. 

[1] https://tools.ietf.org/html/rfc5014

Comment 4 Darren Tucker 2019-07-19 14:55:34 AEST

OS X High Sierra has the following which might be related in /usr/include/netinet6/in6.h:

/* int; prefer temporary addresses as the source address. */
#define IPV6_PREFER_TEMPADDR    63

Comment 5 martin ➬ 2020-05-02 19:31:05 AEST

What is the status of this patch? Can I do something to help its acceptance?