
Re: Getting domU vif's MAC address from dom0


  • To: xen-users@xxxxxxxxxxxxxxxxxxxx
  • From: Andy Smith <andy@xxxxxxxxxxxxxx>
  • Date: Thu, 26 Sep 2024 01:23:10 +0000
  • Delivery-date: Thu, 26 Sep 2024 01:23:55 +0000
  • List-id: Xen user discussion <xen-users.lists.xenproject.org>
  • Openpgp: id=BF15490B; url=http://strugglers.net/~andy/pubkey.asc

Hi,

On Thu, Sep 26, 2024 at 12:12:45AM +0000, Mike wrote:
> Andy Smith wrote:
> > the IPv6 link-local
> > address inside the domU, which can be calculated from the MAC address
> 
> That sounds fragile.  Doesn't RFC 8064 undermine that logic?

Interesting question!

That token is used for generating global scope addresses, but I'm not
aware that it typically applies to link-local link scope addresses. I'm
referring to the ones inside fe80::/10.

In section 3 of RFC 8064 it says this:

    https://www.rfc-editor.org/rfc/rfc8064.html#section-3

   Nodes SHOULD implement and employ [RFC7217] as the default scheme for
   generating stable IPv6 addresses with SLAAC.  A link layer MAY also
   define a mechanism for stable IPv6 address generation that is more
   efficient and does not address the security and privacy
   considerations discussed in Section 1.

What I take from this is:

- RFC 8064 only applies to addresses generated with SLAAC. Link scope
  addresses are not generated with SLAAC. They exist even when you're
  not connected to a network.

- Link scope addresses are allowed to ignore the security and privacy
  considerations from RFC 8064.

I haven't noticed link scope addresses using the RFC 8064 token before
on Linux so I'm hoping no Linux does that. To try to check this, on this
particular Ubuntu 24.04 domU I added:

ipv6-address-token: "::bfbf:bfbf"

to the relevant section of /etc/netplan/50-cloud-init.yaml in order to
set the token, did "sudo netplan generate" and then rebooted.

When it came back up, the link-local address was still the same:

$ ip --brief -6 address show dev enX0
enX0             UP             fe80::216:5eff:fe00:239/64

and I verified that this setting was in fact in place:

$ sudo grep Token /run/systemd/network/10-netplan-enX0.network 
IPv6Token=static:::bfbf:bfbf

and also:

$ ip token get
token ::191.191.191.191 dev enX0

seems to confirm that this token is in use.

So, I do not think that on Linux the IPv6 token has any influence on the
generation of the link scope address, only for any SLAAC global scope
addresses and privacy addresses.

I must admit though that I do not have SLAAC enabled for letting these
domUs pick their own addresses and do not wish to enable that just to
test this. Possibly if I did have SLAAC on that network maybe things
could be different.

However, even if it does end up that there is some way to alter the
default link scope address on Linux, I think I am okay with just telling
people not to do that! 😀

I've searched around a bit and it seems that Windows might by default
use a random token to generate link scope addresses as well, so maybe
others do. I am only running Linux though. Again unless this is rife
amongst Linux distros I would be okay with telling people to disable
that.

Thanks,
Andy
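As an added example (not part of Andy's mail), here is the MAC-to-link-local derivation the thread relies on, plus the reverse lookup; the MAC 00:16:5e:00:02:39 is inferred from the fe80::216:5eff:fe00:239 address shown above rather than stated in the mail, and the reverse function returns None for an interface identifier that is not EUI-64 derived (RFC 7217 stable-privacy or a random token), so such a domU is flagged instead of being mapped to a bogus MAC.

```python
import ipaddress


def mac_to_link_local(mac: str) -> str:
    """Derive the modified-EUI-64 link-local address from a 48-bit MAC.

    Steps: split the MAC into its two 24-bit halves, insert ff:fe between
    them, flip the universal/local bit (bit 1 of the first octet) and
    place the result under fe80::/64.
    """
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    eui64 = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + eui64))


def link_local_to_mac(addr: str):
    """Recover the MAC from an EUI-64-derived link-local address.

    Returns None when the address is outside fe80::/64 or its interface
    identifier lacks the ff:fe marker, which is the case for RFC 7217
    stable-privacy identifiers and for random tokens.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip not in ipaddress.IPv6Network("fe80::/64"):
        return None
    iid = ip.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    # MAC inferred from the address in the mail (assumption, not stated there).
    print(mac_to_link_local("00:16:5e:00:02:39"))      # fe80::216:5eff:fe00:239
    print(link_local_to_mac("fe80::216:5eff:fe00:239"))  # 00:16:5e:00:02:39
    # Constructed non-EUI-64 identifier: no ff:fe marker, so no MAC is claimed.
    print(link_local_to_mac("fe80::1234:5678:9abc:def0"))  # None
```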
