From 37a59bc76da7e0b20be3cef1fcb1d5cb8fbc839d Mon Sep 17 00:00:00 2001
From: Ghanan Gowripalan <ghanan@google.com>
Date: Tue, 28 Apr 2020 16:01:11 -0700
Subject: Support IPv6 Privacy Extensions for SLAAC

Support generating temporary (short-lived) IPv6 SLAAC addresses to
address privacy concerns outlined in RFC 4941.

Tests:
- stack_test.TestAutoGenTempAddr
- stack_test.TestNoAutoGenTempAddrForLinkLocal
- stack_test.TestAutoGenTempAddrRegen
- stack_test.TestAutoGenTempAddrRegenTimerUpdates
- stack_test.TestNoAutoGenTempAddrWithoutStableAddr
- stack_test.TestAutoGenAddrInResponseToDADConflicts
PiperOrigin-RevId: 308915566
---
 pkg/tcpip/stack/stack.go | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

(limited to 'pkg/tcpip/stack/stack.go')

diff --git a/pkg/tcpip/stack/stack.go b/pkg/tcpip/stack/stack.go
index 41398a1b6..4a2dc3dc6 100644
--- a/pkg/tcpip/stack/stack.go
+++ b/pkg/tcpip/stack/stack.go
@@ -464,6 +464,10 @@ type Stack struct {
 	// (IIDs) as outlined by RFC 7217.
 	opaqueIIDOpts OpaqueInterfaceIdentifierOptions
 
+	// tempIIDSeed is used to seed the initial temporary interface identifier
+	// history value used to generate IIDs for temporary SLAAC addresses.
+	tempIIDSeed []byte
+
 	// forwarder holds the packets that wait for their link-address resolutions
 	// to complete, and forwards them when each resolution is done.
 	forwarder *forwardQueue
@@ -541,6 +545,21 @@ type Options struct {
 	//
 	// RandSource must be thread-safe.
 	RandSource mathrand.Source
+
+	// TempIIDSeed is used to seed the initial temporary interface identifier
+	// history value used to generate IIDs for temporary SLAAC addresses.
+	//
+	// Temporary SLAAC adresses are short-lived addresses which are unpredictable
+	// and random from the perspective of other nodes on the network. It is
+	// recommended that the seed be a random byte buffer of at least
+	// header.IIDSize bytes to make sure that temporary SLAAC addresses are
+	// sufficiently random. It should follow minimum randomness requirements for
+	// security as outlined by RFC 4086.
+	//
+	// Note: using a nil value, the same seed across netstack program runs, or a
+	// seed that is too small would reduce randomness and increase predictability,
+	// defeating the purpose of temporary SLAAC addresses.
+	TempIIDSeed []byte
 }
 
 // TransportEndpointInfo holds useful information about a transport endpoint
@@ -664,6 +683,7 @@ func New(opts Options) *Stack {
 		uniqueIDGenerator:    opts.UniqueID,
 		ndpDisp:              opts.NDPDisp,
 		opaqueIIDOpts:        opts.OpaqueIIDOpts,
+		tempIIDSeed:          opts.TempIIDSeed,
 		forwarder:            newForwardQueue(),
 		randomGenerator:      mathrand.New(randSrc),
 	}
-- 
cgit v1.2.3