Re: IPv6: the same address can be added multiple times

Re: IPv6: the same address can be added multiple times

[kuznet]

Hello!

> It appears you can add _exactly_ same IPv6 address on an interface many
> times:

Yes. BTW, look here:

kuznet@dust:~ # ip -6 a ls sit0
7: sit0@NONE: <NOARP,UP> mtu 1480 qdisc noqueue
    inet6 ::127.0.0.1/96 scope host
    inet6 ::193.233.7.100/96 scope global
    inet6 ::193.233.7.100/96 scope global

I have two equal addresses inherited from one IPv4 address
on two interfaces. Nothing illegal.



> FWIW, KAME stack adds the address only once(, but BSD ifconfig(8)
> doesn't show errors when you try to do it again; just doesn't add the
> second one).

8)

> It looks like a check or two in kernel is missing, or is there some
> reasoning to this behaviour?

Well, it is one of well defined approaches (unlike KAME's one).
Alternative is to implement full set of options NLM_F_* like used
in IPv4 routing to block undefined cases. In IPv6 flags are hardwired
to NLM_F_CREATE|NLM_F_APPEND both for addresses and routes.

Alexey

Re: IPv6: the same address can be added multiple times

[Pekka Savola]

On Sun, 13 May 2001 kuznet@ms2.inr.ac.ru wrote:
> Hello!
>
> > It appears you can add _exactly_ same IPv6 address on an interface many
> > times:
>
> Yes. BTW, look here:
>
> kuznet@dust:~ # ip -6 a ls sit0
> 7: sit0@NONE: <NOARP,UP> mtu 1480 qdisc noqueue
>     inet6 ::127.0.0.1/96 scope host
>     inet6 ::193.233.7.100/96 scope global
>     inet6 ::193.233.7.100/96 scope global
>
> I have two equal addresses inherited from one IPv4 address
> on two interfaces. Nothing illegal.

Heh, I doubt there's an RFC that says "you MUST not be able to add the
same address twice to an interface".  I think it's kind of taken for
granted. ;-)

But it still looks dirty.  Also, it's easier to add it many times by
mistake; IPv4 addresses do not allow this.  And as you have to remove them
N times too, this may create even more confusion.

> > It looks like a check or two in kernel is missing, or is there some
> > reasoning to this behaviour?
>
> Well, it is one of well defined approaches (unlike KAME's one).
> Alternative is to implement full set of options NLM_F_* like used
> in IPv4 routing to block undefined cases. In IPv6 flags are hardwired
> to NLM_F_CREATE|NLM_F_APPEND both for addresses and routes.

Well, I can't really formulate an expert opinion as I'm not intimate how
this works on Linux, but I think KAME adds addresses to a structure where
duplicates aren't possible.

Also, what would be the other well defined approaches?  Quickly I can
think of only two, if "only one same address" isn't possible:
 1) never allow any address to be added at all
 2) no significant restrictions (==this)

I don't think the former is what people want either ;-)

Please Cc:.
-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

Re: IPv6: the same address can be added multiple times

[David S. Miller]

Pekka Savola writes:
 > But it still looks dirty.  Also, it's easier to add it many times by
 > mistake; IPv4 addresses do not allow this.  And as you have to remove them
 > N times too, this may create even more confusion.

There is this growing (think growing as in "fungus") set of thinking
that just because something can be misused, this is an argument
against it even existing.

I think this is wrong.  I'm seeing it a lot, especially on this list,
and it's becomming a real concern at least to me.

Most of the time the argument goes like:

1: "Well, we allow this because you can do usefull things X Y and
    Z as a result."

2: "Yeah, but this also lets you do stupid things like A B and
    C."

   translation: "It hurts when I do A B or C"

Most people know the appropriate response for the translation of
#2 ;-)

Later,
David S. Miller
davem@redhat.com

Re: IPv6: the same address can be added multiple times

[Kai Henningsen]

davem@redhat.com (David S. Miller)  wrote on 13.05.01 in <15103.18224.265350.877968@pizda.ninka.net>:

> Pekka Savola writes:
>  > But it still looks dirty.  Also, it's easier to add it many times by
>  > mistake; IPv4 addresses do not allow this.  And as you have to remove
>  > them N times too, this may create even more confusion.
>
> There is this growing (think growing as in "fungus") set of thinking
> that just because something can be misused, this is an argument
> against it even existing.

But that does not seem to be the argument here. Rather, it is "I can  
certainly see where this can cause harm, but I cannot see where it is  
useful for anything at all, so why do we have it?".

> I think this is wrong.  I'm seeing it a lot, especially on this list,
> and it's becomming a real concern at least to me.
>
> Most of the time the argument goes like:
>
> 1: "Well, we allow this because you can do usefull things X Y and
>     Z as a result."

What is X, Y and Z in this particular case? Nobody seems to have said  
that.

Incidentally, this thread is *very* similar to the "mount the exact same  
FS several times on the exact same mountpoint" thing. I'd expect to get a  
similar resolution (i.e., *don't* allow that).

MfG Kai

Re: IPv6: the same address can be added multiple times

[David Woodhouse]

davem@redhat.com said:
>  There is this growing (think growing as in "fungus") set of thinking
> that just because something can be misused, this is an argument
> against it even existing.

> I think this is wrong.  I'm seeing it a lot, especially on this list,
> and it's becomming a real concern at least to me. 

The removal of the perfectly sane get_module_symbol() and replacement with 
a less useful function which looks stuff up in a dynamic table instead of a 
static table built at link time is an example of this. Now I have horrible 
link order dependencies in code which was previously relatively clean. It 
sucks, and there was absolutely no reason for it.

The fact that it was done so late in 2.4-test without even a period of 
marking the original sane version as deprecated made it even worse.

Thinks... if I violently abuse inter_module_crap() will it suffer the same 
fate and can I replace it with get_module_symbol() again? :)

--
dwmw2

Re: IPv6: the same address can be added multiple times

[kuznet]

Hello!

>  2) no significant restrictions (==this)

When user asks to create some object, the only required thing
of any reasonable interface is to return an error when the object
is not added.

KAME's one is broken, ours is _one_ of right ones.


Another example of bad mistake is mine: I have made some crap with creating
tunnels: adding tunnel does not fail, when such tunnel already exists,
so that user has no idea, whether did it create tunnel (and should it
delete it) or someone another made this work. Note, that if we would
be able to create _duplicate_ tunnels on each new request (like IPv6 addresses),
this would be also right approach.

Alexey

Re: IPv6: the same address can be added multiple times

[Pekka Savola]

On Mon, 14 May 2001 kuznet@ms2.inr.ac.ru wrote:
> Hello!
>
> >  2) no significant restrictions (==this)
>
> When user asks to create some object, the only required thing
> of any reasonable interface is to return an error when the object
> is not added.

Please don't get stuck on that -- It wasn't the point ;-).

I pointed out KAME (and this seems to apply to IPv4 stack too) because it
would not add the same address twice.  The fact that it doesn't print out
an error message was just some wondering on the side; irrelevant from the
point of view discussed here (this duplicate error might have to special
cased in userland tools somehow though).

The command can be made print out the error message if that's what's
deemed important.


I guess BSD people have for some reason thought returning 0 on SIOCAIFADDR
for duplicates is ok.  Or perhaps it's a bug.  Investigating.

> KAME's one is broken, ours is _one_ of right ones.

I fail to see what the other right ones (ones that will actually add
an address too) are.  But that's not important. :-)

Cc: please.
-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords