Package: ifupdown
Version: 0.8.45
Severity: wishlist
Tags: patch
Dear Debian Networking Team,
I've included a patch that adds an option "soii" to the auto method of
family inet6. When enabled, a secret (stored in /etc/network/soii.key)
is loaded into sysctl net.ipv6.conf.$if.stable_secret, which has the
side-effect of setting net.ipv6.conf.$if.addr_gen_mode=2. This is
sufficient to enable Semantically Opaque Interface Identifiers as
described in RFC 7217.
Setting net.ipv6.conf.$if.addr_gen_mode=0 earlier in ifup means that:
    ifdown $if; sed -i /soii/d /etc/network/interfaces; ifup $if
has the expected effect of disabling Semantically Opaque Interface
Identifiers. Doing this early in ifup rather than during ifdown means
that the following does not have the unexpected effect of changing the
machine's address:
    ifdown $if; ip link set dev $if up
I've also provided for your consideration machinery for generating
/etc/network/soii.key during package installation.
I've left soii's default value at 0, such that it is necessary to
change /etc/network/interfaces to enable SOIIs, but I will note that
RFC 8504 RECOMMENDs "that unless there is a specific requirement for
Media Access Control (MAC) addresses to be embedded in an Interface
Identifier (IID), nodes follow the procedure in [RFC7217] to generate
SLAAC-based addresses". I take this as RECOMMENDing setting soii's
default to 1 and waiting to see if anybody screams about it.
Yours,
Callum Davies <[email protected]>
-- Package-specific info:
--- /etc/network/interfaces:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug wlp3s0
iface wlp3s0 inet6 auto
soii on
wpa-ssid xxx
wpa-psk xxx
--- up and down scripts installed:
/etc/network/if-down.d:
total 4
-rwxr-xr-x 1 root root 759 Dec 2 2022 resolved
lrwxrwxrwx 1 root root 32 Apr 29 15:30 wpasupplicant -> ../../wpa_supplicant/ifupdown.sh
/etc/network/if-post-down.d:
total 4
-rwxr-xr-x 1 root root 1413 Jul 24 2024 wireless-tools
lrwxrwxrwx 1 root root 32 Apr 29 15:30 wpasupplicant -> ../../wpa_supplicant/ifupdown.sh
/etc/network/if-pre-up.d:
total 8
-rwxr-xr-x 1 root root 4185 Jul 24 2024 wireless-tools
lrwxrwxrwx 1 root root 32 Apr 29 15:30 wpasupplicant -> ../../wpa_supplicant/ifupdown.sh
/etc/network/if-up.d:
total 8
-rwxr-xr-x 1 root root 4665 Dec 22 2023 resolved
lrwxrwxrwx 1 root root 32 Apr 29 15:30 wpasupplicant -> ../../wpa_supplicant/ifupdown.sh
*** ifupdown.patch
diff --git a/debian/postinst b/debian/postinst
index 18c900d..94c49f5 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -25,6 +25,12 @@ if [ "$1" = "configure" ] ; then
report_warn "/etc/network/interfaces does not exist"
fi
fi
+ if [ ! -f /etc/network/soii.key ] ; then
+ (
+ umask 077
+ od -An -x -N 16 /dev/random | sed 's/ //;y/ /:/' > /etc/network/soii.key
+ )
+ fi
fi
#DEBHELPER#
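Review bot: the key is written straight to /etc/network/soii.key behind the `[ ! -f /etc/network/soii.key ]` guard, so if `od` or `sed` fails, or postinst is interrupted mid-write, an empty or truncated file is left behind and every later configure run skips regeneration. Write to a temporary file in /etc/network under the same `umask 077`, check that it is non-empty, and `mv` it into place. The hunk also adds no counterpart that removes the key on purge; either handle that in postrm or say that the file is kept deliberately so addresses stay stable across reinstalls.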
diff --git a/inet6.defn b/inet6.defn
index 0dc741a..8875d7c 100644
--- a/inet6.defn
+++ b/inet6.defn
@@ -14,6 +14,7 @@ method auto
options
privext int -- Privacy extensions (RFC4941) (0=off, 1=assign,
2=prefer)
+ soii int -- Use Semantically Opaque Interface Identifiers
(RFC7217) (0=off, 1=on) [0]
accept_ra int -- Accept router advertisements (0=off, 1=on,
2=on+forwarding) [2]
dhcp int -- Use stateless DHCPv6 (0=off, 1=on)
request_prefix int -- Request a prefix through DHCPv6 Prefix
Delegation (0=off, 1=on) [0]
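Review bot: the description on the added `soii` line does not say where the secret comes from or what the option does to the host's addresses. Mention that the secret is read from /etc/network/soii.key and that turning the option on or off changes the interface identifier used for SLAAC addresses, and state how it combines with `privext`, which is documented on the line directly above.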
@@ -22,6 +23,9 @@ method auto
up
modprobe -q net-pf-10 > /dev/null 2>&1 || true # ignore failure.
+ -sysctl -q -e -w net.ipv6.conf.%iface/.//%.addr_gen_mode=0
+ -sysctl -q -e -w net.ipv6.conf.%iface/.//%.stable_secret=`cat
/etc/network/soii.key` \
+ if (var_true("soii", ifd))
-[[sysctl -q -e -w net.ipv6.conf.%iface/.//%.use_tempaddr=%privext%]]
-sysctl -q -e -w net.ipv6.conf.%iface/.//%.accept_ra=%accept_ra%
-sysctl -q -e -w net.ipv6.conf.%iface/.//%.autoconf=1
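Review bot: on the added `stable_secret` line, the leading `-` together with `sysctl -q -e` means a missing, empty or malformed /etc/network/soii.key does not stop `up`, and because `addr_gen_mode=0` has just been written the interface then comes up with MAC-derived identifiers even though `soii` was requested. Fail the step, or at least warn, when `soii` is true and the secret cannot be loaded. Two smaller points: the `cat` substitution places the secret on sysctl's command line, where other local users can read it from the process list while the command runs, so feed the file's contents to the sysctl without passing them as an argument; and the `addr_gen_mode=0` line is unconditional, so it also resets a non-default mode an administrator configured elsewhere on interfaces that never set `soii`.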
-- System Information:
Debian Release: forky/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 7.0.10+deb14-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages ifupdown depends on:
ii adduser 3.155
ii iproute2 7.0.0-1
ii libc6 2.42-16
Versions of packages ifupdown recommends:
ii dhcpcd-base [dhcp-client] 1:10.3.2-3
Versions of packages ifupdown suggests:
pn ppp <none>
pn rdnssd <none>
-- no debconf information
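
Added example, not part of the report or the submitted patch: a POSIX shell check an administrator could run after applying it, to confirm that the key file is private and well-formed and to see which interfaces still use MAC-derived identifiers. The function names and the optional sysctl-root argument are assumptions made for the example; the `addr_gen_mode` values are the kernel's documented ones.

```shell
#!/bin/sh
# Added example; function names and the SYSROOT argument are hypothetical.

# check_soii_key FILE: print a verdict, return 0 only for a usable key.
check_soii_key() {
    [ -f "$1" ] || { echo missing; return 1; }
    # ls mode string such as "-rw-------": group/other bits must be clear,
    # matching the umask 077 used when the key is generated.
    case $(ls -ld "$1" | cut -c1-10) in
        -???------) ;;
        *) echo bad-mode; return 1 ;;
    esac
    # The generated key is one line of 8 colon-separated groups of 4 hex
    # digits (IPv6 address syntax, which stable_secret expects).
    if [ "$(wc -l < "$1")" -le 1 ] &&
       grep -Eqx '([0-9a-f]{4}:){7}[0-9a-f]{4}' "$1"; then
        echo ok
    else
        echo bad-format; return 1
    fi
}

# audit_addr_gen_mode [SYSROOT]: one line per interface naming the mode
# the kernel uses to build SLAAC interface identifiers.
audit_addr_gen_mode() {
    root=${1:-/proc/sys}
    for d in "$root"/net/ipv6/conf/*/; do
        [ -r "${d}addr_gen_mode" ] || continue
        ifc=$(basename "$d")
        case $(cat "${d}addr_gen_mode") in
            0) echo "$ifc eui64" ;;                  # MAC-derived
            1) echo "$ifc eui64-no-linklocal" ;;
            2) echo "$ifc stable-privacy" ;;         # RFC 7217, stable_secret
            3) echo "$ifc stable-privacy-random" ;;  # random secret if none set
            *) echo "$ifc unknown" ;;
        esac
    done
}

# Stand-alone run against the live system.
check_soii_key /etc/network/soii.key || true
audit_addr_gen_mode
```

An interface configured with `soii` that still reports `eui64` after `ifup` indicates the secret was not loaded.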