net: ipv6: Initial support for privacy extension

This creates support for IPv6 privacy extensions which is described
in RFC 4941. This will also add API that can be used to add IPv6
prefixes to a white or black list privacy extension filter.

Fixes #9349

Signed-off-by: Jukka Rissanen <[email protected]>

Author: jukkar

include/net/net_if.h

@@ -65,10 +65,29 @@ struct net_if_addr {
 	/** What is the current state of the address */
 	enum net_addr_state addr_state;
 
-#if defined(CONFIG_NET_IPV6_DAD) && defined(CONFIG_NET_NATIVE_IPV6)
+#if defined(CONFIG_NET_NATIVE_IPV6)
+#if defined(CONFIG_NET_IPV6_PE_ENABLE)
+	/** Address creation time. This is used to determine if the maximum
+	 * lifetime for this address is reached or not. The value is in seconds.
+	 */
+	u32_t addr_create_time;
+
+	/** Preferred lifetime for the address in seconds.
+	 */
+	u32_t addr_preferred_lifetime;
+
+	/** Address timeout value. This is only used if DAD needs to be redone
+	 * for this address because of earlier DAD failure. This value is in
+	 * seconds.
+	 */
+	s32_t addr_timeout;
+#endif
+
+#if defined(CONFIG_NET_IPV6_DAD)
 	/** How many times we have done DAD */
 	u8_t dad_count;
 #endif
+#endif /* CONFIG_NET_NATIVE_IPV6 */
 
 	/** Is the IP address valid forever */
 	u8_t is_infinite : 1;
@@ -79,7 +98,10 @@ struct net_if_addr {
 	/** Is this IP address usage limited to the subnet (mesh) or not */
 	u8_t is_mesh_local : 1;
 
-	u8_t _unused : 5;
+	/** Is this IP address temporary and generated for example by
+	 * IPv6 privacy extension (RFC 4941)
+	 */
+	u8_t is_temporary : 1;
 };
 
 /**
@@ -464,6 +486,20 @@ struct net_if {
 
 	/** Network interface instance configuration */
 	struct net_if_config config;
+
+	/** Network interface specific flags */
+	/** Enable IPv6 privacy extension (RFC 4941), this is enabled
+	 * by default if PE support is enabled in configuration.
+	 */
+	u8_t pe_enabled : 1;
+
+	/* If PE is enabled, then this tells whether public addresses
+	 * are preferred over temporary ones for this interface.
+	 */
+	u8_t pe_prefer_public : 1;
+
+	u8_t _unused : 6;
+
 } __net_if_align;
 
 /**

include/net/net_ip.h

@@ -1406,6 +1406,47 @@ static inline u8_t net_priority2vlan(enum net_priority priority)
  */
 const char *net_family2str(sa_family_t family);
 
+#if defined(CONFIG_NET_IPV6_PE_ENABLE)
+/**
+ * @brief Add IPv6 prefix as a privacy extension filter.
+ *
+ * @details Note that the filters can be either black listing or white listing.
+ *
+ * @param addr IPv6 prefix
+ * @param is_blacklist Tells if this filter for white listing or black listing.
+ *
+ * @return 0 if ok, <0 if error
+ */
+int net_ipv6_pe_add_filter(struct in6_addr *addr, bool is_blacklist);
+
+/**
+ * @brief Delete IPv6 prefix from privacy extension filter list.
+ *
+ * @param addr IPv6 prefix
+ *
+ * @return 0 if ok, <0 if error
+ */
+int net_ipv6_pe_del_filter(struct in6_addr *addr);
+
+#else /* CONFIG_NET_IPV6_PE_ENABLE */
+
+static inline int net_ipv6_pe_add_filter(struct in6_addr *addr,
+					 bool is_blacklist)
+{
+	ARG_UNUSED(addr);
+	ARG_UNUSED(is_blacklist);
+
+	return -ENOTSUP;
+}
+
+static inline int net_ipv6_pe_del_filter(struct in6_addr *addr)
+{
+	ARG_UNUSED(addr);
+
+	return -ENOTSUP;
+}
+#endif /* CONFIG_NET_IPV6_PE_ENABLE */
+
 #ifdef __cplusplus
 }
 #endif

subsys/net/ip/CMakeLists.txt

@@ -30,6 +30,8 @@ zephyr_library_sources_ifdef(CONFIG_NET_IPV6         icmpv6.c nbr.c
                                                      ipv6.c ipv6_nbr.c)
 zephyr_library_sources_ifdef(CONFIG_NET_IPV6_MLD     ipv6_mld.c)
 zephyr_library_sources_ifdef(CONFIG_NET_IPV6_FRAGMENT     ipv6_fragment.c)
+zephyr_library_sources_ifdef(CONFIG_NET_IPV6_PE_ENABLE ipv6_pe.c)
+zephyr_library_sources_ifdef(CONFIG_NET_MGMT_EVENT   net_mgmt.c)
 zephyr_library_sources_ifdef(CONFIG_NET_ROUTE        route.c)
 zephyr_library_sources_ifdef(CONFIG_NET_STATISTICS   net_stats.c)
 zephyr_library_sources_ifdef(CONFIG_NET_TCP          connection.c tcp.c)

subsys/net/ip/Kconfig.ipv6

@@ -119,6 +119,77 @@ config NET_IPV6_RA_RDNSS
 	  Support Router Advertisement Recursive DNS Server option.
 	  See RFC 6106 for details. The value depends on your network needs.
 
+config NET_IPV6_PE_ENABLE
+	bool "Enable privacy extension (RFC 4941) support"
+	select MBEDTLS
+	help
+	  This enables IPv6 privacy extension (RFC 4941) support.
+	  The interface identifier is randomized and SLAAC addresses
+	  generated from it will expire. This requires that applications are
+	  prepared to use new IPv6 addresses when old ones will expire.
+	  Note that you should make sure that the value of config option
+	  CONFIG_NET_IF_UNICAST_IPV6_ADDR_COUNT should be large enough so that
+	  two PE generated IPv6 addresses can be added to the network interface
+	  at the same time.
+
+if NET_IPV6_PE_ENABLE
+
+config NET_IPV6_PE_FILTER_PREFIX_COUNT
+	int "Size of the IPv6 prefix filter list"
+	default 0
+	help
+	  Size of the white/black filter list of IPv6 prefixes. User can
+	  set filters at runtime and it is possible to enable or disable
+	  privacy extension support according to this filter list.
+	  By default no filters are enabled.
+
+config NET_IPV6_PE_PREFER_PUBLIC_ADDRESSES
+	bool "Prefer public preferred address over temporary one"
+	help
+	  Prefer public addresses over temporary addresses.
+
+config NET_IPV6_PE_TEMP_VALID_LIFETIME
+	int "Max lifetime for temporary address (in minutes)"
+	default 10080
+	help
+	  No temporary address should ever remain valid for longer than this
+	  value. The value is in minutes. Default value is 1 week (7*24*60).
+
+config NET_IPV6_PE_TEMP_PREFERRED_LIFETIME
+	int "Max preferred lifetime for temporary address (in minutes)"
+	default 1440
+	help
+	  No temporary address should ever remain preferred for longer than this
+	  value. The value is in minutes. Default value is 1 day (24*60).
+
+config NET_IPV6_PE_REGEN_ADVANCE
+	int "Regenerate advance time units"
+	default 5
+	help
+	  A temporary address is created only if the calculated Preferred
+	  Lifetime is greater than REGEN_ADVANCE time units.
+	  The value is in seconds.
+
+config NET_IPV6_PE_MAX_DESYNC_FACTOR
+	int "Max desync factor (in minutes)"
+	default 10
+	help
+	  This is the upper bound on DESYNC_FACTOR. The value is in minutes.
+	  The value DESYNC_FACTOR is a random value (different for each client)
+	  that ensures that clients don't synchronize with each other and
+	  generate new addresses at exactly the same time.
+
+config NET_IPV6_PE_TEMP_IDGEN_RETRIES
+	int "Max amount of failed DAD attempts"
+	default 3
+	help
+	  The node MUST perform duplicate address detection (DAD) on the
+	  generated temporary address. If after TEMP_IDGEN_RETRIES consecutive
+	  attempts no non-unique address was generated then there will be no
+	  attempt to generate temporary addresses for that interface.
+
+endif
+
 config NET_6LO
 	bool "Enable 6lowpan IPv6 Compression library"
 	default y if NET_L2_IEEE802154

subsys/net/ip/ipv6.h

@@ -483,4 +483,91 @@ void net_ipv6_mld_init(void);
 #define net_ipv6_nbr_init(...)
 #endif
 
+/**
+ * @brief Start IPv6 privacy extension procedure.
+ *
+ * @param iface Interface to use.
+ * @param prefix IPv6 prefix to use.
+ * @param vlifetime Lifetime of this IPv6 prefix (in seconds).
+ * @param preferred_lifetime Preferred lifetime of this IPv6 prefix (in seconds)
+ */
+#if defined(CONFIG_NET_IPV6_PE_ENABLE)
+void net_ipv6_pe_start(struct net_if *iface, const struct in6_addr *prefix,
+		       u32_t vlifetime, u32_t preferred_lifetime);
+
+#else
+static inline void net_ipv6_pe_start(struct net_if *iface,
+				     const struct in6_addr *prefix,
+				     u32_t vlifetime,
+				     u32_t preferred_lifetime)
+{
+	ARG_UNUSED(iface);
+	ARG_UNUSED(prefix);
+	ARG_UNUSED(vlifetime);
+	ARG_UNUSED(preferred_lifetime);
+}
+#endif /* CONFIG_NET_IPV6_PE_ENABLE */
+
+/**
+ * @brief Check if maximum number of Duplicate Address Detection (DAD) requests
+ *        have been done.
+ *
+ * @param count Number of DAD requests done.
+ *
+ * @return Return True if DAD can continue, False if max amount of DAD
+ *         requests have been done.
+ */
+#if defined(CONFIG_NET_IPV6_PE_ENABLE)
+bool net_ipv6_pe_check_dad(int count);
+#else
+static inline bool net_ipv6_pe_check_dad(int count)
+{
+	ARG_UNUSED(count);
+
+	return false;
+}
+#endif /* CONFIG_NET_IPV6_PE_ENABLE */
+
+/**
+ * @brief Initialize IPv6 privacy extension support for a network interface.
+ *
+ * @param iface Network interface
+ *
+ * @return Return 0 if ok or <0 if there is an error.
+ */
+#if defined(CONFIG_NET_IPV6_PE_ENABLE)
+int net_ipv6_pe_init(struct net_if *iface);
+#else
+static inline int net_ipv6_pe_init(struct net_if *iface)
+{
+	iface->pe_enabled = false;
+	iface->pe_prefer_public = false;
+
+	return 0;
+}
+#endif /* CONFIG_NET_IPV6_PE_ENABLE */
+
+typedef void (*net_ipv6_pe_filter_cb_t)(struct in6_addr *prefix,
+					bool is_blacklist,
+					void *user_data);
+
+/**
+ * @brief Go through all the IPv6 privacy extension filters and call callback
+ * for each IPv6 prefix.
+ *
+ * @param cb User supplied callback function to call.
+ * @param user_data User specified data.
+ *
+ * @return Total number of filters found.
+ */
+#if defined(CONFIG_NET_IPV6_PE_ENABLE)
+int net_ipv6_pe_filter_foreach(net_ipv6_pe_filter_cb_t cb, void *user_data);
+#else
+static inline int net_ipv6_pe_filter_foreach(net_ipv6_pe_filter_cb_t cb,
+					     void *user_data)
+{
+	return 0;
+}
+#endif
+
 #endif /* __IPV6_H */

subsys/net/ip/ipv6_nbr.c

@@ -2117,15 +2117,15 @@ static inline u32_t remaining_lifetime(struct net_if_addr *ifaddr)
 static inline void handle_prefix_autonomous(struct net_pkt *pkt,
 			struct net_icmpv6_nd_opt_prefix_info *prefix_info)
 {
+	struct net_if *iface = net_pkt_iface(pkt);
 	struct in6_addr addr = { };
 	struct net_if_addr *ifaddr;
 
 	/* Create IPv6 address using the given prefix and iid. We first
 	 * setup link local address, and then copy prefix over first 8
 	 * bytes of that address.
 	 */
-	net_ipv6_addr_create_iid(&addr,
-				 net_if_get_link_addr(net_pkt_iface(pkt)));
+	net_ipv6_addr_create_iid(&addr, net_if_get_link_addr(iface));
 	memcpy(&addr, &prefix_info->prefix, sizeof(struct in6_addr) / 2);
 
 	ifaddr = net_if_ipv6_addr_lookup(&addr, NULL);
@@ -2160,14 +2160,22 @@ static inline void handle_prefix_autonomous(struct net_pkt *pkt,
 	} else {
 		if (prefix_info->valid_lifetime ==
 		    NET_IPV6_ND_INFINITE_LIFETIME) {
-			net_if_ipv6_addr_add(net_pkt_iface(pkt),
-					     &addr, NET_ADDR_AUTOCONF, 0);
+			net_if_ipv6_addr_add(iface, &addr,
+					     NET_ADDR_AUTOCONF, 0);
 		} else {
-			net_if_ipv6_addr_add(net_pkt_iface(pkt),
-					     &addr, NET_ADDR_AUTOCONF,
+			net_if_ipv6_addr_add(iface, &addr, NET_ADDR_AUTOCONF,
 					     prefix_info->valid_lifetime);
 		}
 	}
+
+	/* If privacy extensions are enabled, then start the procedure for that
+	 * too.
+	 */
+	if (IS_ENABLED(CONFIG_NET_IPV6_PE_ENABLE) && iface->pe_enabled) {
+		net_ipv6_pe_start(iface, &prefix_info->prefix,
+				  prefix_info->valid_lifetime,
+				  prefix_info->preferred_lifetime);
+	}
 }
 
 static inline bool handle_ra_prefix(struct net_pkt *pkt)