rdiscd - IPv6 Router Discovery and SLAAC Daemon
rdiscd is a daemon for performing IPv6 router discovery and stateless address autoconfiguration (SLAAC) in userspace. It provides greater flexibility and more functionality than the kernel's implementation. For example, rdiscd supports static interface IDs, where the advertised prefix is combined with a static suffix to form a complete address. It also supports RFC 7217 for generating semantically opaque interface IDs (aka "stable privacy addresses").
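The RFC 7217 scheme mentioned above, as an added Python illustration that is not rdiscd's own code: the interface ID is RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key), retried with a higher DAD counter when the result is reserved or already in use. SHA-256 as F, the length-prefixed input encoding, the function names, the demo key and the documentation prefixes are assumptions of this example.

```python
import hashlib
import ipaddress

# Constructed demo secret; a real host generates its own random key once and keeps it private.
DEMO_KEY = b"constructed-demo-secret-not-for-use"
# Reserved interface IDs (RFC 5453): all zeros, plus the reserved subnet anycast range.
RESERVED_LOW, RESERVED_HIGH = 0xFDFFFFFFFFFFFF80, 0xFDFFFFFFFFFFFFFF


def is_reserved(iid):
    return iid == 0 or RESERVED_LOW <= iid <= RESERVED_HIGH


def _field(data):
    # Length-prefix each variable-length input so field boundaries are unambiguous.
    return len(data).to_bytes(2, "big") + data


def stable_iid(prefix, iface, secret_key, dad_counter=0, network_id=b""):
    """64-bit interface ID taken from the low-order bits of the SHA-256 RID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("this example only handles /64 prefixes")
    material = (net.network_address.packed[:8] + _field(iface.encode())
                + _field(network_id) + dad_counter.to_bytes(4, "big")
                + _field(secret_key))
    rid = hashlib.sha256(material).digest()
    return int.from_bytes(rid[-8:], "big")


def stable_address(prefix, iface, secret_key, in_use=frozenset(), max_retries=3):
    """Return (address, dad_counter), skipping reserved or conflicting IDs."""
    net = ipaddress.IPv6Network(prefix)
    for dad_counter in range(max_retries + 1):
        iid = stable_iid(prefix, iface, secret_key, dad_counter)
        addr = ipaddress.IPv6Address(int(net.network_address) | iid)
        if not is_reserved(iid) and addr not in in_use:
            return addr, dad_counter
    raise RuntimeError("no usable interface ID after retries")


if __name__ == "__main__":
    for pfx in ("2001:db8:1::/64", "2001:db8:2::/64"):
        print(pfx, "->", stable_address(pfx, "eth0", DEMO_KEY)[0])
```

The address is the same every time the host joins a given prefix, but the interface ID changes from one prefix to the next, so it cannot be used to correlate the host across networks the way a MAC-derived ID can.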
Getting rdiscd
Building from Source (latest official release)
Download and extract rdiscd-0.6.tar.gz (PGP signature) and run:
cd rdiscd-0.6
make
make install
To install to a specific location:
make install PREFIX=/usr/local
Building from Git (development version; less stable and with no compatibility guarantee)
git clone https://www.agwa.name/git/rdiscd.git
cd rdiscd
make
make install
Verifying the Source
Since version 0.5, all tarballs and Git tags are signed by my PGP key, EF5D 84C1 838F 2EB6 D896 8C04 1037 8EFC 2080 080C.
Building rdiscd
Run make and make install. See the README for advanced build options.
Dependencies
rdiscd depends on libndp v1.2 or higher.
To build rdiscd, you need:
- GNU Make
- A C++ compiler supporting C++11 (e.g. GCC 4.7 or higher)
- Development headers for libndp
Current Status
The current version of rdiscd is 0.6, released on 2017-04-16. rdiscd aims to be bug-free and reliable, meaning it shouldn't crash or malfunction. It has been successfully used in production on servers, desktops, and laptops. It contains basic support for autoconfiguring addresses and the default gateway, but does not support route or DNS server advertisements.
As of 2019, rdiscd is no longer under active development. It will receive critical bug fixes but new features are unlikely to be added.
Project Resources
- Git Repository: https://agwa.name/git/rdiscd.git (GitHub Mirror)
- Announcement List (low traffic): Subscribe Archives
- Discussion List (help / questions): rdiscd-discuss@lists.cloudmutt.com Subscribe Archives
- Issue Tracker
For help or questions, send mail to the discussion list, rdiscd-discuss@lists.cloudmutt.com. To report a bug or make a feature request, please open an issue at GitHub or send mail to the discussion list. To contribute code, please send a properly-formatted patch to the discussion list, or open a pull request at GitHub.
To learn about new releases, subscribe to the announcement list, or watch the GitHub project.
Documentation
Credits
rdiscd was written by Andrew Ayer.
rdiscd is inspired by the userspace SLAAC implementation in NetworkManager, and some code is based on the code found therein.
rdiscd contains a SHA-256 implementation by Colin Percival.
rdiscd would not be possible without libndp, by Jiri Pirko.
Security
rdiscd has been designed and implemented with security in mind. Safe, high-level C++ constructs are used whenever possible to reduce the chance of programmer error. Low-level, potentially-unsafe code is kept to a minimum and written very carefully when it's necessary. In addition, I have audited the code of libndp, the NDP library used by rdiscd. I found one vulnerability, CVE-2014-3554, which is fixed as of libndp 1.4.
By necessity, rdiscd requires privilege, as it configures the system's networking and uses raw sockets. To mitigate the potential impact of a security vulnerability in rdiscd or libndp, rdiscd supports privilege separation. The process that handles NDP packets from the network runs as an unprivileged user in an empty and unwritable root directory, and passes configuration information to the privileged process over a UNIX domain socket using a simple and easily-audited protocol. The privileged process never talks directly to the network.
To use privilege separation, you must pass the name of an unprivileged user to the -u option (you should use a dedicated user for rdiscd), and a root directory to the -r option (you should use an empty and unwritable directory). Privilege separation is enabled by default in the Debian package, with no manual configuration required.
If you find a security vulnerability in rdiscd, please contact me privately, optionally using my PGP key, EF5D 84C1 838F 2EB6 D896 8C04 1037 8EFC 2080 080C.
Legalese
Copyright © 2014 Andrew Ayer
Licensed predominantly under the GPLv3. Also contains code licensed under more permissive GPL-compatible licenses.
rdiscd is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.