Re: Proxy detection for IPv6 vs. Legacy IP
- From: Bjørn Mork <bjorn mork no>
- To: Atul Anand <atulhjp gmail com>
- Cc: David Woodhouse <dwmw2 infradead org>, NetworkManager Discussions <networkmanager-list gnome org>
- Subject: Re: Proxy detection for IPv6 vs. Legacy IP
- Date: Fri, 29 Apr 2016 22:20:24 +0200
Atul Anand <atulhjp gmail com> writes:
So the mechanism should be like obtain pac_url from DHCP4 first ( for
the obvious reasons )
if NM hasn't recieved go for pac_url from DHCP6 .
Is there such a thing as a wpad URL option for DHCPv6? I couldn't find
any in the list on
http://www.iana.org/assignments/dhcpv6-parameters/dhcpv6-parameters.xhtml#dhcpv6-parameters-2
but I could have missed it. There sure are a lot of useless options
with limited or no implementation in DHCPv6 too nowadays....
Whatever NM recieve
first should be pushed into PacRunner . DHCP servers must have been
configured for use ...so using one should not abuse the other . :)
And there is no doubt over DHCP[4,6] vs WPAD via DNS .The other one
has a security loophole.
Implementing WPAD via DNS is not our priority now , it comes later
Please don't. WPAD via DNS is a security nightmare. Have your friendly
DNS resolver operator send over some query logs for wpad host names, and
you'll quickly realize that there is no end to the attack vectors. The
basic problem is that there is no way to establish a "safe" base
domain. And if there were, there would be no way to know how far up the
tree is safe. Or if dynamic registration of "wpad" is allowed within
that domain, ref
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0093
Might be "fixed" in Windows, but how about other dynamic zones?
Network admins can just as easily configure the DHCP option. There is
no need for the DNS thing.
Bjørn
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]