Re: Proxy detection for IPv6 vs. Legacy IP



Hi Bjørn,

Thanks for pointing that out. I found myself caught in the IP4v6 thing. :)
Sure, there is no predefined option for WPAD in DHCP6. Also to note that option 252 wasn't predefined for the WPAD use either. It was an IETF draft (1999) that came in and proposed that option 252 on the *DHCP* server should be configured with the WPAD url. There was no 4v6 thing at that time.
Maybe in future, when the "6" thing expands, an option for WPAD can be proposed on it too. Though we can't predict that option code now.
So we are requesting the URL from DHCP4. :)

For the WPAD via DNS, we too are concerned about its security issue. There was a plan to restrict the domain increment to 3 (conventionally), but for orgs using a domain level less than 3, WPAD via DNS will cross the organisational boundary.
We'll propose some *agreed* thing for this case.


Atul

On 4/30/16, Bjørn Mork <bjorn mork no> wrote:
Atul Anand <atulhjp gmail com> writes:

So the mechanism should be like: obtain pac_url from DHCP4 first (for the obvious reasons) if NM hasn't received go for pac_url from DHCP6.

Is there such a thing as a wpad URL option for DHCPv6?  I couldn't find
any in the list on
http://www.iana.org/assignments/dhcpv6-parameters/dhcpv6-parameters.xhtml#dhcpv6-parameters-2
but I could have missed it.  There sure are a lot of useless options
with limited or no implementation in DHCPv6 too nowadays....

Whatever NM receives first should be pushed into PacRunner. DHCP servers must have been configured for use... so using one should not abuse the other. :)
And there is no doubt over DHCP[4,6] vs. WPAD via DNS. The other one has a security loophole.
Implementing WPAD via DNS is not our priority now; it comes later.

Please don't.  WPAD via DNS is a security nightmare.  Have your friendly
DNS resolver operator send over some query logs for wpad host names, and
you'll quickly realize that there is no end to the attack vectors.  The
basic problem is that there is no way to establish a "safe" base
domain. And if there were, there would be no way to know how far up the
tree is safe. Or if dynamic registration of "wpad" is allowed within
that domain, ref
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0093
Might be "fixed" in Windows, but how about other dynamic zones?

Network admins can just as easily configure the DHCP option.  There is
no need for the DNS thing.



Bjørn


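To make the boundary problem discussed above concrete, here is an added example (not NetworkManager or PacRunner code) that models the DNS "devolution" a WPAD-via-DNS client performs and shows why a fixed label floor such as "stop at 3" cannot act as an organisational boundary. The `min_labels` floor and the `org_domain` parameter are hypothetical names chosen for this illustration; the client host name is constructed.

```python
# Added example (not code from NetworkManager or PacRunner): models the
# DNS "devolution" WPAD-via-DNS performs and shows why a fixed label floor
# cannot serve as an organisational boundary.

def wpad_candidates(hostname, min_labels=3, org_domain=None):
    """Return the wpad host names a naive WPAD-via-DNS client would query.

    hostname   -- the client's FQDN, e.g. "pc.sales.example.co.uk"
    min_labels -- stop once a candidate would have fewer labels than this
                  (the "restrict the domain increment to 3" idea); hypothetical
    org_domain -- if given, never devolve above this domain: an explicit
                  boundary, which is the only reliable stop condition
    """
    labels = hostname.rstrip(".").lower().split(".")[1:]  # drop the host label
    if org_domain is not None:
        org = org_domain.rstrip(".").lower().split(".")
        if labels[-len(org):] != org:
            return []  # host is not inside the declared org: do not devolve at all
    out = []
    while labels:
        candidate = ["wpad"] + labels
        if len(candidate) < min_labels:
            break
        if org_domain is not None and len(labels) < len(org):
            break  # would step above the organisation's own zone
        out.append(".".join(candidate))
        labels = labels[1:]  # devolve one level up the tree
    return out


def crosses_boundary(candidates, org_domain):
    """Candidates outside org_domain, i.e. in zones the organisation does not control."""
    suffix = "." + org_domain.rstrip(".").lower()
    return [c for c in candidates if not c.endswith(suffix)]


if __name__ == "__main__":
    host = "pc.sales.example.co.uk"  # constructed sample client name
    naive = wpad_candidates(host, min_labels=3)
    print(naive)  # ends with wpad.co.uk: a 3-label name nobody at the org controls
    print(crosses_boundary(naive, "example.co.uk"))
    print(wpad_candidates(host, min_labels=3, org_domain="example.co.uk"))
```

With the numeric floor alone, a client under example.co.uk still ends up querying wpad.co.uk; only the explicit `org_domain` stop keeps every candidate inside the organisation's zone.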
