Re: Proxy detection for IPv6 vs. Legacy IP
On Mon, 2016-05-09 at 14:35 +0200, Bjørn Mork wrote:
> David Woodhouse <dwmw2 infradead org> writes:
> > There are users in corporate networks who *have* to use the proxies,
> > because direct connections to the outside world don't work.
>
> Yes, and those networks will use DHCP to configure proxies.  Anything
> else would be crazy.

Yeah, because corporate IT is *never* crazy. :)

I am fairly sure that our lot *don't* advertise the proxy with option
252. I also suspect I'd get nowhere in *asking* them to, since it isn't
required for Windows. I suppose I could try; they are actually quite
good these days.

But even if I fix it for my own users, that doesn't solve the general
case. I already *had* a hackish solution in a NM dispatcher script to
automatically detect being on *our* corporate network and prod the
right configuration into PacRunner.

And we *need* the general case to be solved. Because until
PacRunner/libproxy actually gives sane results in a reliable fashion, I
don't get to change distro packaging guidelines to read "Thou shalt use
libproxy by default". And without things actually *using* it, none of
this stuff actually makes any difference at all :)

> > Sure, a rogue network could still advertise intel.com in the search
> > domains in its DHCP response, and provide its own PAC content. But then
> > again, it could have just given you a DHCP option 252. Once the
> > attacker has *that* much control, I think you lost the game already.
>
> Yes, a rogue network is one thing. No way to protect yourself there
> of course.
>
> The problem with using DNS for proxy config is that you aren't even
> safe on a trusted network, unless you are very careful about which
> domain names you use.  Most users won't know that their choice of
> host name might have security implications.  Because it shouldn't.

True. But we're not talking about *always* using the corporate wpad
when we're outside the corporate network — only when the local DHCP
server actually gives $COMPANY.com in the list of DNS search domains.

And yes, a rogue network *could* do that... but as noted, we lose that
game anyway.

-- 
dwmw2
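The detection rule discussed above (use the corporate WPAD only when the DHCP-supplied DNS search list names $COMPANY.com, and prefer an explicit option 252 URL when one is advertised) as an added, self-contained example; this is not code from the thread, from PacRunner or from libproxy. The `DHCP4_DOMAIN_SEARCH` and `DHCP4_WPAD` environment variable names are assumptions about what a NetworkManager dispatcher script would see, and the domains and WPAD URL are constructed. It matches the corporate domain on label boundaries, which is the "careful about which domain names you use" point: `notintel.com` and `intel.com.example` must not count as being on the intel.com network.

```python
"""Added example (not from the thread): decide from DHCP-provided data
whether a host is on the corporate network and which proxy config to use.
Env-var names are assumptions; all domains and URLs below are constructed."""


def normalize(domain: str) -> str:
    # Lower-case and drop a trailing dot so "Eng.Intel.COM." compares equal
    # to "eng.intel.com".
    return domain.strip().rstrip(".").lower()


def in_corporate_network(search_domains, corporate_domain: str) -> bool:
    """True only if some search domain *is* the corporate domain or a
    subdomain of it.  A naive substring or endswith() test would accept
    'notintel.com' or 'intel.com.example', so match on a label boundary."""
    corp = normalize(corporate_domain)
    for raw in search_domains:
        d = normalize(raw)
        if not d:
            continue
        if d == corp or d.endswith("." + corp):
            return True
    return False


def choose_proxy_config(search_domains, corporate_domain: str,
                        corporate_wpad_url: str, dhcp_wpad_url=None):
    """Return (mode, url).  An explicitly advertised option 252 URL wins;
    otherwise fall back to the corporate WPAD only when the search list
    says we are on $COMPANY's network; otherwise go direct.

    Both signals come from the same DHCP server, so this does not defend
    against a rogue network (the thread concedes that game is lost); it
    only avoids applying the corporate proxy on unrelated networks."""
    if dhcp_wpad_url:
        return ("dhcp-option-252", dhcp_wpad_url)
    if in_corporate_network(search_domains, corporate_domain):
        return ("corporate-wpad", corporate_wpad_url)
    return ("direct", None)


def from_dispatcher_env(env, corporate_domain="intel.com",
                        corporate_wpad_url="http://wpad.example.invalid/wpad.dat"):
    """Glue for a dispatcher script.  Assumption: the dispatcher exports the
    DHCP search list as a space-separated DHCP4_DOMAIN_SEARCH and option 252
    as DHCP4_WPAD.  `env` is passed in so the function can be tested offline."""
    search = env.get("DHCP4_DOMAIN_SEARCH", "").split()
    return choose_proxy_config(search, corporate_domain, corporate_wpad_url,
                               env.get("DHCP4_WPAD"))


if __name__ == "__main__":
    # Constructed sample of what a corporate DHCP lease might provide.
    sample_env = {"DHCP4_DOMAIN_SEARCH": "eng.intel.com intel.com"}
    print(from_dispatcher_env(sample_env))
```

Run as-is it prints the decision for the constructed lease; in a dispatcher script `from_dispatcher_env(os.environ)` would replace the sample, and the caller would prod the returned URL into PacRunner.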
