[Dnsmasq-discuss] stop-dns-rebind and IPv6

Jan 'RedBully' Seiffert kaffeemonster at googlemail.com
Thu Sep 9 00:24:00 BST 2010


2010/9/8 Simon Kelley <simon at thekelleys.org.uk>:
> dnsmasq at flyingout.name wrote:
[snip - IPv6 rebind filter failing]
>
> What IPv6 ranges need to be blocked? the IPv4-mapped ones obviously, but
> ::1 also?

Sure, it's the equivalent of 127.0.0.1.

> What about the fe80:: link-local addresses.

I would say yes.
An attacker could see a/the MAC address in a/the global IPv6 address,
and then try a rebind to the link-local + MAC.

Site-local is deprecated (but better safe than sorry?), hmmm, what about
unique local?

I have some code for my software here, but it's more of a bogon filter:

bool combo_addr_is_public(const union combo_addr *addr)
{
	in_addr_t a;

	/* TODO: when IPv6 is common, change it */
	if(unlikely(AF_INET6 == addr->s.fam))
	{
		const struct in6_addr *a6 = &addr->in6.sin6_addr;
		if(unlikely(IN6_IS_ADDR_UNSPECIFIED(a6)))
			return false;
		if(unlikely(IN6_IS_ADDR_LOOPBACK(a6)))
			return false;
		if(unlikely(IN6_IS_ADDR_MULTICAST(a6)))
			return false;
		if(unlikely(IN6_IS_ADDR_LINKLOCAL(a6)))
			return false;
		if(unlikely(IN6_IS_ADDR_SITELOCAL(a6)))
			return false;
		if(unlikely(IN6_IS_ADDR_UNIQUELOCAL_A(a6)))
			return false;
		if(unlikely(IN6_IS_ADDR_UNIQUELOCAL_B(a6)))
			return false;
		if(unlikely(IN6_IS_ADDR_DOCU(a6)))
			return false;
		/* keep test for v4 last */
		if(IN6_IS_ADDR_V4MAPPED(a6) ||
		   IN6_IS_ADDR_V4COMPAT(a6))
			a = a6->s6_addr32[3];
		else
			goto out;
	}
	else
		a = addr->in.sin_addr.s_addr;

	/* according to RFC 3330 & RFC 5735 */
	if(IP_CMP(a, 0xFFFFFFFF, SLASH32)) /* 255.255.255.255/32  Broadcast */
		return false;

.... rest of ipv4 part here ...

out:
	return true;
}


>
> Cheers,
>
> Simon.
>
>

Greetings
Jan

-- 
Murphy's Law of Combat
Rule #3: "Never forget that your weapon was manufactured by the
lowest bidder"
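As an added example that is not part of Jan's post or of the dnsmasq code, the following self-contained C filter applies the ranges discussed in this thread to an AAAA answer: it drops ::, ::1 (the 127.0.0.1 equivalent), fe80::/10 link-local, the deprecated fec0::/10 site-local range, fc00::/7 unique local, and it unwraps IPv4-mapped and IPv4-compatible addresses so the existing IPv4 rebind check (RFC 1918, 127/8, 169.254/16, 0.0.0.0) still applies to them. The function names (`ipv4_is_rebind_target`, `ipv6_is_rebind_target`, `aaaa_answer_should_be_dropped`) and the sample addresses in `main` are assumptions made for this example; the range checks are done on the raw bytes rather than through the IN6_IS_ADDR_* macros so the code does not depend on which of the non-standard macros a libc provides.

```c
/* Added example, not Jan's code and not dnsmasq's: a rebind filter for
 * AAAA records covering the ranges discussed in the thread. */
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* IPv4 side of the filter. The address is passed in host byte order. */
static bool ipv4_is_rebind_target(uint32_t a)
{
	if ((a & 0xff000000u) == 0x0a000000u) return true; /* 10.0.0.0/8      RFC 1918   */
	if ((a & 0xfff00000u) == 0xac100000u) return true; /* 172.16.0.0/12   RFC 1918   */
	if ((a & 0xffff0000u) == 0xc0a80000u) return true; /* 192.168.0.0/16  RFC 1918   */
	if ((a & 0xff000000u) == 0x7f000000u) return true; /* 127.0.0.0/8     loopback   */
	if ((a & 0xffff0000u) == 0xa9fe0000u) return true; /* 169.254.0.0/16  link-local */
	if (a == 0u)                          return true; /* 0.0.0.0                    */
	return false;
}

static bool bytes_are_zero(const uint8_t *p, size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (p[i] != 0)
			return false;
	return true;
}

/* IPv6 side of the filter, working on the 16 raw address bytes. */
static bool ipv6_is_rebind_target(const struct in6_addr *a6)
{
	const uint8_t *b = a6->s6_addr;

	if (bytes_are_zero(b, 16))                         /* ::  unspecified */
		return true;
	if (bytes_are_zero(b, 15) && b[15] == 1)           /* ::1 loopback, like 127.0.0.1 */
		return true;
	if (b[0] == 0xfe && (b[1] & 0xc0) == 0x80)         /* fe80::/10 link-local */
		return true;
	if (b[0] == 0xfe && (b[1] & 0xc0) == 0xc0)         /* fec0::/10 site-local (deprecated) */
		return true;
	if ((b[0] & 0xfe) == 0xfc)                         /* fc00::/7 unique local, RFC 4193 */
		return true;

	/* IPv4-mapped (::ffff:a.b.c.d) and IPv4-compatible (::a.b.c.d) addresses
	 * carry an IPv4 address in the last 32 bits; hand it to the IPv4 check
	 * so a rebind to ::ffff:192.168.1.1 is refused like 192.168.1.1 would be. */
	bool v4mapped = bytes_are_zero(b, 10) && b[10] == 0xff && b[11] == 0xff;
	bool v4compat = bytes_are_zero(b, 12);
	if (v4mapped || v4compat) {
		uint32_t v4;
		memcpy(&v4, &b[12], sizeof v4);            /* network byte order on the wire */
		return ipv4_is_rebind_target(ntohl(v4));
	}
	return false;
}

/* Decide on a textual AAAA rdata: 1 = drop, 0 = pass, -1 = not a valid IPv6 address. */
int aaaa_answer_should_be_dropped(const char *text)
{
	struct in6_addr a6;
	if (inet_pton(AF_INET6, text, &a6) != 1)
		return -1;
	return ipv6_is_rebind_target(&a6) ? 1 : 0;
}

int main(void)
{
	/* Constructed sample answers for the demonstration. */
	static const char *samples[] = {
		"::1", "fe80::1", "fec0::1", "fd12:3456::1",
		"::ffff:192.168.1.1", "::ffff:8.8.8.8", "2001:db8::1", "::10.0.0.1",
	};
	for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
		printf("%-22s -> %s\n", samples[i],
		       aaaa_answer_should_be_dropped(samples[i]) == 1 ? "drop" : "pass");
	return 0;
}
```

A resolver applying this would run the check over every AAAA record in an answer before handing it to the client, exactly as the IPv4 rebind filter does for A records.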