Hi Bjørn,

Thanks for pointing that out. I found myself caught in the IPv4/v6 thing. :) Sure there is no predefined option for WPAD in DHCP6. Also to note that option 252 wasn't predefined for WPAD use either. It was an IETF draft (1999) that came in and proposed that option 252 on the *DHCP* server should be configured with the WPAD URL. There was no v4/v6 thing at that time. Maybe in future, when the "6" thing expands, an option for WPAD can be proposed on it too, though we can't predict that option code now. So we are requesting the URL from DHCP4. :)
For WPAD via DNS, we too are concerned about its security issue. There was a plan to restrict the domain increment to 3 (conventionally), but for orgs using a domain level less than 3, WPAD via DNS will cross the organisational boundary. We'll propose something *agreed* for this case.

Atul

On 4/30/16, Bjørn Mork <[email protected]> wrote:
> Atul Anand <[email protected]> writes:
>
>> So the mechanism should be like obtain pac_url from DHCP4 first (for
>> the obvious reasons)
>> if NM hasn't received go for pac_url from DHCP6.
>
> Is there such a thing as a wpad URL option for DHCPv6? I couldn't find
> any in the list on
> http://www.iana.org/assignments/dhcpv6-parameters/dhcpv6-parameters.xhtml#dhcpv6-parameters-2
> but I could have missed it. There sure are a lot of useless options
> with limited or no implementation in DHCPv6 too nowadays....
>
>> Whatever NM receives
>> first should be pushed into PacRunner. DHCP servers must have been
>> configured for use ... so using one should not abuse the other. :)
>> And there is no doubt over DHCP[4,6] vs WPAD via DNS. The other one
>> has a security loophole.
>> Implementing WPAD via DNS is not our priority now, it comes later
>
> Please don't. WPAD via DNS is a security nightmare. Have your friendly
> DNS resolver operator send over some query logs for wpad host names, and
> you'll quickly realize that there is no end to the attack vectors. The
> basic problem is that there is no way to establish a "safe" base
> domain. And if there were, there would be no way to know how far up the
> tree is safe. Or if dynamic registration of "wpad" is allowed within
> that domain, ref
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0093
> Might be "fixed" in Windows, but how about other dynamic zones?
>
> Network admins can just as easily configure the DHCP option. There is
> no need for the DNS thing.
>
>
> Bjørn
_______________________________________________
networkmanager-list mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/networkmanager-list
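The boundary problem both Atul and Bjørn describe (a fixed "domain increment" cutoff versus "no way to know how far up the tree is safe") is easy to see by just generating the candidate names a DNS-based WPAD walk would query. The following is an added example and is not NetworkManager or PacRunner code; it performs no DNS lookups, and the hostnames and the `org_domain` boundary it checks against are constructed for illustration.

```python
"""WPAD DNS candidate walk, and why a fixed label cutoff is not an org boundary.

Added illustration, not code from NetworkManager or PacRunner. Given a host's
FQDN, a DNS-based WPAD walk strips one leading label at a time and queries
'wpad.<remaining suffix>' until some cutoff. The cutoff is the only thing
standing between the client and a 'wpad' host registered by a stranger in a
parent zone. No network access: everything below is pure string handling on
constructed input.
"""
from typing import List


def wpad_dns_candidates(fqdn: str, min_labels: int = 2) -> List[str]:
    """Return the wpad hostnames a DNS walk would try, most specific first.

    The host's own label is dropped first (the host itself is never a
    candidate). The walk continues while the remaining suffix still has at
    least `min_labels` labels. min_labels=2 stops just above the TLD (the
    classic behaviour); min_labels=3 is the "restrict to 3" idea from the
    thread. Both values are assumptions for this demo, not NM policy.
    """
    labels = [l for l in fqdn.rstrip(".").lower().split(".") if l]
    candidates = []
    for i in range(1, len(labels)):        # i=1 drops the host label
        suffix = labels[i:]
        if len(suffix) < min_labels:
            break
        candidates.append("wpad." + ".".join(suffix))
    return candidates


def within_org(name: str, org_domain: str) -> bool:
    """True if `name` is the org domain or lies beneath it."""
    org = org_domain.rstrip(".").lower()
    name = name.rstrip(".").lower()
    return name == org or name.endswith("." + org)


def leaked_candidates(fqdn: str, org_domain: str, min_labels: int = 2) -> List[str]:
    """Candidates the walk would query that lie OUTSIDE the organisation.

    Anyone who can register 'wpad' in one of these parent zones can hand the
    client a PAC file, which is the attack surface Bjørn refers to.
    """
    return [c for c in wpad_dns_candidates(fqdn, min_labels)
            if not within_org(c, org_domain)]


if __name__ == "__main__":
    # Constructed cases. The registered org domain is the assumed boundary.
    cases = [
        ("pc1.sales.example.co.uk", "example.co.uk", 2),  # leaks to wpad.co.uk
        ("host.dept.example.com",   "example.com",   2),  # fine: stops at .com
        ("host.example.com",        "example.com",   3),  # cutoff 3: finds nothing
        ("pc1.sales.example.co.uk", "example.co.uk", 3),  # cutoff 3: still leaks
    ]
    for fqdn, org, cutoff in cases:
        print(f"{fqdn} (min_labels={cutoff}, org={org})")
        print("  queries:", wpad_dns_candidates(fqdn, cutoff))
        print("  outside org:", leaked_candidates(fqdn, org, cutoff))
```

The two constructed cases with a cutoff of 3 show the dilemma directly: a two-label org such as `example.com` gets no candidates at all, while a host under `example.co.uk` still ends up querying `wpad.co.uk`, because the walk cannot tell a registry suffix from an organisation's zone. That is why the thread settles on DHCP option 252, where the admin of the network the client is on states the URL explicitly.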
