2010/9/8 Simon Kelley <si...@thekelleys.org.uk>:
> dnsm...@flyingout.name wrote:
[snip - IPv6 rebind filter failing]
>
> What IPv6 ranges need to be blocked? the IPv4-mapped ones obviously, but
> ::1 also?

Sure, it's the equivalent to 127.0.0.1

> What about the fe80:: link-local addresses.

I would say yes. An attacker could see a/the MAC address in a/the global
IPv6 address, and then try a rebind to the link-local + MAC.
Site-local are deprecated (but better safe than sorry?), hmmm, what's
with unique local?

I have some code for my software here, but it's more a bogon filter:

bool combo_addr_is_public(const union combo_addr *addr)
{
	in_addr_t a;

	// TODO: when IPv6 is common, change it
	if(unlikely(AF_INET6 == addr->s.fam))
	{
		const struct in6_addr *a6 = &addr->in6.sin6_addr;
		/* :: and ::1 */
		if(unlikely(IN6_IS_ADDR_UNSPECIFIED(a6)))
			return false;
		if(unlikely(IN6_IS_ADDR_LOOPBACK(a6)))
			return false;
		/* ff00::/8 */
		if(unlikely(IN6_IS_ADDR_MULTICAST(a6)))
			return false;
		/* fe80::/10 and the deprecated fec0::/10 */
		if(unlikely(IN6_IS_ADDR_LINKLOCAL(a6)))
			return false;
		if(unlikely(IN6_IS_ADDR_SITELOCAL(a6)))
			return false;
		/* RFC 4193 unique local, fc00::/7 */
		if(unlikely(IN6_IS_ADDR_UNIQUELOCAL_A(a6)))
			return false;
		if(unlikely(IN6_IS_ADDR_UNIQUELOCAL_B(a6)))
			return false;
		/* 2001:db8::/32 documentation prefix */
		if(unlikely(IN6_IS_ADDR_DOCU(a6)))
			return false;
		/* keep test for v4 last: an embedded IPv4 address falls
		 * through to the IPv4 checks below */
		if(IN6_IS_ADDR_V4MAPPED(a6) || IN6_IS_ADDR_V4COMPAT(a6))
			a = a6->s6_addr32[3];
		else
			goto out;
	}
	else
		a = addr->in.sin_addr.s_addr;

	/* according to RFC 3330 & RFC 5735 */
	if(IP_CMP(a, 0xFFFFFFFF, SLASH32)) /* 255.255.255.255/32 Broadcast */
		return false;
	.... rest of ipv4 part here ...
out:
	return true;
}

>
> Cheers,
>
> Simon.
>

Greetings
Jan
-- 
Murphy's Law of Combat Rule #3:
"Never forget that your weapon was manufactured by the lowest bidder"
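The following is an added, self-contained example of the IPv6 rebind filter the thread is discussing; it is neither dnsmasq code nor Jan's combo_addr_is_public() above, and the function names (v4_is_private, v6_is_rebind_target, filter_answer) are this example's own. It uses only the standard <netinet/in.h> macros, so the ranges Jan's project-specific macros cover (unique local, documentation prefix) are spelled out as byte tests. It goes one step beyond the message's list by also unwrapping the IPv4 address embedded in 6to4 (2002::/16) answers, which is an assumption about what a filter should do, not something the thread states.

```c
/* Added example: IPv6 rebind filter. Not dnsmasq code, not the code
 * posted in the thread; names and the 6to4 handling are this example's
 * own choices. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* IPv4 ranges a rebind filter must never let a public name resolve to
 * (RFC 5735): "this" network, loopback, link-local, RFC 1918, broadcast.
 * a is in host byte order. */
static bool v4_is_private(uint32_t a)
{
    return (a >> 24) == 0          /* 0.0.0.0/8 */
        || (a >> 24) == 10         /* 10.0.0.0/8 */
        || (a >> 24) == 127        /* 127.0.0.0/8 */
        || (a >> 16) == 0xA9FE     /* 169.254.0.0/16 */
        || (a >> 20) == 0xAC1      /* 172.16.0.0/12 */
        || (a >> 16) == 0xC0A8     /* 192.168.0.0/16 */
        || a == 0xFFFFFFFF;        /* 255.255.255.255/32 */
}

/* Last 32 bits of an IPv6 address as a host-order IPv4 address
 * (the embedded address of ::ffff:a.b.c.d and ::a.b.c.d). */
static uint32_t v4_from_tail(const struct in6_addr *a6)
{
    uint32_t v;
    memcpy(&v, &a6->s6_addr[12], 4);
    return ntohl(v);
}

/* True if an AAAA answer for a public name carrying this address should
 * be treated as a rebinding attempt. */
bool v6_is_rebind_target(const struct in6_addr *a6)
{
    const uint8_t *b = a6->s6_addr;

    if (IN6_IS_ADDR_UNSPECIFIED(a6) || IN6_IS_ADDR_LOOPBACK(a6)) /* ::, ::1 */
        return true;
    if (IN6_IS_ADDR_MULTICAST(a6))                               /* ff00::/8 */
        return true;
    if (IN6_IS_ADDR_LINKLOCAL(a6) || IN6_IS_ADDR_SITELOCAL(a6))  /* fe80::/10, fec0::/10 */
        return true;
    if ((b[0] & 0xfe) == 0xfc)                                   /* fc00::/7, RFC 4193 unique local */
        return true;
    if (b[0] == 0x20 && b[1] == 0x01 && b[2] == 0x0d && b[3] == 0xb8)
        return true;                                             /* 2001:db8::/32 documentation */

    /* Addresses that embed an IPv4 address: apply the IPv4 rules to it,
     * otherwise ::ffff:192.168.1.1 walks straight past the IPv6 checks. */
    if (IN6_IS_ADDR_V4MAPPED(a6) || IN6_IS_ADDR_V4COMPAT(a6))
        return v4_is_private(v4_from_tail(a6));
    if (b[0] == 0x20 && b[1] == 0x02) {                          /* 6to4: 2002:V4ADDR::/48 (example's own addition) */
        uint32_t v;
        memcpy(&v, &b[2], 4);
        return v4_is_private(ntohl(v));
    }
    return false;
}

/* Textual front end for both families. Returns 1 = filter the answer,
 * 0 = pass it. Unparsable input is filtered rather than silently allowed. */
int filter_answer(const char *text)
{
    struct in6_addr a6;
    struct in_addr a4;

    if (inet_pton(AF_INET6, text, &a6) == 1)
        return v6_is_rebind_target(&a6) ? 1 : 0;
    if (inet_pton(AF_INET, text, &a4) == 1)
        return v4_is_private(ntohl(a4.s_addr)) ? 1 : 0;
    return 1;
}
```

The order of the tests matters only for the embedded-IPv4 case, which must come last so that :: and ::1 are caught by the explicit checks first; inet_pton accepts the mixed notation ::ffff:192.168.0.1, so the constructed test inputs exercise that path directly.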