2010/9/8 Simon Kelley <si...@thekelleys.org.uk>:
> dnsm...@flyingout.name wrote:
[snip - IPv6 rebind filter failing]
>
> What IPv6 ranges need to be blocked? the IPv4-mapped ones obviously, but
> ::1 also?

Sure, it's the equivalent of 127.0.0.1

> What about the fe80:: link-local addresses.

I would say yes.
An attacker could see a/the MAC address in a/the global IPv6 address,
and then try a rebind to the link-local + MAC.

Site-local is deprecated (but better safe than sorry?), hmmm, what about
unique local?

I have some code for my software here, but it's more of a bogon filter:

#include <stdbool.h>
#include <netinet/in.h>

/* Assumed from the surrounding code base (not shown here): union combo_addr,
 * unlikely(), IP_CMP(), SLASH32, and the non-standard macros
 * IN6_IS_ADDR_UNIQUELOCAL_A/_B (fc00::/8, fd00::/8) and IN6_IS_ADDR_DOCU
 * (2001:db8::/32), which libc does not provide. */
bool combo_addr_is_public(const union combo_addr *addr)
{
        in_addr_t a;

        /* TODO: when IPv6 is common, change it */
        if(unlikely(AF_INET6 == addr->s.fam))
        {
                const struct in6_addr *a6 = &addr->in6.sin6_addr;
                /* :: and ::1 */
                if(unlikely(IN6_IS_ADDR_UNSPECIFIED(a6)))
                        return false;
                if(unlikely(IN6_IS_ADDR_LOOPBACK(a6)))
                        return false;
                /* ff00::/8 */
                if(unlikely(IN6_IS_ADDR_MULTICAST(a6)))
                        return false;
                /* fe80::/10 and the deprecated fec0::/10 */
                if(unlikely(IN6_IS_ADDR_LINKLOCAL(a6)))
                        return false;
                if(unlikely(IN6_IS_ADDR_SITELOCAL(a6)))
                        return false;
                /* fc00::/7 (RFC 4193) */
                if(unlikely(IN6_IS_ADDR_UNIQUELOCAL_A(a6)))
                        return false;
                if(unlikely(IN6_IS_ADDR_UNIQUELOCAL_B(a6)))
                        return false;
                /* 2001:db8::/32 */
                if(unlikely(IN6_IS_ADDR_DOCU(a6)))
                        return false;
                /* keep test for v4 last: ::ffff:a.b.c.d and the deprecated
                 * ::a.b.c.d carry an IPv4 address in the low 32 bits, which
                 * must go through the IPv4 checks below */
                if(IN6_IS_ADDR_V4MAPPED(a6) ||
                   IN6_IS_ADDR_V4COMPAT(a6))
                        a = a6->s6_addr32[3];
                else
                        goto out;
        }
        else
                a = addr->in.sin_addr.s_addr;

        /* according to RFC 3330 & RFC 5735 */
        if(IP_CMP(a, 0xFFFFFFFF, SLASH32)) /* 255.255.255.255/32  Broadcast */
                return false;

.... rest of ipv4 part here ...

out:
        return true;
}


>
> Cheers,
>
> Simon.
>
>

Greetings
Jan

-- 
Murphy's Law of Combat
Rule #3: "Never forget that your weapon was manufactured by the
lowest bidder"
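As an added example (not code from dnsmasq and not Jan's bogon filter above), here is a self-contained rebind answer filter covering the IPv6 ranges the thread discusses (::, ::1, fe80::/10, fec0::/10, fc00::/7, ff00::/8, 2001:db8::/32) together with the RFC 5735 / RFC 1918 IPv4 blocks, unwrapping v4-mapped and v4-compatible addresses to the IPv4 checks the way the posted code does. It goes a step beyond the thread by also unwrapping the IPv4 address embedded in 6to4 (2002::/16) prefixes, since an answer like 2002:c0a8:101::1 names 192.168.1.1 just as surely as ::ffff:192.168.1.1 does. The function name rebind_answer_allowed and the sample addresses are assumptions for the example; standard inet_pton parses the text.

```c
/* Added example, not from the thread or dnsmasq: IPv4/IPv6 DNS rebind filter */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* True if the first `bits` bits of a and b agree (CIDR prefix match). */
static bool prefix_match(const uint8_t *a, const uint8_t *b, unsigned bits)
{
    unsigned full = bits / 8, rem = bits % 8;
    if (memcmp(a, b, full) != 0)
        return false;
    if (rem == 0)
        return true;
    uint8_t mask = (uint8_t)(0xffu << (8 - rem));
    return ((a[full] ^ b[full]) & mask) == 0;
}

/* IPv4 special-use blocks (RFC 5735 / RFC 1918) a rebind filter refuses. */
static const struct { uint8_t net[4]; unsigned bits; } v4_blocked[] = {
    { {0, 0, 0, 0},      8  }, /* 0.0.0.0/8       "this" network            */
    { {10, 0, 0, 0},     8  }, /* 10.0.0.0/8      RFC 1918                  */
    { {127, 0, 0, 0},    8  }, /* 127.0.0.0/8     loopback                  */
    { {169, 254, 0, 0},  16 }, /* 169.254.0.0/16  link-local                */
    { {172, 16, 0, 0},   12 }, /* 172.16.0.0/12   RFC 1918                  */
    { {192, 0, 2, 0},    24 }, /* 192.0.2.0/24    TEST-NET-1                */
    { {192, 168, 0, 0},  16 }, /* 192.168.0.0/16  RFC 1918                  */
    { {198, 18, 0, 0},   15 }, /* 198.18.0.0/15   benchmarking              */
    { {198, 51, 100, 0}, 24 }, /* 198.51.100.0/24 TEST-NET-2                */
    { {203, 0, 113, 0},  24 }, /* 203.0.113.0/24  TEST-NET-3                */
    { {224, 0, 0, 0},    4  }, /* 224.0.0.0/4     multicast                 */
    { {240, 0, 0, 0},    4  }, /* 240.0.0.0/4     reserved, incl. broadcast */
};

/* IPv6 ranges from the thread: unspecified, loopback, link-local, the
 * deprecated site-local, unique local, documentation and multicast. */
static const struct { uint8_t net[16]; unsigned bits; } v6_blocked[] = {
    { {0},                                128 }, /* ::                       */
    { {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}, 128 }, /* ::1        */
    { {0xfe, 0x80},                       10  }, /* fe80::/10 link-local     */
    { {0xfe, 0xc0},                       10  }, /* fec0::/10 site-local     */
    { {0xfc},                             7   }, /* fc00::/7 unique local    */
    { {0x20, 0x01, 0x0d, 0xb8},           32  }, /* 2001:db8::/32 docs       */
    { {0xff},                             8   }, /* ff00::/8 multicast       */
};

static bool ipv4_is_public(const uint8_t v4[4])
{
    for (size_t i = 0; i < sizeof v4_blocked / sizeof v4_blocked[0]; i++)
        if (prefix_match(v4, v4_blocked[i].net, v4_blocked[i].bits))
            return false;
    return true;
}

static bool ipv6_is_public(const struct in6_addr *a6)
{
    const uint8_t *b = a6->s6_addr;
    static const uint8_t v4mapped[12] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff};
    static const uint8_t v4compat[12] = {0};

    for (size_t i = 0; i < sizeof v6_blocked / sizeof v6_blocked[0]; i++)
        if (prefix_match(b, v6_blocked[i].net, v6_blocked[i].bits))
            return false;
    /* ::ffff:a.b.c.d and the deprecated ::a.b.c.d: judge the embedded IPv4 */
    if (memcmp(b, v4mapped, 12) == 0 || memcmp(b, v4compat, 12) == 0)
        return ipv4_is_public(b + 12);
    /* 6to4 2002:AABB:CCDD::/48 embeds IPv4 AA.BB.CC.DD in bytes 2..5 */
    if (b[0] == 0x20 && b[1] == 0x02)
        return ipv4_is_public(b + 2);
    return true;
}

/* Decide whether a DNS answer carrying this address may be passed to the
 * client. Anything that does not parse is rejected. */
bool rebind_answer_allowed(const char *text)
{
    struct in6_addr a6;
    struct in_addr a4;
    if (inet_pton(AF_INET6, text, &a6) == 1)
        return ipv6_is_public(&a6);
    if (inet_pton(AF_INET, text, &a4) == 1)
        return ipv4_is_public((const uint8_t *)&a4.s_addr);
    return false;
}

int main(void)
{
    /* constructed sample answers, not real DNS data */
    const char *samples[] = { "93.184.216.34", "192.168.1.1", "::1", "fe80::1",
                              "fd12:3456::1", "::ffff:10.0.0.1", "2001:db8::1",
                              "2002:c0a8:101::1", "2606:2800:220:1:248:1893:25c8:1946" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s %s\n", samples[i],
               rebind_answer_allowed(samples[i]) ? "allow" : "block");
    return 0;
}
```

The order matters: the IPv6 table is consulted first so that :: and ::1 are caught as IPv6 addresses, and only then are the v4-mapped, v4-compatible and 6to4 forms unwrapped, which is the same "keep the v4 test last" rule the posted filter follows.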
