Atul Anand <atul...@gmail.com> writes:

> So the mechanism should be like obtain pac_url from DHCP4 first (for
> the obvious reasons)
> if NM hasn't received go for pac_url from DHCP6.

Is there such a thing as a wpad URL option for DHCPv6?  I couldn't find
any in the list on
http://www.iana.org/assignments/dhcpv6-parameters/dhcpv6-parameters.xhtml#dhcpv6-parameters-2
but I could have missed it.  There sure are a lot of useless options
with limited or no implementation in DHCPv6 too nowadays....

> Whatever NM receive
> first should be pushed into PacRunner. DHCP servers must have been
> configured for use... so using one should not abuse the other. :)
> And there is no doubt over DHCP[4,6] vs WPAD via DNS. The other one
> has a security loophole.
> Implementing WPAD via DNS is not our priority now, it comes later

Please don't.  WPAD via DNS is a security nightmare.  Have your friendly
DNS resolver operator send over some query logs for wpad host names, and
you'll quickly realize that there is no end to the attack vectors.  The
basic problem is that there is no way to establish a "safe" base
domain. And if there were, there would be no way to know how far up the
tree is safe. Or if dynamic registration of "wpad" is allowed within
that domain, ref
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0093
Might be "fixed" in Windows, but how about other dynamic zones?

Network admins can just as easily configure the DHCP option.  There is
no need for the DNS thing.



Bjørn
_______________________________________________
networkmanager-list mailing list
networkmanager-list@gnome.org
https://mail.gnome.org/mailman/listinfo/networkmanager-list
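
The "no safe base domain" point above, as an added Python example that is not part of the original message: it lists the `wpad` names a client would query if it devolves label by label with no stop point, then flags `wpad` lookups in a resolver log that fall outside the zones an operator controls. The log format, host names, addresses and function names are all constructed for illustration.

```python
# Added example: audit resolver query logs for WPAD lookups that left the
# zones you control. Log format, names and addresses are constructed.

def wpad_candidates(fqdn):
    """Names tried for host `fqdn`, nearest first, assuming naive devolution."""
    labels = fqdn.rstrip(".").lower().split(".")
    # Drop the host label, then put "wpad" in front of each shorter suffix.
    return ["wpad." + ".".join(labels[i:]) for i in range(1, len(labels))]

def audit(log_lines, trusted_zones):
    """Return (client, qname) for every wpad query outside all trusted zones."""
    zones = [z.rstrip(".").lower() for z in trusted_zones]
    findings = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # not a "<time> <client> <qname> <qtype>" record
        client, qname = fields[1], fields[2].rstrip(".").lower()
        first, _, suffix = qname.partition(".")
        if first != "wpad":
            continue
        # Inside a trusted zone only if the parent of "wpad" is that zone
        # or a subdomain of it; a bare "wpad" has no parent and is flagged.
        if not any(suffix == z or suffix.endswith("." + z) for z in zones):
            findings.append((client, qname))
    return findings

# Constructed sample: one client walking up from pc1.lab.eng.corp.example,
# an unrelated lookup, and a single-label query from another client.
SAMPLE_LOG = [
    "2016-06-01T10:00:01Z 192.0.2.12 wpad.lab.eng.corp.example. A",
    "2016-06-01T10:00:01Z 192.0.2.12 wpad.eng.corp.example. A",
    "2016-06-01T10:00:02Z 192.0.2.12 wpad.corp.example. A",
    "2016-06-01T10:00:02Z 192.0.2.12 wpad.example. A",
    "2016-06-01T10:00:05Z 192.0.2.40 www.corp.example. AAAA",
    "2016-06-01T10:00:09Z 192.0.2.77 wpad. A",
]

if __name__ == "__main__":
    for name in wpad_candidates("pc1.lab.eng.corp.example"):
        print("candidate:", name)
    for client, qname in audit(SAMPLE_LOG, ["eng.corp.example"]):
        print("outside trusted zones:", client, qname)
```

A name that passes this check can still be unsafe where the zone accepts dynamic registration of `wpad`, so the audit covers only the boundary half of the problem.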
