[Cerowrt-devel] dnsmasq ipv6 stuff

Chris Lawrence lordsutch at gmail.com
Tue Jan 22 19:14:17 EST 2013


On Tue, Jan 22, 2013 at 6:12 PM, Dave Taht <dave.taht at gmail.com> wrote:
> My own objection to ::1 is that it provides both an easy mnemonic for people
> to manage their networks AND an easier vector for attacks from the outside
> world.
>
> J.random.badscript only has to ping ::1 on every subnet in your delegation
> to try and hit all the routers.

True, although I think that's pretty much unavoidable given the design
of IPv6 (isn't ::1 always the router for the subnet?).  You
could always honeypot or Turing pit the other 2^16-(n) subnets if
you're really paranoid about someone finding your router without a
valid IPv6 address to start guessing with.

The source code also seems to support using
dhcp-range=::,constructor=*,ra-names,ra-stateless (etc.).  I'm not
sure what dropping the "1" does, exactly, not having perfect ipv6-foo
skills yet.


Chris


