DHCPv6 *still* broken for F17 alpha

Tore Anderson tore at fud.no
Fri Mar 2 21:39:24 UTC 2012

* Tom Callaway

> I know less than nothing about DHCPv6. I used the rule offered earlier
> in the thread by Paul Wouters. If there is a more appropriate ruleset,
> please tell me what it is and I'll regenerate the patch.

This one will certainly work (it's the patch attached bug #591630):

ip6tables -A INPUT -p udp --dport 546 -j ACCEPT

This one *most likely* works (it assumes /sbin/dhclient in Fedora will
*always* use a link-local source address when building a DHCPv6 request.
I believe that is the case, but I have not reviewed its source code to

ip6tables -A INPUT -p udp --dport 546 -d fe80::/64 -j ACCEPT

Also, the latter one might be much more desirable from a security
standpoint, as it prevents random people/attackers on the internet from
transmitting unsolicited packets to the DHCPv6 client. In order to
successfully transmit a packet to a node using its link-local address in
fe80::/64 as the destination address, you'll have to be on the same
link. And if you have an attacker on the same link, you're dead anyway -
matching the source address and/or source port adds nothing, those are
trivially spoofed.

Also, I removed the "-m state --state NEW" part, as I don't think doing
a stateful match on the packet adds anything but processing overhead.
After all, the reason for adding an explicit exception for DHCPv6 is
that it *can't* be successfully matched by the current ip6tables state
module. But I have no problems with it being included either, if it
makes anyone happier.

Best regards,
Tore Anderson
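As an added illustration of the difference between the two rules above (my own example, not code from the thread or from Fedora): a small Python model of the two ip6tables matches, applied to constructed sample packets with placeholder addresses from the 2001:db8::/32 documentation prefix.

```python
import ipaddress
from dataclasses import dataclass

# The two candidate INPUT rules from the thread, modelled as match functions.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")
DHCPV6_CLIENT_PORT = 546  # UDP port a DHCPv6 client listens on

@dataclass(frozen=True)
class Packet:
    src: str    # source address (not consulted by either rule)
    dst: str    # destination address
    proto: str  # "udp" or "tcp"
    dport: int  # destination port

def rule_port_only(pkt: Packet) -> bool:
    """ip6tables -A INPUT -p udp --dport 546 -j ACCEPT"""
    return pkt.proto == "udp" and pkt.dport == DHCPV6_CLIENT_PORT

def rule_port_and_linklocal(pkt: Packet) -> bool:
    """ip6tables -A INPUT -p udp --dport 546 -d fe80::/64 -j ACCEPT"""
    return rule_port_only(pkt) and ipaddress.IPv6Address(pkt.dst) in LINK_LOCAL

# Constructed sample traffic (placeholder addresses). A legitimate DHCPv6
# reply is sent to the client's link-local address; a probe from off-link
# can only ever reach the client's global address, since link-local
# destinations are not routed across links.
SAMPLES = {
    "dhcpv6 reply from on-link server": Packet("fe80::1", "fe80::a1b2:c3ff:fed4:e5f6", "udp", 546),
    "udp/546 probe from off-link host": Packet("2001:db8:ffff::1", "2001:db8:1::42", "udp", 546),
    "tcp/546 to link-local address":    Packet("fe80::1", "fe80::a1b2:c3ff:fed4:e5f6", "tcp", 546),
}

def compare(samples=SAMPLES) -> dict:
    """Return {label: (port_only_accepts, port_and_linklocal_accepts)}."""
    return {label: (rule_port_only(p), rule_port_and_linklocal(p))
            for label, p in samples.items()}

if __name__ == "__main__":
    for label, (r1, r2) in compare().items():
        print(f"{label:36s} port-only={r1!s:5s} port+link-local={r2}")
```

Only the second rule leaves the off-link probe to fall through to the rest of the INPUT chain; both rules accept the genuine reply addressed to fe80::/64.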

