use of #ifdef INET and #ifdef INET6 in the kernel sources
Hiroki Sato
hrs at FreeBSD.org
Thu Feb 28 08:00:54 UTC 2019
"Rodney W. Grimes" <freebsd at pdx.rh.CN85.dnsmgr.net> wrote
in <201902280158.x1S1wi7s053904 at pdx.rh.CN85.dnsmgr.net>:
fr> >
fr> > I know both of these groups still do exist.
fr> >
fr> > Also every code not compiled in is not an attack surface, whether you
fr> > think it's executed or not.
fr>
fr> This last reason is/was a prevalent one for me for a long time,
fr> given ipv6 is trying to autoconfigure stuff and interfaces
fr> just get a link local address that is reachable that I would
fr> have to secure. It was/is a royal pita to do that for lots of
fr> machines.
fr>
fr> Am I missing something in there is just some way to turn off the
fr> link local ipv6 address?
There is a way to disable automatic link-local address configuration
but completely turning it off prevents NDP from working. Having a
knob to restrict L3 communication over link-local addresses may be a
good compromise. At this moment, a packet filter is required to do
so.
-- Hiroki
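
The packet-filter approach mentioned in the reply above, as an added example that is not part of the original message or of FreeBSD's own configuration: a pf.conf fragment that keeps NDP working while dropping other traffic to or from link-local addresses. The interface name `em0` and the macro names are assumptions.

```conf
# /etc/pf.conf fragment (added example; adjust to the local ruleset)
# Assumption: em0 is the interface that received an automatic
# link-local address.
ext_if = "em0"
linklocal = "fe80::/10"

# Neighbor Discovery and router discovery run over link-local and
# multicast addresses, so these ICMPv6 types are passed first.
# "quick" stops rule evaluation here for matching packets.
pass quick on $ext_if inet6 proto icmp6 all \
    icmp6-type { routersol, routeradv, neighbrsol, neighbradv } no state

# Anything else that uses a link-local source or destination is dropped.
# This also drops other protocols that rely on link-local addresses
# (for example MLD and DHCPv6); add explicit pass rules above these
# two lines if the host needs them.
block drop quick on $ext_if inet6 from $linklocal to any
block drop quick on $ext_if inet6 from any to $linklocal
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and confirm with `ndp -a` afterwards that neighbor entries are still being resolved.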