From: Brooks Davis
Date: Fri, 11 Oct 2019 17:45:20 +0000
To: Ben Woods
Cc: Hiroki Sato, freebsd-net@freebsd.org, driesm.michiels@gmail.com, "roy@marples.name"
Subject: Re: DHCPv6 client in base

On Fri, Oct 11, 2019 at 08:32:59AM +0800, Ben Woods wrote:
> On Mon, 7 Oct 2019 at 8:53 am, Ben Woods wrote:
>
> > On Thu, 16 May 2019 at 2:25 am, Hiroki Sato wrote:
> >
> >> wrote
> >> in <001e01d50b49$176104d0$46230e70$@gmail.com>:
> >>
> >> dr> Has anyone ever thought or considered integrating an IPv6 DHCP client in
> >> dr> base?
> >>
> >
> > I would like to discuss whether dhcpcd is a better option to import into
> > FreeBSD base, rather than wide-dhcp6.
> >
>
> Hi everyone,
>
> I have been working on importing dhcpcd into FreeBSD base over the last few
> days, and should be ready to share something on phabricator for review this
> weekend.
>
> In addition to the normal review cycle, given I am a ports committer (I
> don't have a src commit bit), I would need this to be endorsed and approved
> by a src committer.
>
> I have heavily utilised the Makefile and rc scripts from DragonFly BSD.
>
> I don't intend to include any changes to the kernel for improved dhcpcd
> functionality as a part of this review - these could be made subsequently
> if dhcpcd is committed. For now it would just be the same functionality as
> if you used the net/dhcpcd port.

DHCP is one of the most exposed attack surfaces in existence. We expect
it to take input from explicitly untrustworthy networks and perform
actions as root. It might be OK to import this as a stopgap only
supporting IPv6, but without capsicum or privilege separation (as noted
elsewhere in the thread) it seems unlikely to be a good idea to enable it
by default or replace the existing IPv4 dhclient.

-- Brooks
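
The privilege-separation pattern the message asks for, as an added example that is not part of the thread and is not code from dhcpcd or dhclient: a child process parses the untrusted DHCPv6 bytes (entering Capsicum capability mode when built on FreeBSD) and the privileged parent accepts only a fixed-size, re-validated result. The names `lease_info`, `parse_options`, `parse_in_sandbox` and the sample packet are hypothetical, and the packet is handed over in memory here rather than read from the network by the child.

```c
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

struct lease_info { uint8_t have_dns; uint8_t dns[16]; };  /* all the parent ever sees */
/* Constructed sample: DHCPv6 Reply (type 7), xid 0x123456, option 23 (DNS) = 2001:db8::53 */
const uint8_t sample_reply[] = { 7, 0x12, 0x34, 0x56, 0, 23, 0, 16,
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x53 };

/* Called only in the child: walk code/length/value options with strict bounds checks. */
static int parse_options(const uint8_t *p, size_t len, struct lease_info *out) {
    memset(out, 0, sizeof(*out));
    if (len < 4) return -1;                      /* msg-type + 3-byte transaction id */
    p += 4; len -= 4;
    while (len > 0) {
        if (len < 4) return -1;                  /* truncated option header */
        uint16_t code = (uint16_t)((p[0] << 8) | p[1]);
        uint16_t olen = (uint16_t)((p[2] << 8) | p[3]);
        p += 4; len -= 4;
        if (olen > len) return -1;               /* option claims more bytes than remain */
        if (code == 23 && (olen < 16 || olen % 16)) return -1;  /* whole IPv6 addresses only */
        if (code == 23) { memcpy(out->dns, p, 16); out->have_dns = 1; }
        p += olen; len -= olen;
    }
    return 0;
}

/* Parent side: returns 0 and fills *out only if the sandboxed child accepted the packet. */
int parse_in_sandbox(const uint8_t *pkt, size_t len, struct lease_info *out) {
    int sv[2], status; struct lease_info li;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {                              /* child: the only place untrusted bytes are parsed */
        close(sv[0]);
#ifdef __FreeBSD__
        if (cap_enter() < 0) _exit(2);           /* Capsicum: no new files, sockets or paths */
#endif
        if (parse_options(pkt, len, &li) < 0) _exit(1);
        _exit(write(sv[1], &li, sizeof(li)) == (ssize_t)sizeof(li) ? 0 : 1);
    }
    close(sv[1]);
    ssize_t n = read(sv[0], out, sizeof(*out)); close(sv[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status)) return -1;
    return (n == (ssize_t)sizeof(*out) && out->have_dns <= 1) ? 0 : -1;  /* re-validate reply */
}

int main(void) { struct lease_info li; return parse_in_sandbox(sample_reply, sizeof(sample_reply), &li) != 0; }
```

A parser crash or memory-corruption bug then ends the unprivileged child and makes `parse_in_sandbox` return -1; the root-owned parent never touches the raw packet.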