Re: [Tails-dev] Please review and merge bugfix/disable-IPv6

Delete this message

Reply to this message
Author: anonym
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] Please review and merge bugfix/disable-IPv6
29/11/12 17:06, intrigeri wrote:
> Hi,
>
> ticket: todo/really_block_ipv6
> branch: bugfix/disable-IPv6
> candidate for 0.16
> merged into experimental, design doc updated, no user doc needed.
>
> Two questions mainly aimed at anonym, but others' reviews are of
> course welcome too:
>
> 1. What was the purpose of `net.ipv6.conf.lo.disable_ipv6 = 1`
>    suggested on the ticket? It looks useless once you have the
>    "default" and "all" settings on.


No intention. Just ignore it.

> 2. May you please try to reproduce the IPv6 link-local multicast leak
>    in your test environment?


I can still find ICMPv6 packets with the guest's IPv6 address as the
source. But now I think they're "spoofed" by libvirt/KVM, or something.
If I check the pcap file in wireshark, it lists the following info for
the packets:

    Router Advertisement from <random MAC address>


Apparently that <random MAC address> is that of the virtual bridge that
libvirt is instructed to set up. Weird.

I merged this branch any way since it still makes sense. Defense in depth.

>    I could reproduce it neither with nor without the bugfix branch.


Assuming you too use libvirt, what is your network setup and sniffer setup?

Cheers!