DHCPv6 client in base

Brooks Davis brooks at freebsd.org
Fri Oct 11 17:45:22 UTC 2019


On Fri, Oct 11, 2019 at 08:32:59AM +0800, Ben Woods wrote:
> On Mon, 7 Oct 2019 at 8:53 am, Ben Woods <woodsb02 at gmail.com> wrote:
> 
> > On Thu, 16 May 2019 at 2:25 am, Hiroki Sato <hrs at freebsd.org> wrote:
> >
> >> <driesm.michiels at gmail.com> wrote
> >>   in <001e01d50b49$176104d0$46230e70$@gmail.com>:
> >>
> >> dr> Has anyone ever thought or considered integrating an IPv6 DHCP client in
> >> dr> base?
> >>
> >
> > I would like to discuss whether dhcpcd is a better option to import into
> > FreeBSD base, rather than wide-dhcp6.
> >
> 
> Hi everyone,
> 
> I have been working on importing dhcpcd into FreeBSD base over the last few
> days, and should be ready to share something on phabricator for review this
> weekend.
> 
> In addition to the normal review cycle, given I am a ports committer (I
> don't have a src commit bit), I would need this to be endorsed and approved
> by a src committer.
> 
> I have heavily utilised the Makefile and rc scripts from DragonFly BSD.
> 
> I don't intend to include any changes to the kernel for improved dhcpcd
> functionality as a part of this review - these could be made subsequently
> if dhcpcd is committed. For now it would just be the same functionality as
> if you used the net/dhcpcd port.

DHCP is one of the most exposed attack surfaces in existence.  We expect
it to take input from explicitly untrustworthy networks and perform
actions as root.  It might be OK to import this as a stopgap only
supporting IPv6, but without capsicum or privilege separation (as noted
elsewhere in the thread) it seems unlikely to be a good idea to enable it
by default or replace the existing IPv4 dhclient.

-- Brooks

More information about the freebsd-net mailing list