Commit
Expand TLS-Crypt-V2-Key metadata to include IPv6 client IP filtering
In IPv6, Easy-TLS uses simple string matching, not mathematical techniques. This is due to the 128-bit binary involved. (IPv4 is mathematically evaluated)

To match an IPv6 address to a client address, it is recommended to use a subnet/mask (mask <= 124), not a host/128.

Examples:
* Correct: 2000:1:2:3::/64, 2000:1:2:3:abcd::/80, 2000::1:2:3:4/128(+) (+: Not recommended)
* Incorrect: 2000:1:2:3:abcd::/64, 2000::1:2:3:4/80, :2000:1:2:3:4::/64

Easy-TLS also has some new functions for checking valid IPv4/6:
* v4ip: Validate IPv4 address
* v6ip: Validate IPv6 address
* x6ip: Expand a compressed IPv6 address

Examples:
* ./easytls v4ip 1.2.3.4/24
* ./easytls v6ip 2000::c0ff:ee/64
* ./easytls x6ip 2000::c0ff:ee/64

Note: When expanding an IPv6 address, easytls also verifies that this is a valid subnet, for use in TLS-Crypt-V2 metadata, according to the rules outlined here. Thus, some valid IPv6 addresses are not valid in Easy-TLS.

Signed-off-by: Richard T Bonhomme <[email protected]>
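The subnet rules stated in the commit message, as an added Python illustration that is not Easy-TLS's own code (easytls is a shell script, and its v6ip/x6ip implementations are not reproduced on this page). It expands a compressed address in the manner of x6ip, applies the check that makes 2000:1:2:3:abcd::/64 invalid while 2000:1:2:3:abcd::/80 is valid (no bits may be set beyond the mask), and matches a client address against the stored subnet by string comparison of the expanded forms, which is the approach the message describes for IPv6. The function names expand_ipv6, to_bits, validate_ipv6_subnet and client_matches, and the sample entries in main, are assumptions made for this example; the dotted-quad suffix form of IPv6 addresses is deliberately not handled.

```python
"""
Added illustration of the IPv6 subnet rules in the commit message above.
This is NOT Easy-TLS's own code: easytls is a shell script and its v6ip/x6ip
implementations are not reproduced on this page.  Function names and the sample
addresses in main() are assumptions made for this example.
"""
import re

HEX_GROUP = re.compile(r"^[0-9a-fA-F]{1,4}$")
RECOMMENDED_MAX_MASK = 124  # per the commit message: mask <= 124, not host/128


def expand_ipv6(addr):
    """Expand a compressed IPv6 address (like x6ip) into eight lower-case,
    zero-padded 4-digit groups.  Returns None if the text is not a valid address.
    Pure string handling: no 128-bit arithmetic.  Addresses with an embedded
    dotted-quad IPv4 suffix are not handled here (assumption for this example)."""
    if addr.count("::") > 1:
        return None
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:          # '::' must stand for at least one zero group
            return None
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    # A leading/trailing ':' (as in ':2000:1:2:3:4::') yields an empty group here.
    if len(groups) != 8 or not all(HEX_GROUP.match(g) for g in groups):
        return None
    return ":".join(g.lower().zfill(4) for g in groups)


def to_bits(expanded):
    """128-character '0'/'1' string for an expanded address, so that prefix
    checks become plain string comparisons."""
    return "".join(format(int(g, 16), "016b") for g in expanded.split(":"))


def validate_ipv6_subnet(cidr):
    """Apply the metadata rules: valid address, mask 0..128, and every bit after
    the mask zero (so 2000:1:2:3:abcd::/64 is rejected, /80 accepted).
    Returns (expanded_address, mask) or None."""
    addr, sep, mask_txt = cidr.partition("/")
    if not sep or not mask_txt.isdigit():
        return None
    mask = int(mask_txt)
    if mask > 128:
        return None
    expanded = expand_ipv6(addr)
    if expanded is None:
        return None
    if "1" in to_bits(expanded)[mask:]:   # host bits set beyond the mask
        return None
    return expanded, mask


def client_matches(client_addr, cidr):
    """String-prefix match of a client address against a validated subnet."""
    subnet = validate_ipv6_subnet(cidr)
    client = expand_ipv6(client_addr)
    if subnet is None or client is None:
        return False
    expanded, mask = subnet
    return to_bits(client)[:mask] == to_bits(expanded)[:mask]


if __name__ == "__main__":
    # Constructed sample entries, taken from the commit message's examples.
    for entry in ["2000:1:2:3::/64", "2000:1:2:3:abcd::/80", "2000::1:2:3:4/128",
                  "2000:1:2:3:abcd::/64", "2000::1:2:3:4/80", ":2000:1:2:3:4::/64"]:
        result = validate_ipv6_subnet(entry)
        if result is None:
            print(f"{entry:24} INVALID")
        else:
            expanded, mask = result
            note = "" if mask <= RECOMMENDED_MAX_MASK else " (not recommended: host-style mask)"
            print(f"{entry:24} ok -> {expanded}/{mask}{note}")
    print(client_matches("2000:1:2:3:dead:beef::1", "2000:1:2:3::/64"))   # True
    print(client_matches("2000:1:2:4::1", "2000:1:2:3::/64"))             # False
```

The three "incorrect" entries from the message fail for different reasons, which is worth knowing when a metadata entry is rejected: the first two have non-zero bits past the mask (abcd in the fifth group for /64; 2:3:4 in the last three groups for /80), while the third is not a well-formed address at all because of the leading colon. The /128 entry passes validation but is flagged against RECOMMENDED_MAX_MASK, mirroring the message's "(+: Not recommended)".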
b0bab73
#232