After reading There’s No Place Like ::1 — Enumerating Local IPv6 networks, I decided to try it out on a couple of my local LANs. Surprisingly enough, Linux, Solaris, IRIX (yes, IRIX), and Windows do not seem to respond to these (RFC 4620) queries, but FreeBSD, iOS, and macOS do.
Here's a segment with a few Apple hosts on it:

    (trill:17:07:PST)% ping -c 2 -N name ff02::1%br0
    PING ff02::1%br0(ff02::1%br0) 56 data bytes
    30 bytes from fe80::223:dfff:fe7f:2678%br0: odyssey; seq=1; ttl=64
    26 bytes from fe80::885:e847:e16b:a305%br0: atv; seq=1; ttl=64 (DUP!)
    28 bytes from fe80::dea9:4ff:fe8b:dd95%br0: orion; seq=1; ttl=64 (DUP!)
    29 bytes from fe80::10b3:60fb:bef0:90d2%br0: lantea; seq=1; ttl=64 (DUP!)
    30 bytes from fe80::223:dfff:fe7f:2678%br0: odyssey; seq=2; ttl=64

    --- ff02::1%br0 ping statistics ---
    2 packets transmitted, 2 received, +3 duplicates, 0% packet loss, time 1001ms

atv is an AppleTV, orion & odyssey run macOS (varying versions), and lantea is an iPod. Now, here's a segment with a few Linux & Windows hosts:

    (starfire:17:13:PST)% ping -c 2 -N name ff02::1%eth3
    PING ff02::1%eth3(ff02::1%eth3) 56 data bytes
    27 bytes from fe80::200:aaff:feac:f871%eth3: host; seq=1; ttl=64
    27 bytes from fe80::200:aaff:feac:f871%eth3: host; seq=2; ttl=64

    --- ff02::1%eth3 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 999ms

Not much here, except a strange reply from something calling itself host, which is actually my Xerox Phaser 6280 laser printer.
Also, Junos (FreeBSD-based), Cisco IOS, and IOS-XR (QNX-based) seem to ignore these too.
The conclusion here is, of course, that layer 2 is insecure. But really, who cares about a name if most things run some sort of mDNS agent nowadays, anyway?
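
For auditing which hosts on a segment disclose their names this way, here is an added example (not code from the original post): a Python sketch that turns `ping -N name` reply lines like those above into a de-duplicated inventory and recovers the MAC address from link-local addresses built with modified EUI-64. The sample input is constructed from the reply lines of the first run, and the function names `eui64_mac` and `ni_responders` are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the reply lines from the first ping run quoted in the post.
SAMPLE = """\
30 bytes from fe80::223:dfff:fe7f:2678%br0: odyssey; seq=1; ttl=64
26 bytes from fe80::885:e847:e16b:a305%br0: atv; seq=1; ttl=64 (DUP!)
28 bytes from fe80::dea9:4ff:fe8b:dd95%br0: orion; seq=1; ttl=64 (DUP!)
29 bytes from fe80::10b3:60fb:bef0:90d2%br0: lantea; seq=1; ttl=64 (DUP!)
30 bytes from fe80::223:dfff:fe7f:2678%br0: odyssey; seq=2; ttl=64
"""

# "<n> bytes from <addr>%<ifname>: <name>; seq=<n>; ..."
REPLY = re.compile(
    r"^\d+ bytes from (?P<addr>[0-9a-fA-F:]+)%(?P<ifname>[^:\s]+): "
    r"(?P<name>[^;]*); seq=\d+;"
)

def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits of the address
    if iid[3:5] != b"\xff\xfe":                    # EUI-64 inserts ff:fe mid-MAC
        return None                                # random or privacy-style IID
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo the flipped U/L bit
    return ":".join(f"{b:02x}" for b in mac)

def ni_responders(ping_output):
    """Map (interface, address) -> {'name', 'mac'} for each distinct responder."""
    hosts = {}
    for line in ping_output.splitlines():
        m = REPLY.match(line.strip())
        if not m:
            continue                               # banner, statistics, blank lines
        key = (m["ifname"], m["addr"].lower())
        # Repeated replies (seq=2, DUP!) from the same host collapse into one entry.
        hosts.setdefault(key, {"name": m["name"].strip(),
                               "mac": eui64_mac(m["addr"])})
    return hosts

if __name__ == "__main__":
    for (ifname, addr), info in sorted(ni_responders(SAMPLE).items()):
        mac = info["mac"] or "no EUI-64 MAC (randomized interface ID)"
        print(f"{ifname}  {addr:<28} {info['name']:<10} {mac}")
```

Hosts that show up in this inventory answer Node Information name queries sent to the all-nodes multicast address, and those with an EUI-64 address additionally expose their hardware address to anything on the link.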