Discussion:
net.inet6.ip6.v6only
Edgar Fuß
2013-04-18 13:05:53 UTC
I have some questions on net.inet6.ip6.v6only.

First: What does it mean, exactly?
My best guess is "a socket created with a domain argument of PF_INET6 will not
connect() to a RFC 3493 v6-mapped v4 address".

Second: What's the rationale behind the default being 1?

Third: What's the drawback (or what are the security implications) of setting
the knob to 0, i.e. enabling mapped addresses? My impression is that neither
squid nor lighttpd will, on a host with non-local v6 addresses, work correctly
without because they (on a v6 host) will only create PF_INET6 sockets and then
try to connect to v6-mapped v4 addresses.

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Greg Troxel
2013-04-18 14:36:04 UTC
Post by Edgar Fuß
I have some questions on net.inet6.ip6.v6only.
First: What does it mean, exactly? My best guess is "a socket created
with a domain argument of PF_INET6 will not connect() to a RFC 3493
v6-mapped v4 address".
No, it's primarily (in practice anyway) about incoming connections.

My understanding is that there is optional support for mapped addresses,
where an incoming v4 connection will match a v6 socket and present a v6
address of the v4-mapped variety.
Post by Edgar Fuß
Second: What's the rationale behind the default being 1?
Mapped addresses are confusing, which is a security issue. Someone who
wishes to block v4 connections with an acl has to extend the acl to
cover the mapped addresses, and things like that.
Post by Edgar Fuß
Third: What's the drawback (or what are the security implications) of
setting the knob to 0, i.e. enabling mapped addresses? My impression
is that neither squid nor lighttpd will, on a host with non-local v6
addresses, work correctly without because they (on a v6 host) will only
create PF_INET6 sockets and then try to connect to v6-mapped v4
addresses.
If so, they are buggy. Best practice is for programs to have a v4 and a
v6 socket and do things in parallel. That's how almost everything works
now (apache, dovecot, postfix, ntpd, named, inetd/sshd are examples that
come to mind quickly).
Joerg Sonnenberger
2013-04-18 15:30:08 UTC
Post by Edgar Fuß
Third: What's the drawback (or what are the security implications) of setting
the knob to 0, i.e. enabling mapped addresses? My impression is that neither
squid nor lighttpd will, on a host with non-local v6 addresses, work correctly
without because they (on a v6 host) will only create PF_INET6 sockets and then
try to connect to v6-mapped v4 addresses.
An application that knows how to deal with mapped V4 addresses can
enable it explicitly for a socket.

Joerg

Edgar Fuß
2013-04-18 15:39:03 UTC
Post by Joerg Sonnenberger
An application that knows how to deal with mapped V4 addresses can
enable it explicitly for a socket.
How?

Greg Troxel
2013-04-18 15:42:04 UTC
Post by Joerg Sonnenberger
An application that knows how to deal with mapped V4 addresses can
enable it explicitly for a socket.
How?
man ip6(4)
search for IPV6_V6ONLY
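
Putting Greg's two answers together (one v4 and one v6 socket in parallel, and IPV6_V6ONLY set per socket as ip6(4) documents), as an added example that is not from this thread or from any of the programs named in it: the function names open_listener, unmap_v4 and unmap_v4_text are my own, and the code assumes a BSD-sockets system that provides IPV6_V6ONLY.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Wildcard TCP listener for one family. For AF_INET6 the IPV6_V6ONLY
 * option is set explicitly so the program does not depend on the
 * net.inet6.ip6.v6only default. Returns the listening fd or -1. */
static int open_listener(int family, unsigned short port, int v6only)
{
    struct sockaddr_in6 s6 = { .sin6_family = AF_INET6, .sin6_port = htons(port) };
    struct sockaddr_in s4 = { .sin_family = AF_INET, .sin_port = htons(port) };
    struct sockaddr *sa = family == AF_INET6 ? (struct sockaddr *)&s6 : (struct sockaddr *)&s4;
    socklen_t len = family == AF_INET6 ? sizeof s6 : sizeof s4;
    int fd = socket(family, SOCK_STREAM, 0);

    if (fd < 0)
        return -1;
    /* Per-socket knob overrides the sysctl. With v6only = 0 a second,
     * plain AF_INET wildcard bind on the same port may fail (EADDRINUSE),
     * so the parallel v4 + v6 pair wants v6only = 1 here. */
    if (family == AF_INET6 &&
        setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof v6only) < 0)
        goto fail;
    if (bind(fd, sa, len) < 0 || listen(fd, 16) < 0)
        goto fail;
    return fd;
fail:
    close(fd);
    return -1;
}

/* If a v6 socket accepted a mapped v4 peer (::ffff:a.b.c.d), return the
 * embedded IPv4 address in host byte order, else -1. An IPv4 ACL has to
 * be evaluated on this value, otherwise a v4 client arriving through the
 * v6 socket is not matched by it (the "extend the acl" point above). */
static long long unmap_v4(const struct sockaddr_in6 *sa)
{
    const unsigned char *b = sa->sin6_addr.s6_addr;
    if (sa->sin6_family != AF_INET6 || !IN6_IS_ADDR_V4MAPPED(&sa->sin6_addr))
        return -1;
    return ((long long)b[12] << 24) | (b[13] << 16) | (b[14] << 8) | b[15];
}

/* Text form of unmap_v4(): "::ffff:192.0.2.10" -> 0xC000020A, "2001:db8::1" -> -1 */
static long long unmap_v4_text(const char *ip6)
{
    struct sockaddr_in6 sa = { .sin6_family = AF_INET6 };
    if (inet_pton(AF_INET6, ip6, &sa.sin6_addr) != 1)
        return -1;
    return unmap_v4(&sa);
}
```

Call open_listener(AF_INET, port, 0) and open_listener(AF_INET6, port, 1) for the parallel pair; a program that instead wants mapped addresses on a single socket calls open_listener(AF_INET6, port, 0) and runs every accepted peer through unmap_v4() before any IPv4 ACL check.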
