Discussion:
Disabling IPV6_V6ONLY a bad idea?
Jan Danielsson
2012-04-19 23:16:23 UTC
Hello,

Should I be worried about disabling IPV6_V6ONLY on a socket? The fact
that it's enabled by default made me curious enough to try some more or
less creative Google searches. Some of the results are along the lines of:

- "The option was for a period of migration, which was supposed to
happen ten years ago.".
- "Disabling IPv6_V6ONLY killed my cat!" (i.e. over-the-top
non-specific security concerns).
- "It doesn't work properly on most platforms."

Outdated blogs/articles? Are there any compelling reasons not to use
IPv4-on-IPv6, and instead bind to two separate ports?
--
Kind regards,
Jan Danielsson


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Joerg Sonnenberger
2012-04-19 23:25:33 UTC
Post by Jan Danielsson
Should I be worried about disabling IPV6_V6ONLY on a socket?
Not necessarily. Basically, as long as you don't do address based access
control, it is perfectly fine to disable it. This includes issues like
"only connections from localhost are allowed".

Joerg

Matthew Mondor
2012-04-19 23:34:56 UTC
On Fri, 20 Apr 2012 01:16:23 +0200
Post by Jan Danielsson
Hello,
Should I be worried about disabling IPV6_V6ONLY on a socket? The fact
that it's enabled by default made me curious enough to try some more or
- "The option was for a period of migration, which was supposed to
happen ten years ago.".
- "Disabling IPv6_V6ONLY killed my cat!" (i.e. over-the-top
non-specific security concerns).
- "It doesn't work properly on most platforms."
Outdated blogs/articles? Are there any compelling reasons not to use
IPv4-on-IPv6, and instead bind to two separate ports?
You might be interested in reading:
http://tools.ietf.org/html/draft-itojun-v6ops-v4mapped-harmful-02
--
Matt

David Laight
2012-04-20 07:35:42 UTC
Post by Joerg Sonnenberger
Post by Jan Danielsson
Should I be worried about disabling IPV6_V6ONLY on a socket?
Not necessarily. Basically, as long as you don't do address based access
control, it is perfectly fine to disable it. This includes issues like
"only connections from localhost are allowed".
You can do 'address based access control' with it enabled - provided that
the software understands that it will see IPv4 addresses embedded
inside IPv6 ones.

There is also the problem of binding listeners to specific local
addresses - where the driver has to DTRT when an IPv6 mapped IPv4
address bind is attempted (ie not generate another method of intercepting
inward calls).
This is relatively easy provided there is a single TCP/IP stack
that supports both IPv4 and IPv6 - but rather more difficult for
some early implementations of IPv6.

Disabling IPV6_ONLY makes it a lot simpler to listen for inward
calls on both IPv4 and IPv6 since only a single socket is needed.

David
--
David Laight: ***@l8s.co.uk
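
An added example, not part of the original thread, illustrating the point above about address-based access control on a socket with IPV6_V6ONLY disabled: IPv4 clients arrive as IPv4-mapped IPv6 addresses (`::ffff:a.b.c.d`), so a "localhost only" rule has to unwrap them. The function names are hypothetical and the peer addresses are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Naive rule: treats every AF_INET6 peer as native IPv6, so it only knows ::1. */
int naive_is_loopback(const struct sockaddr_in6 *peer)
{
    return IN6_IS_ADDR_LOOPBACK(&peer->sin6_addr) ? 1 : 0;
}

/* Mapped-aware rule: unwrap ::ffff:a.b.c.d and apply the IPv4 rule to it. */
int mapped_aware_is_loopback(const struct sockaddr_in6 *peer)
{
    if (IN6_IS_ADDR_V4MAPPED(&peer->sin6_addr)) {
        uint32_t v4;
        /* The embedded IPv4 address is the last 4 of the 16 bytes. */
        memcpy(&v4, &peer->sin6_addr.s6_addr[12], sizeof(v4));
        return (ntohl(v4) >> 24) == 127;   /* 127.0.0.0/8 */
    }
    return IN6_IS_ADDR_LOOPBACK(&peer->sin6_addr) ? 1 : 0;
}

/* Build the sockaddr that accept() would hand back for a peer, from
 * constructed text. Returns -1 if the text is not a valid IPv6 address. */
int make_peer(const char *text, struct sockaddr_in6 *peer)
{
    memset(peer, 0, sizeof(*peer));
    peer->sin6_family = AF_INET6;
    return inet_pton(AF_INET6, text, &peer->sin6_addr) == 1 ? 0 : -1;
}

/* Wrappers that run each rule on the same textual peer address. */
int naive_check(const char *text)
{
    struct sockaddr_in6 p;
    return make_peer(text, &p) == 0 ? naive_is_loopback(&p) : -1;
}

int aware_check(const char *text)
{
    struct sockaddr_in6 p;
    return make_peer(text, &p) == 0 ? mapped_aware_is_loopback(&p) : -1;
}
```

The same unwrapping applies to any allow or deny list keyed on IPv4 prefixes; with two separate sockets (IPV6_V6ONLY left on) the mapped case does not arise on the IPv6 socket.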

Ken Hornstein
2012-04-20 14:29:46 UTC
Post by David Laight
Disabling IPV6_ONLY makes it a lot simpler to listen for inward
calls on both IPv4 and IPv6 since only a single socket is needed.
I think that depends on your application ... I found myself special-casing
the IPv4-address-in-IPv6 case a lot when I had a single socket. Having
two sockets was just easier because I knew that an IPv6 socket was IPv6,
no exceptions. Handling multiple sockets for me wasn't an issue; that
code has been around forever.

I think the best answer is, "It depends on your application; you should
make the decision based on what you need to do". I can see cases where
disabling IPV6_ONLY would make things easier; in my specific case it made
things harder.

--Ken

Matthew Mondor
2012-04-20 19:37:54 UTC
On Fri, 20 Apr 2012 10:29:46 -0400
Post by Ken Hornstein
I think that depends on your application ... I found myself special-casing
the IPv4-address-in-IPv6 case a lot when I had a single socket. Having
two sockets was just easier because I knew that an IPv6 socket was IPv6,
no exceptions. Handling multiple sockets for me wasn't an issue; that
code has been around forever.
I agree, I also simply bind two sockets in my daemons. As you say,
this is already needed to bind to specific, multiple interfaces...
--
Matt
