Subject: Re: HEADS UP! Default value of ip6_v6only changed
To: None <wsimpson@greendragon.com>
From: Jun-ichiro itojun Hagino <itojun@itojun.org>
List: current-users
Date: 10/29/2003 14:26:19
> NetBSD OS PMC wrote:
> >
> > The default value of ip6_v6only (sysctl net.inet6.ip6.v6only) has
> > been changed. The new value brings us closer in line with current
> > RFC-defined behavior and practices.
> >
> > Itojun still has significant concerns about the new default behavior.
> > His concerns have been well-documented in
> > ftp://ftp.itojun.org/pub/paper/draft-cmetz-v6ops-v4mapped-api-harmful-00.txt
as noted above, i'm still very worried about the change. the change
could open up vulnerability (mostly access control mistake) on the
multiple userland program which supports IPv6. i'm worried because
it would scare people and delay deployment of IPv6.
> The draft is well founded. I strongly opposed the translation/mapping
> of IPv4 into IPv6 a decade ago. There was a whole working group
> devoted to the project, and AFAIK, the WG failed interoperability and
> was disbanded.
>
> The stack should use IPv4 or IPv6 on a per host basis, as indicated by
> its DNS *and* the availability of IPv6 infrastructure, but not both
> concurrently (for a host). Of course, there could be IPv4 and IPv6
> concurrently (dual stack approach).
>
> Craig Metz is a sharp fellow, and has been working on IPv6
> implementation since the beginning. We all respect itojun (of course).
>
> RFCs are not gospel. RFC-2133/2553/3493 has evolved over time, and is
> "Informational". The new IPV6_V6ONLY is only in the most recent
> version, and the default value of "off" is manifestly wrong.
IPV6_V6ONLY and its default value was discussed in a design group for
2553bis. many of the people there wore vendor hat, and they were
reluctant of changing the OS behavior, hence they refused to change.
some (including me) suggested the default value be "implementation
depenedent", but the editor of 2553bis ignored it.
> Please leave the default value as "on", as recommended by
> v4mapped-api-harmful.
ditto.
btw, freebsd changed the value from "off" to "on" between
4.x to 5.x to secure itself from the possible vulnerabilities.
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet6/in6_proto.c.diff?r1=1.17&r2=1.18
openbsd does not implement IPv4 mapped address behavior at all.
why netbsd has to make the backward change, i.e. secure behavior to
insecure behavior? portable programs cope with the issue already
(since MS WinXP is basically "v6only=1").
itojun