Subject: Re: I don't understand the IPV4/IPV6 issue
To: Jonathan Neill <>
From: Bill Studenmund <>
List: current-users
Date: 10/29/2003 23:23:15
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Oct 29, 2003 at 08:28:36PM -0600, Jonathan Neill wrote:
> Why is there such trouble with IPV6 sockets and mapped IPV4 addresses?
> (, right?) Seems to me it should work either
> completely or not at all. Is it simply an implementation bug, or is there
> something fundamentally wrong with current IPV6 the way it handles this?
> Anyone that cares to satisfy my curiosity has my thanks. =3D]

As I understand it, there are two classes of concerns.

The first is that application writers won't understand the mapping when=20
writing access control filters. If you have a configuration for a given=20
IPv4 address, you need to catch both the IPv4 version of that address (the=
normal stuff) _and_ the IPv6 mirror. You have to do that on both the=20
source and destination addresses. While good examples could help folks do=
it right, we don't have that.

The second concern is that our stacks use what's called the weak host
model (if I understand it right). That means that packets can come in on
any interface for any address. An example of where this would crop up is
say you have a service that runs IPv4-only, and you want to partition it
off to one network. So you give it an IPv4 address on just that net (on
your server which is also a router), and you don't let your other IPv4
nets know about (route to) that net. And you set up filters so that other=
boxes can't use IPv4 to get to your server.

Well, with the v6/v4 stuff, an IPv6 machine on one of your other nets=20
could connect to the V6 version of the v4 address, and your kernel would=20
happily make the connection.

Yes, you can set up rules to forbid this, but it takes more work, and=20
there aren't good examples of it.

Oh, and as a third concern, in the v6-connectivity-connecting-to-local-v4-=
service case, say you have a v4 service that doesn't understand v6.
When a v6 client connects and the v6/v4 mapping happens in your box, I=20
think the v4-only server will get back v6 addresses when it asks for the=20
peer's address. It won't understand them, so who knows what will happen=20
when it tries to apply ACLs. ;-)

I think all of the concerns with the v6 mapping of v4 addresses can be=20
addressed with good filter writing. However I think examples of how to do=
this are severely lacking.

Take care,


Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.2.3 (NetBSD)