Subject: Re: I don't understand the IPV4/IPV6 issue
To: Jonathan Neill <TYR124840@tyler.net>
From: Bill Studenmund <wrstuden@netbsd.org>
List: current-users
Date: 10/29/2003 23:23:15
--qLni7iB6Dl8qUSwk
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Wed, Oct 29, 2003 at 08:28:36PM -0600, Jonathan Neill wrote:
> Why is there such trouble with IPV6 sockets and mapped IPV4 addresses?
> (255.255.xxx.xxx.xxx.xxx, right?) Seems to me it should work either
> completely or not at all. Is it simply an implementation bug, or is there
> something fundamentally wrong with current IPV6 the way it handles this?
>=20
> Anyone that cares to satisfy my curiosity has my thanks. =3D]
As I understand it, there are two classes of concerns.
The first is that application writers won't understand the mapping when=20
writing access control filters. If you have a configuration for a given=20
IPv4 address, you need to catch both the IPv4 version of that address (the=
=20
normal stuff) _and_ the IPv6 mirror. You have to do that on both the=20
source and destination addresses. While good examples could help folks do=
=20
it right, we don't have that.
The second concern is that our stacks use what's called the weak host
model (if I understand it right). That means that packets can come in on
any interface for any address. An example of where this would crop up is
say you have a service that runs IPv4-only, and you want to partition it
off to one network. So you give it an IPv4 address on just that net (on
your server which is also a router), and you don't let your other IPv4
nets know about (route to) that net. And you set up filters so that other=
=20
boxes can't use IPv4 to get to your server.
Well, with the v6/v4 stuff, an IPv6 machine on one of your other nets=20
could connect to the V6 version of the v4 address, and your kernel would=20
happily make the connection.
Yes, you can set up rules to forbid this, but it takes more work, and=20
there aren't good examples of it.
Oh, and as a third concern, in the v6-connectivity-connecting-to-local-v4-=
=20
service case, say you have a v4 service that doesn't understand v6.
When a v6 client connects and the v6/v4 mapping happens in your box, I=20
think the v4-only server will get back v6 addresses when it asks for the=20
peer's address. It won't understand them, so who knows what will happen=20
when it tries to apply ACLs. ;-)
I think all of the concerns with the v6 mapping of v4 addresses can be=20
addressed with good filter writing. However I think examples of how to do=
=20
this are severely lacking.
Take care,
Bill
--qLni7iB6Dl8qUSwk
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (NetBSD)
iD8DBQE/oLxjWz+3JHUci9cRAlrSAKCLFbSS/G38Mo7ebzCcydL3D5McFQCdGnk7
I7C4Oj5PZtRxKEW//yT1Ims=
=ilzZ
-----END PGP SIGNATURE-----
--qLni7iB6Dl8qUSwk--