Subject: Re: HEADS UP! Default value of ip6_v6only changed
To: None <tech-net@NetBSD.org, current-users@NetBSD.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-net
Date: 10/28/2003 05:47:12
> 	v6only on/off

> 	what happens to:

> 		v4 only host browses via mozilla to URL
> 			which has V6 and V4 address

> 		v4/6 host browses via mozilla to URL
> 			which has v6 and v4 address

> 		v6 only host browses via mozilla to URL
> 			which has v6 and v4 address

v6only makes no difference in any of these unless mozilla is using a
protocol like non-passive-mode ftp that involves connections back from
the other end, and even then it makes no difference unless mozilla is
exceptionally stupidly written.

See the docs:

sysctl(8) refers to sysctl(3).

sysctl(3) says
             ip6.v6only
                     The variable specifies initial value for IPV6_V6ONLY
                     socket option for AF_INET6 socket.  Please refer to
                     ip6(4) for detail.

ip6(4) says
     IPV6_V6ONLY controls behavior of AF_INET6 wildcard listening socket.
and goes on to explain how it does so (albeit with a grammar
mistake[%]).  Basically, if an incoming v4 connection attempt arrives,
it will match a v6 socket bound to that same port, being presented as a
connect from the corresponding v4-mapped v6 address.

So v6only makes no difference whatever for outgoing connections.  For
incoming connections, it makes a difference if mozilla binds a socket
expecting a v6 connect-back and the server connect-back comes in via v4
(unlikely; why would the server think the client even _has_ a v4
address, if the connect was over v6?), and even then the recent change
matters only if mozilla doesn't explicitly set or clear V6ONLY on the
listening socket according to the semantics it wants.

In my opinion, for what it's worth, the whole issue is a tempest in a
teapot.  There is a specific set of circumstances under which setting
v6only to zero can cause trouble: when you're running a service on v6
port P, with nothing on v4 port P, and the service should not be
accessible to people who can reach you with attempts to talk to v4 port
P - *and* whoever is responsible for keeping the service "private"
(application author, firewall admin, whoever) is unaware of this
danger.  This is a sufficiently contrived circumstance that I think its
chance of occurring is ignorable, certainly no worse than any of the
many other ways that admins who don't really understand the protocols
they're working with can shoot themselves in their feet.

[%] "...as if it was from..." - that's a subjunctive; it needs
    s/was/were.  (While composing this footnote, I also noticed a
    missing "an" after "from".)

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
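As an added example (not part of der Mouse's message or of NetBSD's own code), this C program demonstrates the ip6(4) behaviour described above: it binds an AF_INET6 wildcard listener with IPV6_V6ONLY off and then on, and has a plain IPv4 client connect to 127.0.0.1 on the same port, so you can see the v4 client accepted as the v4-mapped address ::ffff:127.0.0.1 when v6only=0 and refused when v6only=1. It assumes a POSIX sockets host with IPv6 enabled; the function name v4_reaches_v6_wildcard is my own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 1 if a plain AF_INET client connecting to 127.0.0.1 is accepted by an
 * AF_INET6 wildcard listener bound with the given IPV6_V6ONLY value (peer then
 * holds the address accept() reported), 0 if refused, -1 if setup failed. */
int v4_reaches_v6_wildcard(int v6only, char *peer, size_t peerlen)
{
    struct sockaddr_in6 sa6, from;
    struct sockaddr_in dst;
    socklen_t len = sizeof sa6, flen = sizeof from;
    int lfd, cfd, afd, ok = -1;
    /* Listener: AF_INET6 wildcard socket on an ephemeral port, as in ip6(4). */
    if ((lfd = socket(AF_INET6, SOCK_STREAM, 0)) < 0) return -1;
    memset(&sa6, 0, sizeof sa6);
    sa6.sin6_family = AF_INET6;
    sa6.sin6_addr = in6addr_any;
    if (setsockopt(lfd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof v6only) < 0
        || bind(lfd, (struct sockaddr *)&sa6, sizeof sa6) < 0 || listen(lfd, 1) < 0
        || getsockname(lfd, (struct sockaddr *)&sa6, &len) < 0)
        goto out;
    /* Client: an IPv4-only socket aimed at v4 loopback on that same port. */
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = sa6.sin6_port;             /* already in network byte order */
    dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if ((cfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto out;
    ok = 0;                                   /* refused unless accept() succeeds */
    if (connect(cfd, (struct sockaddr *)&dst, sizeof dst) == 0
        && (afd = accept(lfd, (struct sockaddr *)&from, &flen)) >= 0) {
        inet_ntop(AF_INET6, &from.sin6_addr, peer, peerlen);  /* v4-mapped form */
        close(afd);
        ok = 1;
    }
    close(cfd);
out:
    close(lfd);
    return ok;
}

int main(void)
{
    char peer[INET6_ADDRSTRLEN];
    for (int v = 0; v <= 1; v++) {
        int r = v4_reaches_v6_wildcard(v, peer, sizeof peer);
        printf("v6only=%d: %s%s\n", v, r == 1 ? "v4 client accepted, seen as " : "v4 client ",
               r == 1 ? peer : r == 0 ? "refused" : "setup failed");
    }
}
```

The v6only=0 run is exactly the "service on v6 port P reachable via v4 port P" case the message describes; an application that wants the private behaviour sets IPV6_V6ONLY itself rather than relying on the sysctl default.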