tech-net: Re: accepting both ipv4 and v6 connections

Subject: Re: accepting both ipv4 and v6 connections
To: Jeff Rizzo <riz@boogers.sf.ca.us>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-net
Date: 05/12/2004 13:34:25
--KsGdsel6WgEHnImy
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, May 12, 2004 at 08:06:07AM -0700, Jeff Rizzo wrote:
> Really bad form to have posted a question that I can now
> answer myself, but I figured the archives deserve an answer.  :)
>=20
> >From what I gather, ipv4-mapped addresses are now disabled by
> default in NetBSD, for security reasons.  (I'm still a little vague
> on what those security reasons are, but they come from folks I trust
> to know what they're talking about)  The old behaviour can
> be reenabled by setting net.inet6.ip6.v6only to 0 with sysctl.
>=20
> Just as a followup question, is the "correct" way to support both
> ipv4 and ipv6 in a case like this to loop over the return
> from getaddrinfo() and bind a listening fd to both :: and 0.0.0.0 ?
> That is, always handle all protocols explicitly?

Not quite. You should create a new socket for each address.

The same security issues that prevent an IPv6 socket from automagically=20
getting v4 traffic prevent mixing v4 and v6 addresses.

There are a number of security issues with the IPv4<->IPv6 automagic=20
conversion, as you indicate you know. The big one I know of that applies=20
to this case (v6 listening socket) is that you have to duplicate any IPv4=
=20
address filtering in IPv6. You also need to duplicate any routing=20
restrictions, as IPv6 traffic to "::a.b.c.d" doesn't use the same routing=
=20
table as IPv4 traffic to "a.b.c.d". :-)

Essentially if you turn on IPv4<->IPv6 automagic and you have a private=20
IPv4 network and global IPv6 connectivity, you've pretty much opened up=20
the IPv4 net to everyone in the IPv6 cloud. So like anyone in the world=20
could get to your payroll database server that you otherwise thought was=20
safe.

While most of these issues can eventually be solved, the current
implementations haven't. So the security folks decided to just
dis-recomend IPv6<->IPv4 magic for now. For now, it's probably the safest=
=20
thing.

Take care,

Bill

--KsGdsel6WgEHnImy
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (NetBSD)

iD8DBQFAoopRWz+3JHUci9cRArfwAJ0Z6ZbjNRxAUb4glLr72YCdYZ0AbACfbYeD
rl04oraUoxALwypOWoHp+G4=
=Cnhd
-----END PGP SIGNATURE-----

--KsGdsel6WgEHnImy--