tech-net archive


Re: Disabling IPV6_V6ONLY a bad idea?



On Fri, Apr 20, 2012 at 01:25:33AM +0200, Joerg Sonnenberger wrote:
> On Fri, Apr 20, 2012 at 01:16:23AM +0200, Jan Danielsson wrote:
> >    Should I be worried about disabling IPV6_V6ONLY on a socket?
> 
> Not necessarily. Basically, as long as you don't do address based access
> control, it is perfectly fine to disable it. This includes issues like
> "only connections from localhost are allowed".

You can do 'address based access control' with it enabled - provided that
the software understands that it will see IPv4 addresses embedded
inside IPv6 ones.

There is also the problem of binding listeners to specific local
addresses - where the driver has to DTRT when an IPv6 mapped IPv4
address bind is attempted (ie not generate another method of intercepting
inward calls).
This is relatively easy provided there is a single TCP/IP stack
that supports both IPv4 and IPv6 - but rather more difficult for
some early implementations of IPv6.

Disabling IPV6_V6ONLY makes it a lot simpler to listen for inward
calls on both IPv4 and IPv6 since only a single socket is needed.

        David

-- 
David Laight: david%l8s.co.uk@localhost
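
An added example, not part of the original message: a "localhost only" check for peers accepted on a socket with IPV6_V6ONLY disabled, where IPv4 clients arrive as IPv4-mapped IPv6 addresses (`::ffff:a.b.c.d`). It contrasts a check that only knows `::1` with one that unwraps the mapped address; `make_peer` and the sample peers are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Naive check: only recognises ::1, so ::ffff:127.0.0.1 is not seen as local. */
int naive_is_loopback(const struct sockaddr_in6 *s6)
{
    return IN6_IS_ADDR_LOOPBACK(&s6->sin6_addr) ? 1 : 0;
}

/* Mapped-aware check: unwrap ::ffff:a.b.c.d and test the IPv4 part (127/8). */
int peer_is_loopback(const struct sockaddr_in6 *s6)
{
    if (IN6_IS_ADDR_V4MAPPED(&s6->sin6_addr)) {
        uint32_t v4;
        memcpy(&v4, &s6->sin6_addr.s6_addr[12], sizeof(v4));
        return (ntohl(v4) >> 24) == 127;
    }
    return IN6_IS_ADDR_LOOPBACK(&s6->sin6_addr) ? 1 : 0;
}

/* Hypothetical helper: build the sockaddr_in6 that accept()/getpeername()
 * would return on a dual-stack socket for the given textual peer address.
 * Returns 0 on success, -1 if the text does not parse. */
int make_peer(const char *text, struct sockaddr_in6 *out)
{
    memset(out, 0, sizeof(*out));
    out->sin6_family = AF_INET6;
    return inet_pton(AF_INET6, text, &out->sin6_addr) == 1 ? 0 : -1;
}

int main(void)
{
    /* Constructed sample peers, not taken from the thread. */
    const char *peers[] = { "::1", "::ffff:127.0.0.1", "::ffff:192.0.2.10", "2001:db8::1" };
    for (size_t i = 0; i < sizeof(peers) / sizeof(peers[0]); i++) {
        struct sockaddr_in6 sa;
        if (make_peer(peers[i], &sa) != 0)
            continue;
        printf("%-20s naive=%d mapped-aware=%d\n", peers[i],
               naive_is_loopback(&sa), peer_is_loopback(&sa));
    }
    return 0;
}
```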

