tech-net archive


Re: net.inet6.ip6.v6only



Edgar Fuß <ef%math.uni-bonn.de@localhost> writes:

> I have some questions on net.inet6.ip6.v6only.
>
> First: What does it mean, exactly?  My best guess is "a socket created
> with a domain argument of PF_INET6 will not connect() to a RFC 3493
> v6-mapped v4 address".

No, it's primarily (in practice anyway) about incoming connections.

My understanding is that there is optional support for mapped addresses,
where an incoming v4 connection will match a v6 socket and present a v6
address of the v4-mapped variety.

> Second: What's the rationale behind the default being 1?

Mapped addresses are confusing, which is a security issue.  Someone who
wishes to block v4 connections with an acl has to extend the acl to
cover the mapped addresses, and things like that.

> Third: What's the drawback (or what are the security implications) of
> setting the knob to 0, i.e. enabling mapped addresses? My impression
> is that neither squid nor lighttpd will, on a host with non-local v6
> addresses, work correctly without because they (on a v6 host) will only
> create PF_INET6 sockets and then try to connect to v6-mapped v4
> addresses.

If so, they are buggy.  Best practice is for programs to have a v4 and a
v6 socket and do things in parallel.  That's how almost everything works
now (apache, dovecot, postfix, ntpd, named, inetd/sshd are examples that
come to mind quickly).

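The following is an added example, not code from the thread above or from any of the daemons it names. It shows the two practices the reply recommends: a server that opens a separate AF_INET and AF_INET6 listener instead of relying on mapped addresses, with IPV6_V6ONLY set explicitly on the v6 socket so the behaviour does not depend on the system default (on NetBSD, the net.inet6.ip6.v6only knob discussed here), and an ACL that canonicalises a ::ffff:a.b.c.d peer to AF_INET before matching, which is the "extend the acl to cover the mapped addresses" problem. All function names (open_listeners, v6only_is_set, make_peer, unmap_v4, v4_blocked) and the 192.0.2.x test addresses are my own constructions for illustration.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>
#include <unistd.h>

/* One listening socket per address family; -1 if that family failed. */
struct listeners { int v4; int v6; };

/* Open a listening TCP socket for one family (port 0 = kernel picks).
 * On AF_INET6 we set IPV6_V6ONLY=1 explicitly, so the socket refuses
 * v4-mapped traffic regardless of the system default; v4 clients are
 * served by the separate AF_INET socket. Returns the fd or -1. */
static int listen_family(int family, unsigned short port)
{
    int fd = socket(family, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    struct sockaddr_storage ss;
    socklen_t len;
    memset(&ss, 0, sizeof ss);
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (family == AF_INET6) {
        if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &one, sizeof one) < 0) {
            close(fd); return -1;
        }
        struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&ss;
        s6->sin6_family = AF_INET6;
        s6->sin6_addr = in6addr_any;
        s6->sin6_port = htons(port);
        len = sizeof *s6;
    } else {
        struct sockaddr_in *s4 = (struct sockaddr_in *)&ss;
        s4->sin_family = AF_INET;
        s4->sin_addr.s_addr = htonl(INADDR_ANY);
        s4->sin_port = htons(port);
        len = sizeof *s4;
    }
    if (bind(fd, (struct sockaddr *)&ss, len) < 0 || listen(fd, 16) < 0) {
        close(fd); return -1;
    }
    return fd;
}

/* The "v4 and v6 socket in parallel" pattern; a real server would then
 * poll()/select() on both and accept() from whichever is readable. */
struct listeners open_listeners(unsigned short port)
{
    struct listeners l;
    l.v4 = listen_family(AF_INET, port);
    l.v6 = listen_family(AF_INET6, port);
    return l;
}

/* 1 if IPV6_V6ONLY is set on fd, 0 if clear, -1 on error. */
int v6only_is_set(int fd)
{
    int v = 0;
    socklen_t l = sizeof v;
    if (getsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v, &l) < 0) return -1;
    return v != 0;
}

/* Build a constructed peer address from text (test helper). 0 ok, -1 bad. */
int make_peer(struct sockaddr_storage *ss, int family, const char *text,
              unsigned short port)
{
    memset(ss, 0, sizeof *ss);
    if (family == AF_INET6) {
        struct sockaddr_in6 s6 = { .sin6_family = AF_INET6, .sin6_port = htons(port) };
        if (inet_pton(AF_INET6, text, &s6.sin6_addr) != 1) return -1;
        memcpy(ss, &s6, sizeof s6);
        return 0;
    }
    struct sockaddr_in s4 = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (inet_pton(AF_INET, text, &s4.sin_addr) != 1) return -1;
    memcpy(ss, &s4, sizeof s4);
    return 0;
}

/* If the peer is an AF_INET6 address of the RFC 3493 v4-mapped form
 * ::ffff:a.b.c.d, rewrite it in place as plain AF_INET so ACL code sees
 * one canonical form. Returns 1 if rewritten, 0 otherwise. */
int unmap_v4(struct sockaddr_storage *ss)
{
    if (ss->ss_family != AF_INET6) return 0;
    struct sockaddr_in6 s6;
    memcpy(&s6, ss, sizeof s6);
    if (!IN6_IS_ADDR_V4MAPPED(&s6.sin6_addr)) return 0;
    struct sockaddr_in s4 = { .sin_family = AF_INET, .sin_port = s6.sin6_port };
    memcpy(&s4.sin_addr, &s6.sin6_addr.s6_addr[12], 4); /* low 32 bits */
    memset(ss, 0, sizeof *ss);
    memcpy(ss, &s4, sizeof s4);
    return 1;
}

/* A v4-only ACL: 1 if the peer equals the blocked dotted-quad. It ignores
 * AF_INET6 peers entirely, which is exactly how a mapped address slips
 * past an ACL written with only AF_INET in mind unless unmap_v4() runs
 * first. */
int v4_blocked(const struct sockaddr_storage *ss, const char *blocked_dotted)
{
    if (ss->ss_family != AF_INET) return 0;
    struct in_addr b;
    if (inet_pton(AF_INET, blocked_dotted, &b) != 1) return 0;
    struct sockaddr_in s4;
    memcpy(&s4, ss, sizeof s4);
    return s4.sin_addr.s_addr == b.s_addr;
}
```

With IPV6_V6ONLY set, a v4 client connecting to the v6 listener is refused and lands on the v4 listener instead, so accept() on the v4 socket always yields an AF_INET peer and the ACL has only one form to match. The unmap_v4() step is what a program needs if it does run with mapped addresses enabled, because the same client then arrives as ::ffff:192.0.2.7 and a naive v4 blocklist never sees it.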


