Edgar Fuß <ef%math.uni-bonn.de@localhost> writes:

> I have some questions on net.inet6.ip6.v6only.
>
> First: What does it mean, exactly? My best guess is "a socket created
> with a domain argument of PF_INET6 will not connect() to a RFC 3493
> v6-mapped v4 address".

No, it's primarily (in practice anyway) about incoming connections. My understanding is that there is optional support for mapped addresses, where an incoming v4 connection will match a v6 socket and present a v6 address of the v4-mapped variety.

> Second: What's the rationale behind the default being 1?

Mapped addresses are confusing, which is a security issue. Someone who wishes to block v4 connections with an ACL has to extend the ACL to cover the mapped addresses, and things like that.

> Third: What's the drawback (or what are the security implications) of
> setting the knob to 0, i.e. enabling mapped addresses? My impression
> is that neither squid nor lighttpd will, on a host with non-local v6
> addresses, work correctly without because they (on a v6 host) will only
> create PF_INET6 sockets and then try to connect to v6-mapped v4
> addresses.

If so, they are buggy. Best practice is for programs to have a v4 and a v6 socket and do things in parallel. That's how almost everything works now (apache, dovecot, postfix, ntpd, named, inetd/sshd are examples that come to mind quickly).
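The two points made in the reply, that an IPv4 ACL silently misses v4-mapped peers when v6only is 0, and that the robust pattern is one v4 socket plus one v6 socket with IPV6_V6ONLY set explicitly, can be shown in a short Python script. This is an added example written for this thread, not code from the mailing-list post or from any of the daemons it names; the blocked network, the port arguments and the function names are assumptions chosen for illustration.

```python
"""Dual-stack listening and ACL handling for v4-mapped IPv6 addresses.

Added example for the net.inet6.ip6.v6only discussion; not from the
original post. Sample values are constructed.
"""
import ipaddress
import socket

# Constructed sample ACL: this IPv4 range should be blocked no matter
# which socket family the connection happens to arrive on.
BLOCKED_V4 = [ipaddress.ip_network("192.0.2.0/24")]


def canonical_address(addr_text):
    """Return the peer address in the family an ACL author thinks in.

    With v6only=0 an IPv4 client reaching a PF_INET6 socket is presented
    as ::ffff:a.b.c.d. Unwrapping that to the plain IPv4 address lets an
    IPv4 ACL entry keep matching it.
    """
    addr = ipaddress.ip_address(addr_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def naive_is_blocked(addr_text, blocked=BLOCKED_V4):
    """The mistake the reply warns about: match the literal peer address.

    ipaddress membership across families is always False, so a mapped
    peer slips past an IPv4-only ACL without any error being raised.
    """
    addr = ipaddress.ip_address(addr_text)
    return any(addr in net for net in blocked)


def is_blocked(addr_text, blocked=BLOCKED_V4):
    """ACL check that treats plain v4 and v4-mapped peers identically."""
    addr = canonical_address(addr_text)
    return any(addr in net for net in blocked)


def open_listeners(port, host_v4="127.0.0.1", host_v6="::1"):
    """Best practice from the reply: one v4 and one v6 socket in parallel.

    IPV6_V6ONLY is set on the v6 socket explicitly, so the program's
    behaviour does not depend on the system-wide v6only default. Without
    it, and with the knob at 0, the v6 socket may already claim the v4 side
    via mapped addresses and the second bind() can fail with EADDRINUSE
    (observed on Linux; assumption for other systems).
    """
    s6 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    s6.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
    s6.bind((host_v6, port))
    s6.listen(5)

    s4 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s4.bind((host_v4, port))
    s4.listen(5)
    return s4, s6


if __name__ == "__main__":
    # Constructed peers: a plain v4 client and the same client as seen
    # through a v6 socket with v6only=0.
    for peer in ("192.0.2.7", "::ffff:192.0.2.7", "2001:db8::1"):
        print(f"{peer:22} naive={naive_is_blocked(peer)!s:5} "
              f"correct={is_blocked(peer)}")

    # Port 0 asks the kernel for an ephemeral port; loopback only.
    s4, s6 = open_listeners(0)
    print("v4 listener:", s4.getsockname(), "v6 listener:", s6.getsockname())
    s4.close()
    s6.close()
```

The ACL functions need no network access and show the gap directly: `naive_is_blocked("::ffff:192.0.2.7")` is False while `is_blocked` on the same string is True. The listener helper is the shape the reply recommends; the `getsockopt` value of IPV6_V6ONLY on the v6 socket can be read back after setup if you want to confirm the option stuck on a given kernel.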