Re: ipv6/ipv4 co-operation problem

From: Brian Wellington (bwelling@xbill.org)
Date: Wed Jun 14 2000 - 17:28:27 EST


On Tue, 13 Jun 2000 kuznet@ms2.inr.ac.ru wrote:

> Hello!
>
> > Call to bind() for INADDR_ANY port 1234 fails if IN6ADDR_ANY_INIT
> > port 1234 has already been bound. Also the reverse is true.
>
> Of course. A socket bound to IN6ADDR_ANY listens for IPv4 as well,
> so that no more bindings to this port are allowed.

Is this the desired behavior? It opens up some pretty large security
holes. Any sort of IPv4 access control is bypassed when IPv4-mapped IPv6
addresses are used. Also, fundamentally, opening a socket to accept IPv6
connections on all interfaces shouldn't accept IPv4 connections. If the
caller wants IPv4 connections, it shouldn't ask for INADDR6_ANY.

The current thinking is that IPv6 sockets should not accept IPv4
connections by default. See:

http://playground.iijlab.net/i-d/draft-itojun-ipv6-transition-abuse-00a.txt
http://www.kame.net/dev/cvsweb.cgi/kame/IMPLEMENTATION
ftp.isc.org:/isc/bind9/9.0.0b3/bind-9.0.0b3.tar.gz - doc/misc/ipv6

KAME IPv6 on the various *BSD platforms does not accept IPv4 on IPv6 sockets
by default, but the behavior is configurable. Since some of the KAME
developers are working on the IPv6 specifications also, it would make
sense for Linux to track these changes.

Older versions of KAME allow specific IPv4 bindings after an INADDR6_ANY
socket has been opened. This is also better than the current Linux
behavior, but still has the problem that specific IPv4 addresses can't be
disabled if an IPv6 INADDR6_ANY socket is open.

We're running into Linux IPv6 problems in BIND 9 development related to
this. It works better on pretty much every other OS we're testing.

Brian
