Re: ipv6/ipv4 co-operation problem

From: kuznet@ms2.inr.ac.ru
Date: Thu Jun 15 2000 - 07:55:31 EST


Hello!

> > Of course. A socket bound to IN6ADDR_ANY listens for IPv4 as well,
> > so that no more bindings to this port are allowed.
>
> Is this the desired behavior?

In my opinion, it is not the desired behavior. 8)

But:

> It opens up some pretty large security
> holes. Any sort of IPv4 access control is bypassed when IPv4-mapped IPv6
> addresses are used.

Sorry... You have said something strange. Think more.
Setting a policy of the kind proposed by you by default is
an evident security hole.

BTW, your reference to KAME in this context sounds interesting:
the port stealing hole is one of the largest flaws in the 4.4BSD API. 8)

> The current thinking is that IPv6 sockets should not accept IPv4
> connections by default.

I am an old unlucky fighter against the brain-damaged transition mechanism
combining IPv6 and IPv4 into one port space. 8)

But the thing which you have just said is something doubly weird
and would break all currently existing applications.

Hierarchical bind() never existed. If an application wants
to bind to a specific address, it binds to a specific address,
be it IPv6 or IPv4. If you listen, you listen to everything.
Provided we follow the paradigm of sharing port spaces
between IPv4 and IPv6, it is not a clever idea to break this simple rule.

> We're running into Linux IPv6 problems in BIND 9 development related to
> this. It works better on pretty much every other OS we're testing.

I apologize, but if it works differently on Linux, it is simply broken. 8)

Alexey
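
The access-control concern quoted in this message, as an added example that is not part of the original message or of any project's code: a peer check that unwraps IPv4-mapped IPv6 addresses, so that IPv4 rules still apply to connections accepted on a socket bound to the IPv6 wildcard address. The names `deny_v4`, `peer_denied` and `peer_denied_text` and the sample networks are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed sample policy: denied IPv4 networks (host byte order), prefix 1..32. */
struct v4_rule { uint32_t net; int prefix_len; };
static const struct v4_rule deny_v4[] = {
    { 0xC0000200u, 24 },  /* 192.0.2.0/24 */
    { 0xC6336400u, 24 },  /* 198.51.100.0/24 */
};

static int v4_denied(struct in_addr a)
{
    uint32_t host = ntohl(a.s_addr);
    for (size_t i = 0; i < sizeof deny_v4 / sizeof deny_v4[0]; i++) {
        uint32_t mask = 0xffffffffu << (32 - deny_v4[i].prefix_len);
        if ((host & mask) == (deny_v4[i].net & mask))
            return 1;
    }
    return 0;
}

/* Peer as returned by accept(). An IPv4 client reaching an IPv6 wildcard
 * listener appears as ::ffff:a.b.c.d; unwrap it so the IPv4 rules apply. */
int peer_denied(const struct sockaddr *sa)
{
    if (sa->sa_family == AF_INET)
        return v4_denied(((const struct sockaddr_in *)sa)->sin_addr);
    if (sa->sa_family != AF_INET6)
        return 1; /* unknown family: fail closed */
    const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)sa;
    if (!IN6_IS_ADDR_V4MAPPED(&s6->sin6_addr))
        return 0; /* native IPv6 peer: sample policy has no IPv6 rules */
    struct in_addr v4;
    memcpy(&v4, &s6->sin6_addr.s6_addr[12], sizeof v4);
    return v4_denied(v4);
}

/* Hypothetical helper: parse a textual peer address and run the check. */
int peer_denied_text(int family, const char *text)
{
    struct sockaddr_storage ss = {0};
    ss.ss_family = (sa_family_t)family;
    void *dst = family == AF_INET ? (void *)&((struct sockaddr_in *)&ss)->sin_addr
                                  : (void *)&((struct sockaddr_in6 *)&ss)->sin6_addr;
    if (inet_pton(family, text, dst) != 1)
        return -1;
    return peer_denied((const struct sockaddr *)&ss);
}
```

A check that compares only `AF_INET` peers against the IPv4 rules would return "allowed" for `::ffff:192.0.2.10`, which is the bypass the quoted text describes.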




This archive was generated by hypermail 2b29 : Thu Jun 15 2000 - 21:00:35 EST