
Re: Default value of net.ipv6.bindv6only should revert to 0



On Monday 12 April 2010 20:12:36 Russ Allbery wrote:
> Marco is not changing the point.  What Marco describes has been the
> objection that several of us have had with bindv6only=0 from the very
> beginning.  He's just more persistent about continuing to repeat the same
> point when people keep raising the same arguments against it without
> apparently being familiar with the previous discussion.
I am familiar with the previous discussion I had with him.

> The way to fix the bug in the daemon is to always use IPV6_V6ONLY in the
> networking code because no other way of handling listening sockets with a
> dual stack is even remotely sane.
Some daemons do not use dual stack, which actually makes them more efficient 
when running.
Anyway I agree with you, when using dual stack the code must explicitly set 
the ipv6only... the implicit setting can only generate buggy code => the 
actual implicit setting can lead to generate buggy code => it must be changed.
We are only going to make the situation worse.

> Until the daemon is modified to either use IPV6_V6ONLY or to deal with
> IPv4-mapped addresses, it's going to be broken, possibly in
> security-sensitive ways since the incoming IP addresses won't be what it
> expects.  (If, for instance, you've blacklisted a particular IPv4 address,
> suddenly that address gets through without difficulty in an unmodified
> daemon because it's now showing up as an IPv6 address.)  So it's a
> question of what bug do you want to have by default: not listening to IPv4
> addresses when you bind an IPv6 socket, or getting incoming IP addresses
> unexpectedly and strangely transformed?
As above: all the dual stack daemons must set explicitly the IPv6only, 
otherwise it is not going to work as wanted. If some daemon doesn't do that, 
it is buggy and must be fixed. Introducing other bugs is only going to create 
a bigger mess.

> Java assumed you wanted the second bug.  BSD picked the first bug.  We
> have to pick one or the other.  Neither choice is attractive.
No, Java assumed the *POSIX default behaviour*. Why is the word *default* so 
difficult to understand?
It means: "an option that is selected automatically unless an alternative is 
specified".

> Just about every daemon I've ever seen had this problem in its original
> conversion to IPv6 support.  I've fixed it in all of my code by using
> IPV6_V6ONLY as soon as I became aware of its existence.
Because you didn't bother to read the documentation of the system calls.
I wouldn't assume everyone is going to behave like that.
Be specific and tell me the name of one daemon I can download the source and 
see the problem please.

Bye
-- 
Salvo Tomaselli
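
Added example, not part of the original message or of any daemon named in the thread: a listener that sets IPV6_V6ONLY explicitly instead of relying on the net.ipv6.bindv6only default, and a blocklist check showing how an IPv4-mapped peer slips past an unmodified comparison. The function names listen_v6 and peer_blocked are hypothetical, and 192.0.2.10 is a constructed blocklist entry.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed blocklist entry (RFC 5737 documentation range). */
static const char BLOCKED_V4[] = "192.0.2.10";

/* Listen on [::]:port with IPV6_V6ONLY stated explicitly, so the result does
 * not depend on net.ipv6.bindv6only. Returns the socket fd, or -1 on error. */
int listen_v6(unsigned short port, int v6only)
{
    struct sockaddr_in6 sa;
    int fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin6_family = AF_INET6;
    sa.sin6_addr = in6addr_any;
    sa.sin6_port = htons(port);
    /* The option has to be set before bind(). */
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof v6only) < 0 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Blocklist check for a peer accepted on a dual-stack (v6only=0) socket.
 * normalize=0 models the unmodified daemon: it compares the printed peer
 * address. normalize=1 unwraps ::ffff:a.b.c.d to its IPv4 form first.
 * Returns 1 if blocked, 0 if not, -1 if an address cannot be parsed. */
int peer_blocked(const char *peer_text, int normalize)
{
    struct in6_addr peer;
    struct in_addr blocked;
    char printed[INET6_ADDRSTRLEN];
    if (inet_pton(AF_INET6, peer_text, &peer) != 1 ||
        inet_pton(AF_INET, BLOCKED_V4, &blocked) != 1)
        return -1;
    if (!normalize)
        return inet_ntop(AF_INET6, &peer, printed, sizeof printed) != NULL &&
               strcmp(printed, BLOCKED_V4) == 0;
    if (!IN6_IS_ADDR_V4MAPPED(&peer))
        return 0; /* native IPv6 peer, not on this IPv4 list */
    return memcmp(&peer.s6_addr[12], &blocked, sizeof blocked) == 0;
}
```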

