Re: Default value of net.ipv6.bindv6only should revert to 0

[George Danchev <danchev@spnet.net>]

Salvo Tomaselli writes:
> On Monday 12 April 2010 20:12:36 Russ Allbery wrote:
> > Marco is not changing the point.  What Marco describes has been the
> > objection that several of us have had with bindv6only=0 from the very
> > beginning.  He's just more persistant about continuing to repeat the same
> > point when people keep raising the same arguments against it without
> > apparently being familiar with the previous discussion.
> 
> I am familiar with the previous discussion i had with him.
> 
> > The way to fix the bug in the daemon is to always use IPV6_V6ONLY in the
> > networking code because no other way of handling listening sockets with a
> > dual stack is even remotely sane.
> 
> Some daemons do not use dual stack, which actually makes them more
>  efficient when running.
> Anyway i agree with you, when using dual stack the code must explicitly set
> the ipv6only... the implicit setting can only generate buggy code => the
> actual implicit setting can lead to generate buggy code => it must be
>  changed. We are only going to make the situation worst.
> 
> > Until the daemon is modified to either use IPV6_V6ONLY or to deal with
> > IPv4-mapped addresses, it's going to be broken, possibly in
> > security-sensitive ways since the incoming IP addresses won't be what it
> > expects.  (If, for instance, you've blacklisted a particular IPv4
> > address, suddenly that address gets through without difficulty in an
> > unmodified daemon because it's now showing up as an IPv6 address.)  So
> > it's a question of what bug do you want to have by default: not listening
> > to IPv4 addresses when you bind an IPv6 socket, or getting incoming IP
> > addresses unexpectedly and strangely transformed?
> 
> As above: all the dual stack daemons must set explicitly the IPv6only,
> otherwise it is not going to work as wanted. If some daemon doesn't do
>  that, it is buggy and must be fixed. Introducing other bugs is only going
>  to create a bigger mess.
> 
> > Java assumed you wanted the second bug.  BSD picked the first bug.  We
> > have to pick one or the other.  Neither choice is attractive.
> 
> No, java assumed the *POSIX default behaviour*. Why is the word *default*
>  so difficult to understand?
> It means: "an option that is selected automatically unless an alternative
>  is specified".

You are still missing the point (yes, the java one included): having always an 
IPv6 socket created on dual-stack systems regardless from the desired address 
family and trying to bind such a socket to an IPv4 address (exactly what java 
currently does) is broken by design, lame and just plain stupid and is being 
prevented on any sane system, as they do on the there BSDes to name a few. In 
java itself, you can switch between an exclusive IPv6 and an exclusive IPv4 
stack, by changing whatever silly property, but this approach is simply 
ironic, regardless how "efficient" it might look to you.
 
-- 
pub 4096R/0E4BD0AB <people.fccf.net/danchev/key pgp.mit.edu>