Re: Bindv6only once again

To: debian-devel@lists.debian.org
Subject: Re: Bindv6only once again
From: Jarek Kamiński <jarek@vilo.eu.org>
Date: Sun, 13 Jun 2010 19:26:29 +0200
Message-id: <[🔎] 20100613172629.GA31665@vilo.eu.org>
Mail-followup-to: Jarek Kamiński <jarek@vilo.eu.org>, debian-devel@lists.debian.org
In-reply-to: <eUTy2-3iq-3@gated-at.bofh.it>
References: <eUmC6-5R6-17@gated-at.bofh.it> <eUQqt-7h7-9@gated-at.bofh.it> <eUR3c-80O-9@gated-at.bofh.it> <eURmy-ck-9@gated-at.bofh.it> <eUTeG-2VE-3@gated-at.bofh.it> <eUTol-382-3@gated-at.bofh.it> <eUTy2-3iq-3@gated-at.bofh.it>

Na grupie linux.debian.devel napisałe(a)ś:
> 3) There are potential security bugs if an application black- or
> white-lists IPv4 addresses and someone uses an v6-mapped IPv4 address to
> connect.  (Handwavy and, as far as I've seen, purely hypothetical.

I don't want to blow the discussion once again, but the security issue
is not only hypothetical. When I started using IPv6 I was deeply
disappointed when one daemon started ignoring my acls because of that.
Of course the daemon is fixed now, but the accident proves the risk is
real.

>  Also
> ties the hands of the system administrator, who may want to treat
> v6-mapped addresses differently than the corresponding native IPv4
> address.)

I have no idea why one might want to do that.

Jarek.

Reply to:

Prev by Date: tech-ctte: Default value for net.ipv6.bindv6only sysctl
Next by Date: Re: Autobuilding non-free packages?
Previous by thread: Re: Bindv6only once again
Next by thread: Re: Bindv6only once again
Index(es):
- Date
- Thread