[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bindv6only once again

On Mon, 14 Jun 2010, Brian May wrote:
> On 14 June 2010 16:35, Marco d'Itri <md@linux.it> wrote:
> > I believe that now we fixed ~everything which can be fixed, so this
> > leaves us with the proprietary Java implementation which apparently Sun
> > is unwilling to fix.
> Is there software that still requires this proprietary Java
> implementation? I hear openjdk is getting better all the time.

Yes.  OpenJDK doesn't have all the crap required for crypto (or something
like that. All I know is that no Brazilian linux user can file his Income
Tax forms with OpenJDK, we have to use the Sun JDK).

> Is proprietary Java the only reason we should keep having bindv6only=0?

No.  Other software not in Debian will also have the same problem.  Not all
of it will be fixed/fixable.

> For me, bindv6only=0 seems like an ugly hack designed to make existing
> applications work without change. Although all these arguments have
> been hashed out before, no point to repeat them.

Actually, one probably has to mess with /etc/gai.conf to get glibc to not do
anything surprising for IPv6-braindamaged applications (i.e. those who work
partially, maybe depending on the bindv6only setting) if one wants to be
safe from IPv4/IPv6 misbehaviour.

On a dual stack box and any application that does NOT work in ipv6only=1
mode, you likely have to firewall/ACL off IPv4, IPv6, IPv4-mapped-in-IPv6
([::ffff:a.b.c.d]) and IPv6-compatible-IPv4 ([::a.b.c.d]).  Icky.   Expect a
lot of problems over this as IPv6 connectivity becomes more widely used.

BTW, this is a problem MS Windows won't have.  They require explicit IPv6
sockets, so it is basically ipv6only=1 for them.

  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Reply to: