[finger on nose] I'm 27 and I wasn't around when RFC2553 was being hammered out, nor was I around to object to its implementation caveats in FreeBSD.
I'm pasting this man page excerpt below only to communicate what the FreeBSD kernel developers have documented, not to take a side.

http://www.freebsd.org/cgi/man.cgi?query=inet6&apropos=0&sektion=0&manpath=FreeBSD+7.2-RELEASE&format=html

---------------------------------------------
Interaction between IPv4/v6 sockets:

By default, FreeBSD does not route IPv4 traffic to AF_INET6 sockets. The default behavior intentionally violates RFC2553 for security reasons. Listen to two sockets if you want to accept both IPv4 and IPv6 traffic. IPv4 traffic may be routed with certain per-socket/per-node configuration, however, it is not recommended to do so. Consult ip6(4) for details.

The behavior of AF_INET6 TCP/UDP socket is documented in RFC2553. Basically, it says this:

  o A specific bind on an AF_INET6 socket (bind(2) with an address specified) should accept IPv6 traffic to that address only.

  o If you perform a wildcard bind on an AF_INET6 socket (bind(2) to IPv6 address ::), and there is no wildcard bind AF_INET socket on that TCP/UDP port, IPv6 traffic as well as IPv4 traffic should be routed to that AF_INET6 socket. IPv4 traffic should be seen as if it came from an IPv6 address like ::ffff:10.1.1.1. This is called an IPv4 mapped address.

  o If there are both a wildcard bind AF_INET socket and a wildcard bind AF_INET6 socket on one TCP/UDP port, they should behave separately. IPv4 traffic should be routed to the AF_INET socket and IPv6 should be routed to the AF_INET6 socket.

However, RFC2553 does not define the ordering constraint between calls to bind(2), nor how IPv4 TCP/UDP port numbers and IPv6 TCP/UDP port numbers relate to each other (should they be integrated or separated). Implemented behavior is very different from kernel to kernel. Therefore, it is unwise to rely too much upon the behavior of AF_INET6 wildcard bind sockets. It is recommended to listen to two sockets, one for AF_INET and another for AF_INET6, when you would like to accept both IPv4 and IPv6 traffic.

It should also be noted that malicious parties can take advantage of the complexity presented above, and are able to bypass access control, if the target node routes IPv4 traffic to AF_INET6 socket. Users are advised to take care handling connections from IPv4 mapped address to AF_INET6 sockets.
---------------------------------------------

~BAS
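An added example, not part of the original post, the FreeBSD man page, or Courier's code: a C sketch of the two-socket approach the excerpt recommends, plus a normalization step for IPv4-mapped peers so they are matched against IPv4 access rules. The function names open_listener and acl_peer_text are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: one wildcard TCP listener per address family. The
 * AF_INET6 socket is forced IPv6-only so IPv4 never arrives as ::ffff:a.b.c.d. */
int open_listener(int family, unsigned short port)
{
    struct sockaddr_storage ss;
    socklen_t len;
    int on = 1, fd = socket(family, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&ss, 0, sizeof ss);   /* zeroed address = wildcard (0.0.0.0 or ::) */
    if (family == AF_INET6) {
        struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)&ss;
        a6->sin6_family = AF_INET6;
        a6->sin6_port = htons(port);
        len = sizeof *a6;
        if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof on) < 0)
            goto fail;
    } else {
        struct sockaddr_in *a4 = (struct sockaddr_in *)&ss;
        a4->sin_family = AF_INET;
        a4->sin_port = htons(port);
        len = sizeof *a4;
    }
    if (bind(fd, (struct sockaddr *)&ss, len) == 0 && listen(fd, 16) == 0)
        return fd;
fail:
    close(fd);
    return -1;
}

/* Hypothetical ACL helper: text form of the peer used for rule matching. An
 * IPv4-mapped IPv6 peer is reduced to dotted IPv4 so the IPv4 rules apply. */
const char *acl_peer_text(const struct sockaddr *sa, char *buf, socklen_t n)
{
    if (sa->sa_family == AF_INET)
        return inet_ntop(AF_INET, &((const struct sockaddr_in *)sa)->sin_addr, buf, n);
    if (sa->sa_family != AF_INET6)
        return NULL;
    const struct in6_addr *a = &((const struct sockaddr_in6 *)sa)->sin6_addr;
    if (IN6_IS_ADDR_V4MAPPED(a))
        return inet_ntop(AF_INET, &a->s6_addr[12], buf, n);
    return inet_ntop(AF_INET6, a, buf, n);
}
```

A server would call open_listener() once with AF_INET and once with AF_INET6 and wait on both descriptors; acl_peer_text() covers the case where mapped addresses are enabled anyway.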
