Brian A. Seklecki writes:


[finger on nose]

I'm 27 and I wasn't around when RFC2553 was being hammered out, nor was I
around to object to its implementation caveats in FreeBSD.

I'm pasting this man page excerpt below only to communicate what the
FreeBSD kernel developers have documented, not to take a side.

http://www.freebsd.org/cgi/man.cgi?query=inet6&apropos=0&sektion=0&manpath=FreeBSD+7.2-RELEASE&format=html

That's something else entirely. You need to track down exactly what that kernel setting does. Nothing below documents it.


---------------------------------------------

Interaction between IPv4/v6 sockets:

  By default, FreeBSD does not route IPv4 traffic to AF_INET6 sockets.
  The default behavior intentionally violates RFC2553 for security
  reasons. Listen to two sockets if you want to accept both IPv4 and IPv6
  traffic. IPv4 traffic may be routed with certain per-socket/per-node
  configuration, however, it is not recommended to do so.  Consult ip6(4)
  for details.

  The behavior of AF_INET6 TCP/UDP socket is documented in RFC2553.
  Basically, it says this:

  o   A specific bind on an AF_INET6 socket (bind(2) with an address
      specified) should accept IPv6 traffic to that address only.

  o   If you perform a wildcard bind on an AF_INET6 socket (bind(2) to
      IPv6 address ::), and there is no wildcard bind AF_INET socket on that
      TCP/UDP port, IPv6 traffic as well as IPv4 traffic should be routed
      to that AF_INET6 socket.  IPv4 traffic should be seen as if it came
      from an IPv6 address like ::ffff:10.1.1.1.  This is called an IPv4
      mapped address.

  o   If there are both a wildcard bind AF_INET socket and a wildcard
      bind AF_INET6 socket on one TCP/UDP port, they should behave
      separately. IPv4 traffic should be routed to the AF_INET socket and
      IPv6 should be routed to the AF_INET6 socket.

  However, RFC2553 does not define the ordering constraint between calls
  to bind(2), nor how IPv4 TCP/UDP port numbers and IPv6 TCP/UDP port
  numbers relate to each other (should they be integrated or separated).
  Implemented behavior is very different from kernel to kernel.
  Therefore, it is unwise to rely too much upon the behavior of AF_INET6
  wildcard bind sockets.  It is recommended to listen to two sockets, one
  for AF_INET and  another for AF_INET6, when you would like to accept
  both IPv4 and IPv6 traffic.

  It should also be noted that malicious parties can take advantage of the
  complexity presented above, and are able to bypass access control, if
  the target node routes IPv4 traffic to AF_INET6 socket.  Users are
  advised to take care handling connections from IPv4 mapped address to
  AF_INET6 sockets.

~BAS
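The access-control caveat in the man page excerpt above is easy to reproduce in code: an IPv4 client that lands on an AF_INET6 wildcard socket is reported by accept(2)/getpeername(2) as an IPv4-mapped address such as ::ffff:10.1.1.1, so a rule written as "10.1.1.1" and compared against the raw peer string silently fails to match. The following is an added example (not code from the original post, from Courier, or from the FreeBSD man page) that shows the naive comparison beside a canonicalising one that unwraps the mapped form before any policy decision, and a listener that follows the man page's recommendation of two separate sockets. The function names (parse_peer, peer_text_naive, peer_text_canonical, rule_matches, listen_dual), the deny rule and the peer addresses are constructed for the example; the IPV6_V6ONLY socket option used to pin the AF_INET6 socket to IPv6 comes from RFC 3493 and is not mentioned in the excerpt.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Parse a textual IPv4 or IPv6 address into a sockaddr. Used here to build
 * constructed peers; a server would get the same struct from accept(2). */
int parse_peer(const char *text, struct sockaddr_storage *ss)
{
    struct sockaddr_in *s4 = (struct sockaddr_in *)ss;
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)ss;
    memset(ss, 0, sizeof *ss);
    if (inet_pton(AF_INET, text, &s4->sin_addr) == 1) { s4->sin_family = AF_INET; return 0; }
    if (inet_pton(AF_INET6, text, &s6->sin6_addr) == 1) { s6->sin6_family = AF_INET6; return 0; }
    return -1;
}

/* Naive rendering: print the peer in whatever family the socket reported.
 * An IPv4 client accepted on an AF_INET6 wildcard socket renders as
 * "::ffff:10.1.1.1", which a rule written as "10.1.1.1" never matches. */
int peer_text_naive(const struct sockaddr *sa, char *out, size_t outlen)
{
    const void *addr;
    if (sa->sa_family == AF_INET)       addr = &((const struct sockaddr_in *)sa)->sin_addr;
    else if (sa->sa_family == AF_INET6) addr = &((const struct sockaddr_in6 *)sa)->sin6_addr;
    else return -1;
    return inet_ntop(sa->sa_family, addr, out, outlen) ? 0 : -1;
}

/* Canonical rendering: unwrap an IPv4-mapped address to plain IPv4 before
 * any policy decision, so "::ffff:10.1.1.1" and "10.1.1.1" are one peer.
 * Returns the family the policy should be evaluated under, or -1. */
int peer_text_canonical(const struct sockaddr *sa, char *out, size_t outlen)
{
    if (sa->sa_family == AF_INET6) {
        const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)sa;
        if (IN6_IS_ADDR_V4MAPPED(&s6->sin6_addr)) {
            struct in_addr v4;
            memcpy(&v4, &s6->sin6_addr.s6_addr[12], sizeof v4); /* low 32 bits hold the IPv4 address */
            return inet_ntop(AF_INET, &v4, out, outlen) ? AF_INET : -1;
        }
    }
    return peer_text_naive(sa, out, outlen) == 0 ? (int)sa->sa_family : -1;
}

/* Deny-rule matching against a literal address; the peer is given as text so
 * the comparison can be exercised without an open socket. Returns 1 on match. */
int rule_matches(const char *rule, const char *peer, int canonical)
{
    struct sockaddr_storage ss;
    char buf[INET6_ADDRSTRLEN];
    const struct sockaddr *sa = (const struct sockaddr *)&ss;
    if (parse_peer(peer, &ss) != 0) return 0;
    if (canonical ? peer_text_canonical(sa, buf, sizeof buf) == -1
                  : peer_text_naive(sa, buf, sizeof buf) != 0) return 0;
    return strcmp(rule, buf) == 0;
}

/* The man page's recommendation: one AF_INET and one AF_INET6 listener.
 * IPV6_V6ONLY (RFC 3493; not in the excerpt above) pins the AF_INET6 socket
 * to IPv6 so the pair behaves the same way on every kernel. */
int listen_dual(uint16_t port, int *fd4, int *fd6)
{
    int one = 1;
    struct sockaddr_in a4;
    struct sockaddr_in6 a6;
    memset(&a4, 0, sizeof a4); a4.sin_family = AF_INET;   a4.sin_port = htons(port);
    a4.sin_addr.s_addr = htonl(INADDR_ANY);
    memset(&a6, 0, sizeof a6); a6.sin6_family = AF_INET6; a6.sin6_port = htons(port);
    a6.sin6_addr = in6addr_any;
    if ((*fd6 = socket(AF_INET6, SOCK_STREAM, 0)) < 0) return -1;
    if ((*fd4 = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
    setsockopt(*fd6, IPPROTO_IPV6, IPV6_V6ONLY, &one, sizeof one);
    if (bind(*fd6, (struct sockaddr *)&a6, sizeof a6) < 0 || listen(*fd6, 16) < 0) return -1;
    if (bind(*fd4, (struct sockaddr *)&a4, sizeof a4) < 0 || listen(*fd4, 16) < 0) return -1;
    return 0;
}

int main(void)
{
    const char *deny = "10.1.1.1";   /* constructed deny rule */
    const char *peers[] = { "10.1.1.1", "::ffff:10.1.1.1", "2001:db8::1" };   /* constructed peers */
    int fd4, fd6;
    for (size_t i = 0; i < 3; i++)
        printf("%-18s naive=%d canonical=%d\n", peers[i],
               rule_matches(deny, peers[i], 0), rule_matches(deny, peers[i], 1));
    if (listen_dual(8025, &fd4, &fd6) == 0) { close(fd4); close(fd6); puts("dual listeners ok"); }
    return 0;
}
```

The middle row of the printed table is the bypass the man page warns about: the mapped peer is the same host as the first row, but only the canonicalising comparison treats it that way. Whichever form a server chooses, every rule and every log line should be written against the same one; listening on two sockets with IPV6_V6ONLY set keeps the mapped form from appearing at all.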


_______________________________________________
courier-users mailing list