On 12 May 2004, Jeff Rizzo <[EMAIL PROTECTED]> wrote:

> OK, this morning, I now know a lot more about the situation.  :)
> 
> It seems that the consensus in the BSD community is that ipv4-mapped
> addresses present something of a security risk:
> 
> http://cert.uni-stuttgart.de/archive/bugtraq/2002/08/msg00319.html

OK, thanks for finding that.  He is correct that it is hard to get the
access control rules correct, and there was a bug in distcc about this
in the past.  But I don't think the rest of the thread can be called
"consensus".

It makes sense to me that mapped addresses should not be allowed on
the wire.

I lean towards mapping in the kernel as the best way to support
servers handling both protocols.  I don't think that complicating
every application is the best way to avoid security problems.  

> There is a sysctl on the three major BSDs:
> 
> net.inet6.ip6.v6only = 1
> 
> ... when this is "1", it disables ipv4-mapped addresses.  "1" is the default
> on OpenBSD, NetBSD, and FreeBSD 5.  (FreeBSD4 had it "0").

By my reading, BSD does not comply with the API specification unless
you turn that off.  The divergence is well-intentioned but still in
some senses a bug.

Doesn't this break many other applications?

I don't think it is the expectation of BSD authors that every
application should work with the paranoid sysctls turned on.  I do see
other people saying "if you want this to work on BSD, you must turn
off $foo."

> So, for the moment, I can set v6only to 0, but I'd like to explicitly
> support both in distccd... is this something you'd consider for inclusion
> if I wrote the support?  If so, what do you think the best way to
> enable it would be?  Via autoconf, with some --enable flag?  Checking
> the sysctl value and acting accordingly?

I propose to fix by a FAQ entry telling people to set the sysctl.

If you really want to draft a patch I suppose you can.  My budget for
additional IPv6 complications is pretty low....

> I realize that dual-stack support isn't really high on most folks' priority
> lists (hell, it probably shouldn't be as high as it is on *my* list),
> but I'm willing to do the work if it will eventually get included...

--
Martin
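The point in the exchange above that access-control rules are hard to get right once a dual-stack socket can deliver peers as IPv4-mapped IPv6 addresses (`::ffff:a.b.c.d`), and that the `v6only` default decides whether that ever happens, can be shown concretely. The following C program is an added example and is not distcc's code; the function names (`unmap_v4`, `peer_in_v4_net`, `peer_allowed`, `listen_v6`) are hypothetical. It sets `IPV6_V6ONLY` explicitly on the listening socket instead of relying on the platform default, and normalizes a mapped peer address to its embedded IPv4 address before comparing it against an IPv4 allow rule, so a client at `::ffff:10.1.2.3` is treated exactly as `10.1.2.3` would be.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* If the peer is IPv4, or an IPv4-mapped IPv6 address (::ffff:a.b.c.d),
 * copy the IPv4 part into *out and return 1. Native IPv6 peers return 0,
 * so an IPv4 allow rule never matches them by accident. */
int unmap_v4(const struct sockaddr_storage *ss, struct in_addr *out)
{
    if (ss->ss_family == AF_INET) {
        *out = ((const struct sockaddr_in *)ss)->sin_addr;
        return 1;
    }
    if (ss->ss_family == AF_INET6) {
        const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)ss;
        if (IN6_IS_ADDR_V4MAPPED(&s6->sin6_addr)) {
            /* The last four bytes of a mapped address are the IPv4 address. */
            memcpy(out, &s6->sin6_addr.s6_addr[12], 4);
            return 1;
        }
    }
    return 0;
}

/* Does the (possibly mapped) peer fall inside the IPv4 network net/prefix? */
int peer_in_v4_net(const struct sockaddr_storage *peer, const char *net, int prefix)
{
    struct in_addr peer4, net4;
    if (!unmap_v4(peer, &peer4)) return 0;
    if (inet_pton(AF_INET, net, &net4) != 1 || prefix < 0 || prefix > 32) return 0;
    uint32_t mask = prefix == 0 ? 0 : htonl(0xffffffffu << (32 - prefix));
    return (peer4.s_addr & mask) == (net4.s_addr & mask);
}

/* Parse a textual IPv4 or IPv6 address into a sockaddr_storage (as accept()
 * would fill in). Used here so the rule check can be exercised without a socket. */
static int parse_peer(const char *text, struct sockaddr_storage *ss)
{
    memset(ss, 0, sizeof *ss);
    struct sockaddr_in *s4 = (struct sockaddr_in *)ss;
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)ss;
    if (inet_pton(AF_INET, text, &s4->sin_addr) == 1) { ss->ss_family = AF_INET; return 1; }
    if (inet_pton(AF_INET6, text, &s6->sin6_addr) == 1) { ss->ss_family = AF_INET6; return 1; }
    return 0;
}

/* Convenience wrapper: is the peer given as text allowed by net/prefix? */
int peer_allowed(const char *peer_text, const char *net, int prefix)
{
    struct sockaddr_storage ss;
    if (!parse_peer(peer_text, &ss)) return 0;
    return peer_in_v4_net(&ss, net, prefix);
}

/* Open a TCP listener on [::]:port. Setting IPV6_V6ONLY explicitly makes the
 * server behave the same whatever the OS default (BSD's net.inet6.ip6.v6only,
 * Linux's bindv6only) happens to be. v6only=0 gives one dual-stack socket,
 * and IPv4 clients then show up as mapped addresses. Returns fd or -1. */
int listen_v6(unsigned short port, int v6only)
{
    int fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof v6only) < 0) {
        close(fd);
        return -1;
    }
    struct sockaddr_in6 sa;
    memset(&sa, 0, sizeof sa);
    sa.sin6_family = AF_INET6;
    sa.sin6_addr = in6addr_any;
    sa.sin6_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Constructed sample peers, checked against a constructed 10.0.0.0/8 rule. */
    const char *peers[] = { "10.1.2.3", "::ffff:10.1.2.3", "::ffff:192.168.1.1", "2001:db8::1" };
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++)
        printf("%-20s allowed=%d\n", peers[i], peer_allowed(peers[i], "10.0.0.0", 8));

    int fd = listen_v6(0, 0);   /* port 0: let the kernel pick, dual-stack */
    printf("dual-stack listener %s\n", fd >= 0 ? "opened" : "failed");
    if (fd >= 0) close(fd);
    return 0;
}
```

Both the IPv4 peer and its mapped form match the rule, while a native IPv6 peer does not; that is the normalization an application has to do itself when it chooses `v6only=0`, and the step that is easy to forget. Mapped addresses arriving as genuine IPv6 packets from the wire are a separate concern that the kernel, not this code, has to filter.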
