> On 2016/05/17 15:01, Ted Unangst wrote:
> > Theo de Raadt wrote:
> > > From the beginning we were promised that modifying a program to use
> > > IPv6 only required opening a 2nd socket using AF_INET6.  Then the
> > > recipes grew, and grew and grew.  It went astray.
> > > 
> > > 10,000 programs don't follow the practice.  If everyone has to follow
> > > this practice, then the practice is wrong.  If basically no one follows
> > > the practice, then the practice is also wrong.
> > 
> > I can't disagree with this.
> 
> Current real world is, if you have software which uses IP-based
> restrictions or configuration, on many OS you either set IPV6_V6ONLY
> so you only receive real v6 traffic on that socket, or you deal with
> expanding v4 to the v6-mapped format yourself because otherwise you
> don't have a clue what you're going to get from the kernel.

Oh, the situation is much worse than that.

Almost assuredly your host will filter traffic differently than
the next router.  So the traffic is V6 in one direction, but V4 in
the other direction.  The packet filter states will not match.

If the filters in the middle are adjusted to pay attention to the
v4-inside-v6 traffic, then of course someone playing with the network
will send confusing traffic of the other kind.

Forget about filtering such traffic correctly.

The IETF made a mistake.  No one had the balls to undo this.  Fast
forward 20 years and the trap remains.

The argument is we should fix ntpd.  How do we make 10,000+ pieces of
software follow the same rule?  We simply don't?  That is pretty sad.

> Is this a change you want to rely on an OS packager to (know|remember)
> to make? Or a maintainer somewhere down the line to fix the patch
> rather than delete it when an update causes it to conflict?

I don't think we can protect users from their vendors.
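The two choices the earlier reply describes, as an added example that is not code from this thread or from ntpd: an AF_INET6 listener with IPV6_V6ONLY set so the socket only ever sees real v6 peers, and, for a socket that does accept mapped traffic, an ACL comparison that unwraps ::ffff:a.b.c.d before matching so a v4 rule and a v4-mapped peer are treated as the same address. Function names are mine.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Listening socket that refuses v4-mapped traffic. With IPV6_V6ONLY set,
 * v4 clients must arrive on a separate AF_INET socket, so each socket's
 * peers have exactly one address family. Returns the fd, or -1 on error. */
int listen_v6only(uint16_t port) {
    int fd = socket(AF_INET6, SOCK_STREAM, 0), one = 1;
    struct sockaddr_in6 sa;
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin6_family = AF_INET6; sa.sin6_addr = in6addr_any; sa.sin6_port = htons(port);
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &one, sizeof one) < 0 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* For sockets that do accept mapped traffic: write the canonical text form
 * of an address (v4, v6, or v4-mapped v6) so ::ffff:192.0.2.1 and 192.0.2.1
 * compare as the same peer. Returns the family of the result, or -1. */
int canonical_addr(const char *text, char *out, size_t outlen) {
    struct in_addr a4; struct in6_addr a6;
    if (inet_pton(AF_INET, text, &a4) == 1)
        return inet_ntop(AF_INET, &a4, out, outlen) ? AF_INET : -1;
    if (inet_pton(AF_INET6, text, &a6) != 1)
        return -1;
    if (IN6_IS_ADDR_V4MAPPED(&a6)) {
        /* the v4 address is the low 32 bits of the mapped v6 address */
        memcpy(&a4, &a6.s6_addr[12], sizeof a4);
        return inet_ntop(AF_INET, &a4, out, outlen) ? AF_INET : -1;
    }
    return inet_ntop(AF_INET6, &a6, out, outlen) ? AF_INET6 : -1;
}

/* An ACL rule written as 192.0.2.1 must also cover a peer the kernel
 * reported as ::ffff:192.0.2.1: compare canonical forms, not raw text. */
int acl_matches(const char *acl_entry, const char *peer) {
    char a[INET6_ADDRSTRLEN], b[INET6_ADDRSTRLEN];
    if (canonical_addr(acl_entry, a, sizeof a) < 0 ||
        canonical_addr(peer, b, sizeof b) < 0) return 0;
    return strcmp(a, b) == 0;
}
```

The same unmapping has to be applied to every place an address is logged, compared or passed to a packet filter, which is exactly the "recipes grew" problem above.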
