lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 17 Mar 2009 09:47:28 -0400
From:	Vlad Yasevich <vladislav.yasevich@...com>
To:	Felix von Leitner <felix-kernel@...e.de>
CC:	Brian Haley <brian.haley@...com>, netdev@...r.kernel.org
Subject: Re: socket api problem: can't bind an ipv6 socket to ::ffff:0.0.0.0

Felix von Leitner wrote:
>> I don't think this ever worked on Linux, from the very beginning of inet6_bind():
> 
>>         /* Check if the address belongs to the host. */
>>         if (addr_type == IPV6_ADDR_MAPPED) {
>>                 v4addr = addr->sin6_addr.s6_addr32[3];
>>                 if (inet_addr_type(net, v4addr) != RTN_LOCAL) {
>>                         err = -EADDRNOTAVAIL;
>>                         goto out;
>>                 }
>>         } else {
> 
> What is the harm in allowing this?  That way an application ported to
> IPv6 can still bind IPv4-only.  Why would it be legal to bind to a
> specific IPv4 address but not to all IPv4 addresses?
> 
> The specific case is a bittorrent tracker.  The code was ported to IPv6,
> but since there is so much overhead in storing IPv6 addresses you are
> supposed to run two processes, one on the IPv6 address and one on the
> IPv4 address (the IPv4 one then does not have overhead).  The sane way
> to do this is to bind the IPv6 socket to ::ffff:0.0.0.0 then.  Otherwise
> you would need some kind of giant abstraction layer in the application.
> And we specifically added the ipv4 mapped addresses so applications
> would not need to have a giant abstraction layer.

Sorry, I just don't buy this.  You imply that you don't want the overhead
of storing IPv6 addresses, but you still get this with ::ffff:0.0.0.0.
In fact, now your overhead is even worse since ever IPv4 address will be
stored stored and interpreted as IPv6 128 bit address.

If you really care about overhead, run 2 services.  Your IPv6 service
will only track real IPv6 addresses and will reduce you total overhead.

If you don't care about overhead, just bind a single socket to :: and
you will get behavior identical for the ::fff:0.0.0.0 case, but with
the added benefit of tracking real ipv6 addresses as well.

Having written support for ::ffff:0.0.0.0, I've always thought it was
a bastardized case that didn't provide any benefits.  It was like saying:
"I've got IPv6 on my system, but I don't really support it, even though
I pretend that I do."

> 
> Did I mention *BSD and OSX allow this?
> 
>> So are you trying to get IPv4-only behavior out of this socket?  Seems
>> like the wrong way to go about it.
> 
> Why would you say that?

Because that case doesn't provide any benefits.  It only has the drawback that
you have to deal with ipv4-mapped IPv6 addresses witch is the overhead of
the whole thing.

If you are prepared to deal with it, you might as well deal with real ipv6 addresses
at the same time and mitigate your overhead somewhat.

-vlad
> 
> Felix
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ