[ds6-devel] no more objections

Mauro Tortonesi mauro@deepspace6.net
Mon Dec 30 23:03:54 2002

Previous message: [ds6-devel] no more objections
Next message: [ds6-devel] no more objections
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 31 Dec 2002, Chris Leishman wrote:

> On Tuesday, December 31, 2002, at 12:27 AM, Mauro Tortonesi wrote:
>
> > chris,
> >
> > 	i was thinking to the double binding stuff we talked about
> > yesterday. i think the best behaviour is:
> >
> > - always reorder the res struct to have ipv6 sockaddrs first
> > - inside the for loop:
> >   1) check that getaddrinfo does not return ipv4-mapped addresses
> >   2) skip if family != PF_INET and family != PF_INET6
> >   3) use IPV6_V6ONLY if the system supports it
> >   4) warn if cannot bind to ptr->ai_addr
> >
> > we can't do much more than this without complicating too much the
> > design
> > of nc6 (e.g. including checks for double binding and/or to discover if
> > a
> > particular addressed is already bound to another process).
> >
> > so, i have no more objections to remove the functions is_ipv6_enabled
> > and
> > is_double_binding_sane. i will do this tomorrow, if you agree.
>
>
> I'm not sure what the point of 1) and 2) is.  Do we really care if
> getaddrinfo returns IPv4 mapped addresses?

yes. for security reasons, we should drop IPv4 mapped addresses returned
by getaddrinfo. see draft-itojun-

> And do we really need to
> limit it to only PF_INET and PF_INET6 - there's no really need to loose
> the AF independence of the code when all we really need to limit is the
> sock types that we can support.

oops, i wanted to say:

  2) skip if ptr->socktype != SOCK_STREAM and ptr->socktype != SOCK_DGRAM

you've already added this check to the code.

> Did you see the algorithm I posted?

yes. it seems rather good.

> On systems where IPV6_V6ONLY is not defined or the setsockopt with it
> fails:
> 	- Keep track of whether an IPv6 socket has been bound.
> 	- If a bind to IPv4 fails with EADDRINUSE and an IPv6 socket
> 	  has been bound, then just ignore the error.

good.

> I would probably extend this to only tracking IPv6 binds to
> IN6_ADDR_ANY, and only ignoring errors from IPv4 binds to IN_ADDR_ANY.

you can do this only if you discard ipv4-mapped addresses. provided we do
this, your algorithm should work rather well.

-- 
Aequam memento rebus in arduis servare mentem...

Mauro Tortonesi			mauro@deepspace6.net
				mauro@ferrara.linux.it
Deep Space 6 - IPv6 on Linux	http://www.deepspace6.net
Ferrara Linux Users Group	http://www.ferrara.linux.it

Previous message: [ds6-devel] no more objections
Next message: [ds6-devel] no more objections
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the ds6-devel mailing list