Date: Fri, 28 Jun 2013 17:30:21 -0500
From: "Mark Felder" <feld@feld.me>
To: freebsd-net@freebsd.org
Subject: Making net.inet6.ip6.v6only=0 default
Message-ID: <op.wzet4vr234t2sn@tech304.office.supranet.net>
After a brief talk on IRC I figured I'd get some feelers out there about this sysctl, which seems to have a long history.

Background: I recently updated the net/rwhoisd port here on FreeBSD with a patch from the kind hrs@, who fixed it so it binds on both IPv4 AND IPv6 when it is built with IPv6 (the default since last summer in the ports tree). I sent the patch upstream, and I received feedback from a list user that the real problem is FreeBSD's lack of compliance and that we really should change net.inet6.ip6.v6only=0 to fix it. Now, originally I was just going to add an install message with the port to change that sysctl, but I was told it is dangerous and I wasn't sure of the consequences. I'm quite familiar with IPv6 networking, but not specifically with this setting and its consequences among software out there, and I didn't want unknown behavior on my production servers. The patch hrs@ sent me seemed a better solution at the time.

Later, after a bit more digging and discussion, I've come to learn that the security aspect may simply be "unexpected behavior -- the binding to IPv6 sockets and end users not realizing it, thus creating a security hole for environments with only an IPv4 firewall". We ship a dual-stack firewall by default, and since FreeBSD 9 we have the rc.conf setting ipv6_activate_all_interfaces="YES", which seems sufficient to mitigate this; the user would have to know they're enabling IPv6 and what its consequences could be.

So I guess the question is: what do we do? It looks like we're in violation of both RFC 3493, Section 5.3 and POSIX 2008, Volume 2, Section 2.10.20*.

*I read the RFC, but haven't looked up the POSIX spec yet. Both were listed in a forum post from 2010.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?op.wzet4vr234t2sn>
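The behaviour the message argues about is easier to see with a socket in hand. The following is an added example, not code from the FreeBSD tree, from rwhoisd or from hrs@'s patch: it opens an AF_INET6 listener on [::] with IPV6_V6ONLY set explicitly, rather than inheriting the kernel default (net.inet6.ip6.v6only on FreeBSD, net.ipv6.bindv6only on Linux), and then checks whether a plain IPv4 client on 127.0.0.1 can reach it. With v6only=0 the IPv4 client gets in through the "IPv6" socket as a v4-mapped address (::ffff:127.0.0.1), which is exactly the surprise an IPv4-only firewall ruleset would miss; with v6only=1 it is refused and a separate AF_INET socket would be needed. The function names, the use of an ephemeral port and the loopback probe are choices made for this example, and the result codes are constructed for it.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Result codes for this example (constructed, not a system API). */
enum { REFUSED = 0, REACHABLE = 1, ERR = -1, NO_IPV6 = -2 };

/* Report what a freshly created AF_INET6 socket inherits from the kernel
 * default (FreeBSD ships 1, Linux ships 0). NO_IPV6 if the stack is absent. */
int kernel_v6only_default(void) {
    int fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0)
        return (errno == EAFNOSUPPORT) ? NO_IPV6 : ERR;
    int v = -1;
    socklen_t len = sizeof v;
    int rc = getsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v, &len);
    close(fd);
    return rc < 0 ? ERR : v;
}

/* Listen on [::]:0 with IPV6_V6ONLY set explicitly to `v6only`, so the
 * program's behaviour does not depend on the sysctl. Returns the listening
 * fd and stores the chosen port, or a negative result code. */
static int listen_v6(int v6only, uint16_t *port) {
    int fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0)
        return (errno == EAFNOSUPPORT) ? NO_IPV6 : ERR;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    /* The explicit setsockopt is the portable fix: set it per socket,
     * in whichever direction the daemon actually wants. */
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof v6only) < 0) {
        close(fd);
        return ERR;
    }
    struct sockaddr_in6 sa6;
    memset(&sa6, 0, sizeof sa6);
    sa6.sin6_family = AF_INET6;
    sa6.sin6_addr = in6addr_any;   /* [::]  */
    sa6.sin6_port = 0;             /* ephemeral port, read back below */
    if (bind(fd, (struct sockaddr *)&sa6, sizeof sa6) < 0 || listen(fd, 1) < 0) {
        int rc = (errno == EADDRNOTAVAIL || errno == EAFNOSUPPORT) ? NO_IPV6 : ERR;
        close(fd);
        return rc;
    }
    socklen_t len = sizeof sa6;
    if (getsockname(fd, (struct sockaddr *)&sa6, &len) < 0) {
        close(fd);
        return ERR;
    }
    *port = ntohs(sa6.sin6_port);
    return fd;
}

/* Connect from a plain AF_INET socket to 127.0.0.1:port. */
static int connect_v4(uint16_t port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return ERR;
    struct sockaddr_in sa4;
    memset(&sa4, 0, sizeof sa4);
    sa4.sin_family = AF_INET;
    sa4.sin_port = htons(port);
    sa4.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int rc = connect(fd, (struct sockaddr *)&sa4, sizeof sa4);
    int saved = errno;
    close(fd);
    if (rc == 0)
        return REACHABLE;
    return (saved == ECONNREFUSED) ? REFUSED : ERR;
}

/* Does an IPv4 client reach an AF_INET6 listener configured with `v6only`?
 * REACHABLE when v6only=0 (v4-mapped), REFUSED when v6only=1. */
int probe_v4_over_v6_listener(int v6only) {
    uint16_t port;
    int lfd = listen_v6(v6only, &port);
    if (lfd < 0)
        return lfd;
    int r = connect_v4(port);
    close(lfd);
    return r;
}

int main(void) {
    printf("kernel default IPV6_V6ONLY: %d\n", kernel_v6only_default());
    printf("IPv4 client vs [::] listener, v6only=0: %d (1 = reachable)\n",
           probe_v4_over_v6_listener(0));
    printf("IPv4 client vs [::] listener, v6only=1: %d (0 = refused)\n",
           probe_v4_over_v6_listener(1));
    return 0;
}
```

A daemon that sets IPV6_V6ONLY itself on every AF_INET6 socket gets the same behaviour on FreeBSD and Linux regardless of the sysctl; a daemon that leaves it unset is the one that silently changes its IPv4 exposure when an administrator flips net.inet6.ip6.v6only. If the operating system reports no IPv6 support at all, the probes return NO_IPV6 rather than a verdict.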