
I've consulted ip6(4) but I'm still unclear on exactly why they break with the RFC here. Do you know where they detail the security implications?


     >However, RFC2553 does not define the ordering constraint between calls to
     bind(2), nor how IPv4 TCP/UDP port numbers and IPv6 TCP/UDP port numbers
     relate to each other (should they be integrated or separated).
     Implemented behavior is very different from kernel to kernel.  Therefore, it
     is unwise to rely too much upon the behavior of AF_INET6 wildcard bind
     sockets.  It is recommended to listen to two sockets, one for AF_INET and
     another for AF_INET6, when you would like to accept both IPv4 and IPv6
     traffic.

     >It should also be noted that malicious parties can take advantage of the
     complexity presented above, and are able to bypass access control, if the
     target node routes IPv4 traffic to AF_INET6 socket.  Users are advised to
     take care handling connections from IPv4 mapped address to AF_INET6
     sockets.
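
The two recommendations in the quoted ip6(4) text, as an added C example that is not part of the comment or the man page: one listener per address family, with IPV6_V6ONLY set on the AF_INET6 socket, and a check that reduces an IPv4-mapped peer to its IPv4 address so access-control lookups see the same value on either socket. The function names `make_listener` and `peer_ipv4` are hypothetical.

```c
/* Added example; make_listener and peer_ipv4 are hypothetical names. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Wildcard TCP listener for one family. The AF_INET6 socket is forced to
 * IPv6-only, so IPv4 peers can only arrive on the separate AF_INET socket. */
int make_listener(int family, in_port_t port)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof(struct sockaddr_in);
    int on = 1, fd = socket(family, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&ss, 0, sizeof ss);          /* all-zero address is the wildcard */
    ss.ss_family = family;
    if (family == AF_INET6) {
        ((struct sockaddr_in6 *)&ss)->sin6_port = htons(port);
        len = sizeof(struct sockaddr_in6);
        if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof on) < 0)
            goto fail;
    } else {
        ((struct sockaddr_in *)&ss)->sin_port = htons(port);
    }
    if (bind(fd, (struct sockaddr *)&ss, len) < 0 || listen(fd, 16) < 0)
        goto fail;
    return fd;
fail:
    close(fd);
    return -1;
}

/* Returns 1 and fills *out when the peer is really IPv4: an AF_INET address
 * or an IPv4-mapped AF_INET6 address (::ffff:a.b.c.d). Returns 0 otherwise. */
int peer_ipv4(const struct sockaddr_storage *ss, struct in_addr *out)
{
    const struct in6_addr *a6 = &((const struct sockaddr_in6 *)ss)->sin6_addr;
    if (ss->ss_family == AF_INET) {
        *out = ((const struct sockaddr_in *)ss)->sin_addr;
        return 1;
    }
    if (ss->ss_family == AF_INET6 && IN6_IS_ADDR_V4MAPPED(a6)) {
        memcpy(out, &a6->s6_addr[12], sizeof *out);
        return 1;
    }
    return 0;
}
```

A server would call `make_listener(AF_INET, port)` and `make_listener(AF_INET6, port)` with the same port, then pass each accepted peer address through `peer_ipv4` before consulting any IPv4 allow or deny list.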



