After a brief talk on IRC I figured I'd get some feelers out there about
this sysctl, which seems to have a long history.

Background: I recently updated the net/rwhoisd port here on FreeBSD with a
patch from the kind hrs@ who fixed it so it binds on both ipv4 AND ipv6
when it is built with ipv6 (default since last summer in the ports tree).
I sent the patch upstream, and I received feedback from a list user that
the real problem is FreeBSD's lack of compliance and we really should
change net.inet6.ip6.v6only=0 to fix it.

Now, originally I was just going to add an install message with the port
to change that sysctl, but I was told it is dangerous and I wasn't sure of
the consequences. I'm quite familiar with ipv6 networking, but not
specifically with this setting and its consequences among software out there,
and I didn't want unknown behavior on my production servers. The patch
hrs@ sent me seemed a better solution at the time.

Later, after a bit more digging and discussion, I've come to learn that the
security aspect may simply be "unexpected behavior -- the binding to ipv6
sockets and end users not realizing it, thus creating a security hole for
environments with only an ipv4 firewall".

We ship a dual-stack firewall by default, and now, since FreeBSD 9, we have
the rc.conf setting ipv6_activate_all_interfaces="YES", which seems
sufficient to mitigate this; the user would have to know they're enabling
ipv6 and what its consequences could be.

So I guess the question is: what do we do? It looks like we're in
violation of both RFC 3493, Section 5.3 and POSIX 2008, Volume 2, Section
2.10.20*.

*I read the RFC, but haven't looked up the POSIX spec yet. Both were
listed in a forum post from 2010.
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
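As an added illustration of the two approaches the post contrasts (this is example code written for this page, not rwhoisd's code and not hrs@'s patch): a daemon that pins IPV6_V6ONLY=1 on its AF_INET6 socket and opens a separate AF_INET socket behaves the same whether net.inet6.ip6.v6only (or Linux's net.ipv6.bindv6only) is 0 or 1, and an administrator can see from the socket list exactly which families are exposed instead of discovering IPv4 arriving as v4-mapped traffic on the v6 socket. The helper names (probe_v6only_default, dual_listener_open, dual_listener_close, listener_families) are invented for the example; binding to loopback with port 0 is an assumption made so it runs offline, and a real daemon would pass loopback=0 and its service port.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* All function names here are invented for this example, not rwhoisd/FreeBSD APIs. */

struct dual_listener {
    int fd4, fd6;   /* listening socket per family, -1 if not bound */
    int v6only;     /* IPV6_V6ONLY read back from fd6, -1 if unknown */
};

/* Kernel default for IPV6_V6ONLY on a fresh AF_INET6 socket (FreeBSD: 1 unless
 * net.inet6.ip6.v6only=0; Linux: 0 unless bindv6only=1). -1 if no AF_INET6 at all. */
int probe_v6only_default(void)
{
    int fd = socket(AF_INET6, SOCK_STREAM, 0), val = -1;
    socklen_t len = sizeof val;
    if (fd < 0) return -1;
    if (getsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &val, &len) != 0)
        val = -1;
    close(fd);
    return val;
}

/* Create, bind and listen on one family.  loopback=1 binds ::1 / 127.0.0.1
 * so the example runs offline; a daemon would pass 0 for the wildcard. */
static int open_one(int family, unsigned short port, int loopback)
{
    int fd = socket(family, SOCK_STREAM, 0), one = 1;
    struct sockaddr_storage ss;
    socklen_t len;
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    memset(&ss, 0, sizeof ss);
    if (family == AF_INET6) {
        /* Pin v6-only explicitly so the daemon behaves the same whatever the
         * sysctl says; IPv4 exposure is then a separate, visible socket
         * rather than v4-mapped traffic hidden on the v6 socket. */
        if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &one, sizeof one) != 0) {
            close(fd);
            return -1;
        }
        struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&ss;
        s6->sin6_family = AF_INET6;
        s6->sin6_port = htons(port);
        s6->sin6_addr = loopback ? in6addr_loopback : in6addr_any;
        len = sizeof *s6;
    } else {
        struct sockaddr_in *s4 = (struct sockaddr_in *)&ss;
        s4->sin_family = AF_INET;
        s4->sin_port = htons(port);
        s4->sin_addr.s_addr = htonl(loopback ? INADDR_LOOPBACK : INADDR_ANY);
        len = sizeof *s4;
    }
    if (bind(fd, (struct sockaddr *)&ss, len) != 0 || listen(fd, 16) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* IPv6 first: with IPV6_V6ONLY=1 the IPv4 bind on the same port succeeds on
 * every platform; with 0 it fails with EADDRINUSE and shows up as fd4 == -1. */
struct dual_listener dual_listener_open(unsigned short port, int loopback)
{
    struct dual_listener l = { -1, -1, -1 };
    socklen_t len = sizeof l.v6only;
    l.fd6 = open_one(AF_INET6, port, loopback);
    l.fd4 = open_one(AF_INET, port, loopback);
    if (l.fd6 >= 0 && getsockopt(l.fd6, IPPROTO_IPV6, IPV6_V6ONLY, &l.v6only, &len) != 0)
        l.v6only = -1;
    return l;
}

void dual_listener_close(struct dual_listener *l)
{
    if (l->fd4 >= 0) close(l->fd4);
    if (l->fd6 >= 0) close(l->fd6);
    l->fd4 = l->fd6 = -1;
}

/* Summary bitmask an operator can log at startup: 1 = IPv4 listener bound,
 * 2 = IPv6 listener bound with v6-only pinned. */
int listener_families(unsigned short port, int loopback)
{
    struct dual_listener l = dual_listener_open(port, loopback);
    int mask = (l.fd4 >= 0 ? 1 : 0) | (l.fd6 >= 0 && l.v6only == 1 ? 2 : 0);
    dual_listener_close(&l);
    return mask;
}

int main(void)
{
    printf("host default IPV6_V6ONLY=%d, bound families=0x%x\n",
           probe_v6only_default(), listener_families(0, 1));
    return 0;
}
```

probe_v6only_default() shows what the host would do to a daemon that never sets the option (the situation the list user wanted fixed by flipping the sysctl), while dual_listener_open() shows the port's patched behaviour: two sockets, each family explicit, so a host with only an ipv4 firewall sees a distinct ipv6 listener in its socket table rather than an ipv6 wildcard socket that quietly also serves ipv4.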