On Thu, 12 Jul 2001, Phil Pennock wrote:
> The problem is that the OpenBSD maintainer of the IPv6 code feels that
> IPv6-mapped IPv4 addresses pose a security threat because of the
> potential to really break all kinds of ACLs and create a situation where
> what you don't know really bites you.
I know how tricky it is. I've worked on the code in Exim. There are
several places where it has to check for mapped addresses and take
special action. I can imagine it would be easy to overlook them. (I
probably *did* overlook them until tests showed up problems.)
> Of course, you could take Itojun up on this offer of his:
> i volunteer to rewrite any apps that uses single AF_INET6 socket,
> into multiple socket app using getaddrinfo(3) AI_PASSIVE call.
Exim already has multiple socket support (for listening on n explicitly
identified interfaces). It is not going to be hard to modify it to solve
this problem. I intend to add a #define IPV4_NEEDS_IPV4_SOCKET which
will make it use IPv4 sockets for IPv4 addresses, and use 2 sockets (one
of each type) for listening on "all interfaces".
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
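The mapped-address check this message describes, as an added example that is not part of the original email and is not Exim's code. The function names and the sample addresses are hypothetical; it shows an IPv4 ACL test that only looks at AF_INET peers missing a mapped address that arrives on a single AF_INET6 socket, next to one that unwraps the mapped form first.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Reduce a peer address to IPv4: returns 1 and fills *out for AF_INET and
   for IPv4-mapped AF_INET6 (::ffff:a.b.c.d), 0 for anything else. */
static int peer_ipv4(const struct sockaddr_storage *ss, struct in_addr *out)
{
    if (ss->ss_family == AF_INET) {
        *out = ((const struct sockaddr_in *)ss)->sin_addr;
        return 1;
    }
    if (ss->ss_family == AF_INET6) {
        const struct in6_addr *a6 = &((const struct sockaddr_in6 *)ss)->sin6_addr;
        if (IN6_IS_ADDR_V4MAPPED(a6)) {
            memcpy(out, &a6->s6_addr[12], sizeof *out); /* last 4 bytes */
            return 1;
        }
    }
    return 0;
}

/* Hypothetical ACL test: is the peer inside the IPv4 network net/bits? */
static int acl_match_v4(const struct sockaddr_storage *ss, const char *net, int bits)
{
    struct in_addr peer, base;
    if (bits < 0 || bits > 32 || inet_pton(AF_INET, net, &base) != 1) return 0;
    if (!peer_ipv4(ss, &peer)) return 0;
    uint32_t mask = bits ? htonl(0xffffffffu << (32 - bits)) : 0;
    return (peer.s_addr & mask) == (base.s_addr & mask);
}

/* The overlooked case: a test that only handles AF_INET never matches a
   mapped peer, so the IPv4 rule is silently skipped. */
static int naive_match_v4(const struct sockaddr_storage *ss, const char *net, int bits)
{
    return ss->ss_family == AF_INET && acl_match_v4(ss, net, bits);
}

/* Constructed sample input: an AF_INET6 peer address built from text. */
static int make_peer6(const char *text, struct sockaddr_storage *ss)
{
    struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)ss;
    memset(ss, 0, sizeof *ss);
    s6->sin6_family = AF_INET6;
    return inet_pton(AF_INET6, text, &s6->sin6_addr) == 1;
}
```

With separate IPv4 and IPv6 listening sockets, as proposed above, IPv4 peers arrive as AF_INET and the unwrapping step becomes a safety net rather than the only line of defence.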