From owner-freebsd-net@FreeBSD.ORG Fri Jun 28 22:30:23 2013
To: freebsd-net@freebsd.org
Date: Fri, 28 Jun 2013 17:30:21 -0500
Subject: Making net.inet6.ip6.v6only=0 default
From: "Mark Felder"
List-Id: Networking and TCP/IP with FreeBSD

After a brief talk on IRC I figured I'd get some feelers out there about this sysctl, which seems to have a long history.

Background: I recently updated the net/rwhoisd port here on FreeBSD with a patch from the kind hrs@, who fixed it so it binds on both IPv4 AND IPv6 when it is built with IPv6 (default since last summer in the ports tree). I sent the patch upstream, and I received feedback from a list user that the real problem is FreeBSD's lack of compliance and we really should change net.inet6.ip6.v6only=0 to fix it.

Now, originally I was just going to add an install message with the port to change that sysctl, but I was told it is dangerous and I wasn't sure of the consequences. I'm quite familiar with IPv6 networking, but not specifically this setting and its consequences among software out there, and I didn't want unknown behavior on my production servers. The patch hrs@ sent me seemed a better solution at the time.

Later, after a bit more digging and discussion, I've come to learn that the security aspect may simply be "unexpected behavior -- the binding to IPv6 sockets and end users not realizing it, thus creating a security hole for environments with only an IPv4 firewall". We ship a dual-stack firewall by default, and, since FreeBSD 9, we have the rc.conf setting ipv6_activate_all_interfaces="YES", which seems sufficient to mitigate this; the user would have to know they're enabling IPv6 and what its consequences could be.

So I guess the question is: what do we do? It looks like we're in violation of both RFC 3493, Section 5.3 and POSIX 2008, Volume 2, Section 2.10.20*.
*I read the RFC, but haven't looked up the POSIX spec yet. Both were listed in a forum post from 2010.
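The behaviour the post is weighing (one AF_INET6 listener silently covering IPv4 too when net.inet6.ip6.v6only=0, versus one listener per family) can be observed directly, and a daemon can make itself independent of whichever default FreeBSD picks by setting IPV6_V6ONLY on its own socket, which is the per-socket option RFC 3493 section 5.3 defines. The C program below is an added example written for this page; it is not hrs@'s port patch, rwhoisd code, or anything from the thread. It assumes a POSIX sockets host (FreeBSD or Linux, where the equivalent knob is net.ipv6.bindv6only), binds only to ephemeral wildcard ports, and never calls listen(), so it only probes the bind rules.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Outcomes of try_bind_both(). */
enum { BIND_UNSUPPORTED = -1, BIND_CONFLICT = 0, BIND_OK = 1 };

/*
 * Bind an AF_INET6 socket to [::]:<ephemeral> with IPV6_V6ONLY set
 * explicitly to 'v6only', then try to bind a separate AF_INET socket to
 * 0.0.0.0 on the same port, the way a daemon that wants one listener per
 * family would.  Because the option is set explicitly, the outcome does
 * not depend on the net.inet6.ip6.v6only (or Linux bindv6only) default.
 *
 * Returns BIND_OK when both sockets coexist, BIND_CONFLICT when the v4
 * bind fails with EADDRINUSE because the v6 socket already accepts
 * IPv4-mapped connections, and BIND_UNSUPPORTED when the host cannot
 * create or bind IPv6 sockets at all.  *effective receives the value of
 * IPV6_V6ONLY read back from the kernel with getsockopt().
 */
int try_bind_both(int v6only, int *effective)
{
    struct sockaddr_in6 a6;
    struct sockaddr_in a4;
    socklen_t len;
    int s6, s4, got = -1, result;

    s6 = socket(AF_INET6, SOCK_STREAM, 0);
    if (s6 < 0)
        return BIND_UNSUPPORTED;

    if (setsockopt(s6, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof v6only) < 0) {
        close(s6);
        return BIND_UNSUPPORTED;
    }
    len = sizeof got;
    if (getsockopt(s6, IPPROTO_IPV6, IPV6_V6ONLY, &got, &len) == 0 && effective)
        *effective = got;

    memset(&a6, 0, sizeof a6);
    a6.sin6_family = AF_INET6;
    a6.sin6_addr = in6addr_any;          /* ::  (wildcard, like a real daemon) */
    a6.sin6_port = 0;                    /* let the kernel pick a free port */
    if (bind(s6, (struct sockaddr *)&a6, sizeof a6) < 0) {
        close(s6);
        return BIND_UNSUPPORTED;
    }
    len = sizeof a6;
    if (getsockname(s6, (struct sockaddr *)&a6, &len) < 0) {
        close(s6);
        return BIND_UNSUPPORTED;
    }

    s4 = socket(AF_INET, SOCK_STREAM, 0);
    if (s4 < 0) {
        close(s6);
        return BIND_UNSUPPORTED;
    }
    memset(&a4, 0, sizeof a4);
    a4.sin_family = AF_INET;
    a4.sin_addr.s_addr = htonl(INADDR_ANY);  /* 0.0.0.0 */
    a4.sin_port = a6.sin6_port;              /* same port as the v6 socket */

    if (bind(s4, (struct sockaddr *)&a4, sizeof a4) == 0)
        result = BIND_OK;
    else
        result = (errno == EADDRINUSE) ? BIND_CONFLICT : BIND_UNSUPPORTED;

    close(s4);
    close(s6);
    return result;
}

/* 1 when forcing IPV6_V6ONLY=1 yields two independent per-family listeners
 * (or when IPv6 sockets are unavailable on this host), else 0. */
int separate_listeners_ok(void)
{
    int eff = -1;
    int r = try_bind_both(1, &eff);
    return r == BIND_UNSUPPORTED || (r == BIND_OK && eff == 1);
}

/* 1 when a dual-stack (IPV6_V6ONLY=0) socket is observed to occupy the IPv4
 * side of the port as well (or when IPv6 sockets are unavailable), else 0. */
int dual_stack_occupies_v4_port(void)
{
    int eff = -1;
    int r = try_bind_both(0, &eff);
    return r == BIND_UNSUPPORTED || (r == BIND_CONFLICT && eff == 0);
}

int main(void)
{
    int eff, r;

    r = try_bind_both(1, &eff);
    printf("IPV6_V6ONLY=1: effective=%d, separate v4 listener %s\n", eff,
           r == BIND_OK ? "fits" : r == BIND_CONFLICT ? "conflicts" : "n/a");
    r = try_bind_both(0, &eff);
    printf("IPV6_V6ONLY=0: effective=%d, separate v4 listener %s\n", eff,
           r == BIND_OK ? "fits" : r == BIND_CONFLICT ? "conflicts" : "n/a");
    return 0;
}
```

With the option forced to 1 the two binds coexist, which is the layout hrs@'s patch aims for; with it forced to 0 the IPv6 socket alone already answers IPv4 clients and the second bind fails with EADDRINUSE. On FreeBSD the same thing is visible after the fact with `sockstat -46l`: a daemon that relies on the sysctl default shows one tcp6 `*:port` entry and quietly serves IPv4 too when v6only=0, which is exactly the "IPv4-only firewall" surprise the post describes, whereas a daemon that sets the option itself shows the same listeners whichever way the default is decided.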