Date: Wed, 19 Feb 2025 13:18:03 -0800
From: Jeff Anton
To: freebsd-java@freebsd.org
Subject: Re: IPv6 in Java on FreeBSD
References: <79B052D3-8A9F-4658-AD33-EDD26BBB1A34@gid.co.uk>
List-Archive: https://lists.freebsd.org/archives/freebsd-java

I have a lot I want to say about this. Unfortunately I only have my mobile phone for the next couple days so writing a lot is difficult.

The security issue(s) should be clear and they don't seem to be clear now. Reading the inet6 and ip6 pages and understanding the security issue is difficult.

I believe the security issue is that if you have an ipv4 mapped into ipv6 arrangement, another process may be able to set up an ipv4 only socket to capture or intercept ipv4 traffic instead of the ipv4 mapped into ipv6 socket already established.

Because the jvm uses this mapping it's vulnerable. Security-heightened people (such as OpenBSD) will not like this.

However, until the jvm is substantially changed, there is not really a choice here.

IMO, it's a bad idea for the jvm to look at the global ipv6 only sysctl for its configuration.
I currently have a problem that sendmail does not work correctly with the global ipv6only set to 0, but I cannot run tomcat in a dual stack environment without that global setting. I'm currently running a modified sendmail to solve this.
I would very much like the jvm to be configurable to work dual stack without clearing the ipv6only sysctl.

Most applications currently assume no ipv4 mapped into ipv6 just because they don't even know it's possible.

So the JVM is the "odd man" which can use this feature and has this possible security issue.

So this is complicated.

IMO, because the JVM is the outlier and there are security issues, the right thing is that a JVM should be individually configured if it's going to use ipv4 mapped into ipv6.
I.e. the configured choices are
  IPv4 only
  IPv6 only
  Dual stack ipv6 with ipv4 mapped into ipv6

Jeff Anton
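The per-socket choice described above (IPv6 only versus dual stack with IPv4 mapped into IPv6), as an added example that is not code from this thread or from the JVM: it sets IPV6_V6ONLY explicitly on the listening socket instead of depending on the global net.inet6.ip6.v6only sysctl, reads the setting back so an operator can verify it, and checks whether a second IPv4-only socket can still claim the same port. It assumes a POSIX sockets API (FreeBSD or Linux); the function names are my own, and the IPv4-only case is simply a plain AF_INET socket and is left out.

```c
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a wildcard [::] listener on an ephemeral port, choosing per socket
 * whether it is IPv6-only (v6only=1) or dual stack with IPv4-mapped peers
 * (v6only=0). Returns the fd or -1; *port gets the bound port, host order. */
int open_v6_listener(int v6only, unsigned short *port)
{
    struct sockaddr_in6 a6;
    socklen_t len = sizeof a6;
    int fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0 || setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof v6only) < 0)
        return -1;
    memset(&a6, 0, sizeof a6);
    a6.sin6_family = AF_INET6;
    a6.sin6_addr = in6addr_any;           /* [::], port 0 = ephemeral */
    if (bind(fd, (struct sockaddr *)&a6, sizeof a6) < 0 ||
        getsockname(fd, (struct sockaddr *)&a6, &len) < 0)
        return -1;
    *port = ntohs(a6.sin6_port);
    return fd;
}

/* Read IPV6_V6ONLY back: the effective per-socket setting, whatever the
 * global sysctl default is. Returns 0, 1, or -1 on error. */
int read_v6only(int fd)
{
    int v = -1;
    socklen_t len = sizeof v;
    return getsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v, &len) < 0 ? -1 : v;
}

/* Try to bind a separate IPv4-only socket to the same port. Returns 0 when
 * the kernel allowed it, otherwise the errno it reported (e.g. EADDRINUSE). */
int probe_ipv4_bind(unsigned short port)
{
    struct sockaddr_in a4 = { .sin_family = AF_INET, .sin_port = htons(port) };
    int fd = socket(AF_INET, SOCK_STREAM, 0), rc;
    if (fd < 0)
        return errno;
    a4.sin_addr.s_addr = htonl(INADDR_ANY);   /* 0.0.0.0, same port */
    rc = bind(fd, (struct sockaddr *)&a4, sizeof a4) < 0 ? errno : 0;
    close(fd);
    return rc;
}
```

Which bind the kernel refuses is platform policy: on Linux the dual-stack listener makes the IPv4 bind fail with EADDRINUSE, while the IPv6-only listener leaves the port free for IPv4.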