

To: Bill Manning <bmanning@ISI.EDU>
Cc: dnsop@cafax.se
From: itojun@iijlab.net
Date: Wed, 19 Sep 2001 17:43:47 +0900
In-reply-to: bmanning's message of Wed, 19 Sep 2001 01:16:55 MST. <200109190816.f8J8Gtm15029@zed.isi.edu>
Sender: owner-dnsop@cafax.se
Subject: Re: operationally (if not yet WG) related


>Hum...  What's happening?
>
>Nothing in section 5 of RFC 2292 says that mapped addresses
>are disallowed in in6_pktinfo.  The only requirement is that
>they are unicast addresses.
>So, does everyone do in6_pktinfo the same? Are the rest of the calls
>there?  Do stack developers follow RFC 2553, esp. section 3.7?

	no, everyone does in6_pktinfo differently, because the specification
	itself is vague, and there are people convinced that RFC2553 section
	3.7 leads us to security vulnerability.

	there's no documentation available as to how far we need to support
	RFC2553 section 3.7.  for example:
	- if we use IPv4 mapped address in IPv6 ioctls/setsockopt/ancillary
	  data, does that mean we need to translate them into IPv4 ioctls?
	also, there are a lot of missing pieces in RFC2553 section 3.7.
	everyone can have a different idea out of this ambiguous specification:
	- bind(2) ordering/conflict table.  when we have an AF_INET6 socket,
	  bound to a specific IPv4 mapped address, should we forbid bind(2) to
	  an IPv4 address with the same port, on AF_INET socket?
	regarding the security issue, see:
	http://www.kame.net/dev/cvsweb.cgi/kame/kame/kame/v6test/conf/transition-abuse.conf
	draft-itojun-ipv6-transition-abuse-xx.txt

	yes, the implementation differences are painful for application
	developers, however, implementers failed to reach the consensus
	after a long long holy war.  the safest way for application
	implementers is to avoid using IPv4 mapped address at all and use
	AF_INET6/AF_INET sockets separately.

>This from a stack developer:
>"The ways of handling of the IPv4-mapped IPv6 address varies the
>operating systems.
>When writing a dual stack application, on some OSes you need single
>socket opened for IPv6 and an IPv4 packet comes with an IPv4-mapped
>IPv6 address. Linux would be one of this category.
>On the other OSes, you need to open two sockets; one for IPv4 and the
>other for IPv6. BSD/OS and NetBSD fall under this category.
>Both behaviors are considered to be valid.
>This inconsistency would introduce portability problem, however."

	this part is talking about behavior of a listening socket.
	BIND9 behavior against IPv4-mapped-address-in-AAAA has things to do
	with outgoing (sending) socket.  i believe the above sentence is
	not really related to the issue.

>"We recommend DNS administrators DO NOT use mapped IPv6 addresses with
>opcode 28 <type AAAA> resource records in ANY zone file."

	I agree 120%.

itojun
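
Added example, not part of the original message or of any stack or project it mentions: one way an application can keep AF_INET6 and AF_INET sockets separate, refuse IPv4-mapped peers, and flag IPv4-mapped AAAA data before it goes into a zone. It assumes a platform that provides the IPV6_V6ONLY socket option (RFC 3493); the function names are hypothetical.

```c
/* Added example: separate per-family listeners plus IPv4-mapped checks. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a wildcard TCP listener for one family. The AF_INET6 socket is made
 * IPv6-only, so IPv4 traffic can never show up on it as ::ffff:a.b.c.d. */
int open_listener(int family, unsigned short port)
{
    struct sockaddr_storage ss;
    socklen_t len;
    int on = 1, fd = socket(family, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&ss, 0, sizeof(ss));
    if (family == AF_INET6) {
        struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&ss;
        s6->sin6_family = AF_INET6;
        s6->sin6_port = htons(port);      /* sin6_addr stays :: (zeroed) */
        len = sizeof(*s6);
        if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) goto fail;
    } else {
        struct sockaddr_in *s4 = (struct sockaddr_in *)&ss;
        s4->sin_family = AF_INET;
        s4->sin_port = htons(port);       /* sin_addr stays 0.0.0.0 (zeroed) */
        len = sizeof(*s4);
    }
    if (bind(fd, (struct sockaddr *)&ss, len) < 0 || listen(fd, 16) < 0) goto fail;
    return fd;
fail:
    close(fd);
    return -1;
}

/* 1 if a peer or source address is an IPv4-mapped IPv6 address, else 0. */
int is_v4mapped_peer(const struct sockaddr *sa)
{
    if (sa->sa_family != AF_INET6) return 0;
    return IN6_IS_ADDR_V4MAPPED(&((const struct sockaddr_in6 *)sa)->sin6_addr) ? 1 : 0;
}

/* 1 if AAAA rdata text is IPv4-mapped, 0 if it is not, -1 if unparsable. */
int aaaa_is_v4mapped(const char *text)
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, text, &a) != 1) return -1;
    return IN6_IS_ADDR_V4MAPPED(&a) ? 1 : 0;
}
```

A server would call open_listener() once with AF_INET6 and once with AF_INET on the same port and drop any accepted peer for which is_v4mapped_peer() returns 1.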
