Request for a Lockdown option
Gert Doering
gert at greenie.muc.de
Tue Jul 16 00:17:09 AEST 2024
Hi,
On Sun, Jul 14, 2024 at 10:25:46AM +0100, Brian Candler wrote:
> On 14/07/2024 03:49, Steffen Nurpmeso wrote:
> > I have read
> >
> > https://datatracker.ietf.org/doc/html/draft-cmetz-v6ops-v4mapped-api-harmful-01
> >
> > but as an application developer i find it ugly not to be able to
> > "simply do it", and get back a mapped address.
>
> You are looking at a Internet draft which expired more than 20 years ago.
But, speaking as another application developer, it's still harmful - the
amount of bugs I've found in OS stacks that were the result of cross-stack
packets (v4 packets mapped in a v6 socket) was quite amazing. Like,
ancillary data not being returned ("oops, we forgot to implement that
code path in the kernel"), outgoing source IP not being settable for UDP
packets ("oops, another code path that was never written")...
Add to that logging of addresses ("packet from xxx") which all of a sudden
looks different between "v4 on a v4 socket" and "v4 on a v6 socket".
So the first impression is quite nice, but in retrospective, it was one
of the truly bad ideas in IPv6 socket API design - and I do applaud the
OpenBSD people for being stubborn here.
(Yes, OpenVPN also went the lazy way of "not implement multiple socket
support", and then having to debug all the ways this didn't work right,
or the logging was confusing or wrong, etc.)
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany gert at greenie.muc.de
More information about the openssh-unix-dev
mailing list