[Nut-upsdev] Re: [nut-commits] svn commit r714 - in trunk: . server
Henning Brauer
hb-nut at bsws.de
Wed Jan 10 00:41:58 CET 2007
* Arjen de Korte <nut+devel at de-korte.org> [2007-01-09 22:20]:
> Henning Brauer wrote:
>
> >>> but keep in mind that there are systems that (purposefully) do not
> >>> support v4 mapped addresses.
> >> That shouldn't be too much of a problem, would it?
> > This is only a problem if you open exactly one listening socket with
> > AF_INET6 and expect to handle both v4 and v6 connections there, seeing
> > v4 traffic mapped.
>
> Now I finally realized (took a while) why this is a problem. We
> currently support listening on only one TCP socket, the upsd driver is
> not geared up for more than that. If you want/need to separate all IPv4
> traffic on an AF_INET socket and all IPv6 traffic on an AF_INET6, you
> need at least two. Which means that in mixed configurations, in the
> present state of the server, you'd need mapped IPv4 (for which I take
> your word, is not always possible/desirable).
it is not supported at all on the more security-conscious operating
systems, and disabled by default on a few more.
> > you might want to either drop v4-mapped traffic on AF_INET6 sockets
> > entirely (and use AF_INET sockets exclusively for v4 traffic, that is
> > what I'd recommend), or at least check v4 access controls on AF_INET6
> > traffic for v4-mapped addresses.
> The latter is what we seem to do now and in the short run, this is
> probably all we can offer for people in mixed environments.
I really don't see the point. Just use AF_INET sockets for v4, and
AF_INET6 for v6 and you're done.
> >> Looking at the code, the latter would probably mean that no connections
> >> are allowed at all, so no harm is done.
> > as said, I'd play safe and silently drop all v4mapped stuff on the
> > AF_INET6 socket.
> As long as this code is still in the trunk (not released), I think we
> can/should keep it in. In the mean time, I will take up the task of
> making upsd aware of multiple TCP sockets (by adding LISTEN addresses in
> upsd). I agree that in the end, it is a much nicer solution to handle
> IPv4 and IPv6 separately. This has the added benefit, that if you have
> multiple interfaces on a machine running upsd, you're free to choose on
> which interfaces it is listening. Offers additional protection on top of
> the existing ACCESS/REJECT mechanism we already have.
yes, multiple listeners are really needed.
--
Henning Brauer, hb at bsws.de, henning at openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam