Wandering Thoughts archives

2010-02-14

Brief notes on IPv6 support in some Linux programs

Lately, I've been trying to actually use IPv6. This is a good way to find out various annoying things about how well programs support it, and so I'm going to write down some notes about what I've found out so far.

  • tcpwrappers fully supports IPv6-based access restrictions, but not as nicely as it does IPv4 ones, and subnet-based restrictions have a less convenient notation. This is documented in the hosts.allow manpage.

    (And wow, have modern versions of tcpwrappers picked up some useful features.)

  • ssh supports using IPv6 addresses in from="..." restrictions in authorized_keys files, but it doesn't document this and the degree of support varies between versions. In early versions you can only list full IPv6 addresses (written without '[...]' around them, unlike tcpwrappers); later versions also allow you to use the subnet prefix notation, but inconveniently require the subnet to be 'proper', having a host portion that is all zeros.

    (This is the difference between writing '2002:8064:0333::1/48', which is how a lot of the actual IPv6 stuff is configured, and having to write '2002:8064:0333::/48'. Real examples may be more complicated.)

    Fedora 8 has an earlier ssh; Fedora 11 has a later one.

  • xinetd binds to IPv6 sockets by default, which is a problem if you turn off dual-binding (which is what I think you should do). To specifically bind to IPv4 sockets, set 'flags = ipv4' for a particular entry.

  • Apache defaults to listening on an IPv6 socket. You might think that this is a problem if you turn off dual-binding, but in fact Apache is smarter than you; even if you turn off dual-binding, Apache will turn it back on for its server socket.

    (In fact Apache is so smart that if you carefully tell it to listen separately on IPv4 and IPv6 for the same port, it will combine them into one IPv6 socket. This can be really confusing if you've turned off dual-binding and are trying to make everything work and are suddenly doubting whether your configuration file change took because lsof (or netstat) says that Apache only has a single IPv6 socket.)

Apache's dual-binding support is almost completely perfect; if more programs were like it, dual-binding would have a better reputation. Notice that despite it using an IPv6 socket, you never see IPv4 mapped addresses in your logs and you never have to think about them in your configuration files; you just use and see IPv4 addresses, and Apache fixes everything up behind the scenes.

(I dock Apache style points because it does treat IPv4-compatible addresses differently from plain IPv4 addresses. This is defensible, since after all they're using IPv6 to talk to you, but I'm not sure it's desirable.)
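A runnable illustration of the dual-binding behaviour and the 'proper subnet' rule discussed above (an added example, not code from the post). It assumes a Linux host: the per-socket IPV6_V6ONLY option used here is the socket-level form of the net.ipv6.bindv6only sysctl that turns dual-binding off globally, and the function names normalize_peer, is_proper_prefix, proper_prefix and probe_dual_binding are my own.

```python
import ipaddress
import socket
from typing import Optional


def normalize_peer(addr: str) -> str:
    """Undo IPv4-mapped IPv6 ('::ffff:192.0.2.10' -> '192.0.2.10') so logs and
    ACLs see plain IPv4; this is the clean-up Apache does behind the scenes."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def is_proper_prefix(entry: str) -> bool:
    """True if a subnet entry has an all-zero host part, the only shape the
    later ssh versions mentioned above accept in from= restrictions."""
    try:
        ipaddress.ip_network(entry, strict=True)
        return True
    except ValueError:          # "has host bits set"
        return False


def proper_prefix(entry: str) -> str:
    """Rewrite '2002:8064:0333::1/48' to its proper form '2002:8064:333::/48'."""
    return str(ipaddress.ip_network(entry, strict=False))


def probe_dual_binding(v6only: bool) -> Optional[str]:
    """Bind an IPv6 wildcard listener with IPV6_V6ONLY=v6only and connect to it
    over IPv4 loopback.  Returns the normalized peer address the server saw,
    'refused' if IPv4 clients cannot reach it, or None if IPv6 is unavailable."""
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
        srv.bind(("::", 0))           # port 0: let the kernel pick a free port
        srv.listen(1)
        srv.settimeout(2)
    except OSError:
        return None
    port = srv.getsockname()[1]
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=2):
            conn, peer = srv.accept()   # peer[0] is '::ffff:127.0.0.1' when dual-bound
            conn.close()
            return normalize_peer(peer[0])
    except ConnectionRefusedError:      # v6only=1: the IPv4 side sees no listener
        return "refused"
    except OSError:
        return None
    finally:
        srv.close()
```

With dual-binding on, the IPv4 client shows up on the IPv6 socket as a mapped address and normalize_peer turns it back into the plain IPv4 address you would expect in a log; with IPV6_V6ONLY set, the same IPv4 connection is simply refused.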

linux/SomeIpv6SupportNotes written at 02:14:34