Some stuff on dual-bound IPv6 sockets on Linux

February 13, 2010

One place where IPv4 mapped addresses show up a lot is the logs of Linux daemons that are running on machines with IPv6 enabled. These days, it's reasonably popular for daemons to listen (only) on an IPv6 socket for both IPv4 and IPv6 connections. The kernel makes this work, using IPv4 mapped addresses for the IPv4 connections, and then you get to find out which daemons choke anyways.

Not everyone likes the behavior where listening on a wildcard IPv6 socket will get you both IPv6 and IPv4 connections; see here for a rundown of some of the problems with this. Naturally, there are objections to any change in the status quo.

Personally, I agree with the people arguing against dual-bound sockets who want to set the net.ipv6.bindv6only sysctl to 1 by default. The idea of programs only having to deal with IPv6 is a nice one, but in practice that ship sailed at least a decade ago, and it's too late now. We have a huge collection of configurations and practices with IPv4 addresses; changing them to use the IPv6 form of those addresses is a pointless pain in the rear at best.

(At worst, things don't work as well as they did with real IPv4 addresses. Compare tcpwrappers' support for IPv6 addresses against its support for IPv4 addresses, for example, and consider the work involved in moving an IPv4 tcpwrappers configuration to use IPv4 mapped addresses.)
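An added example, not from the original entry: how an IPv4-only access list behaves when a dual-bound socket reports IPv4 peers as IPv4 mapped addresses, and the normalization that lets the existing IPv4 rules keep working. The networks, peer strings and function names are constructed for illustration.

```python
import ipaddress

# Constructed IPv4-only access rules, standing in for an existing IPv4 setup.
ALLOWED_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.16/28"),
]


def normalize_peer(addr):
    """Parse a peer address; unwrap ::ffff:a.b.c.d to the plain IPv4 a.b.c.d."""
    text = addr.strip("[]").split("%", 1)[0]  # drop brackets and any zone id
    ip = ipaddress.ip_address(text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def naive_allowed(addr):
    """Compare the address exactly as the socket reported it.

    An IPv6Address is never inside an IPv4Network, so a peer that arrives
    as an IPv4 mapped address matches none of the IPv4 rules.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED_NETS)


def allowed(addr):
    """Normalize first, then apply the unchanged IPv4 rules."""
    ip = normalize_peer(addr)
    return any(ip in net for net in ALLOWED_NETS)


def audit(peers):
    """Return (peer, naive verdict, normalized verdict) for each peer string."""
    return [(p, naive_allowed(p), allowed(p)) for p in peers]


if __name__ == "__main__":
    # Constructed peer addresses as a dual-bound daemon might log them.
    sample = ["192.0.2.10", "::ffff:192.0.2.10", "::ffff:203.0.113.5", "2001:db8::1"]
    for peer, naive, fixed in audit(sample):
        print(f"{peer:22} naive={naive!s:5} normalized={fixed}")
```

Rows where the two verdicts differ are the cases in which an unmodified IPv4 configuration stops matching once the daemon moves to a dual-bound socket.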

In practice it's much simpler to keep running IPv4 setups as is and to treat IPv6 as a completely separate world. But in order to make this work you need to be able to listen on a wildcard IPv4 socket and a separate wildcard IPv6 socket at the same time, and to do this you need to turn on bindv6only.

(This has the effect of disabling IPv4 mapped addresses entirely; attempts to use them are rejected by the kernel.)

Having now looked into this issue (my attention was drawn to it by James's comment on this entry), I've now set bindv6only on my machines. It's not proven particularly annoying, as I'm starting from a situation where I have basically nothing binding to IPv6 listening sockets anyways so the setting doesn't actually affect anything.

(Now I do have to start selectively enabling daemons on IPv6, but I probably want to do that anyways in case I need to adjust their configurations. My experience so far is that this is going to be an adventure.)

Written on 13 February 2010.

Last modified: Sat Feb 13 00:56:57 2010