[Nut-upsdev] Re: [nut-commits] svn commit r714 - in trunk: . server

Henning Brauer hb-nut at bsws.de
Wed Jan 10 00:41:58 CET 2007


* Arjen de Korte <nut+devel at de-korte.org> [2007-01-09 22:20]:
> Henning Brauer wrote:
> 
> >>> but keep in mind that there are systems that (purposefully) do not
> >>> support v4 mapped addresses.
> >> That shouldn't be too much of a problem, would it?
> > This is only a problem if you open exactly one listening socket with 
> > AF_INET6 and expect to handle both v4 and v6 connections there, seeing 
> > v4 traffic mapped.
> 
> Now I finally realized (took a while) why this is a problem. We
> currently support listening on only one TCP socket, the upsd driver is
> not geared up for more than that. If you want/need to separate all IPv4
> traffic on an AF_INET socket and all IPv6 traffic on an AF_INET6, you
> need at least two. Which means that in mixed configurations, in the
> present state of the server, you'd need mapped IPv4 (for which I take
> your word, is not always possible/desirable).

it is not supported at all on the more security-conscious operating 
systems, and disabled by default on a few more.

> > you might want to either drop v4-mapped traffic on AF_INET6 sockets 
> > entirely (and use AF_INET sockets exclusively for v4 traffic, that is 
> > what I'd recommend), or at least check v4 access controls on AF_INET6 
> > traffic for v4-mapped addresses.
> The latter is what we seem to do now and in the short run, this is
> probably all we can offer for people in mixed environments.

I really don't see the point. Just use AF_INET sockets for v4, and 
AF_INET6 for v6 and you're done.

> >> Looking at the code, the latter would probably mean that no connections
> >> are allowed at all, so no harm is done.
> > as said, I'd play safe and silently drop all v4mapped stuff on the 
> > AF_INET6 socket.
> As long as this code is still in the trunk (not released), I think we
> can/should keep it in. In the mean time, I will take up the task of
> making upsd aware of multiple TCP sockets (by adding LISTEN addresses in
> upsd). I agree that in the end, it is a much nicer solution to handle
> IPv4 and IPv6 separately. This has the added benefit, that if you have
> multiple interfaces on a machine running upsd, you're free to choose on
> which interfaces it is listening. Offers additional protection on top of
> the existing ACCESS/REJECT mechanism we already have.

yes, multiple listeners are really needed.

-- 
Henning Brauer, hb at bsws.de, henning at openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
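The two approaches discussed in this thread, as an added example that is not part of the original mail or of the NUT upsd code: `is_v4mapped()` is the "check the AF_INET6 peer for a v4-mapped address" test (so it can be dropped or run through the v4 access list), and `open_listener()` is the recommended alternative, one AF_INET listener plus one AF_INET6 listener with `IPV6_V6ONLY` set so v4 traffic never arrives mapped. Function names and the sample addresses are my own.

```c
/* Added example, not NUT code: detect v4-mapped peers on an AF_INET6 socket,
 * and open per-family listeners that refuse mapped traffic altogether. */
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Return 1 if the address is IPv4-mapped (::ffff:a.b.c.d) on an AF_INET6
 * socket. Such a peer is really a v4 client and must not be judged by the
 * v6 access rules alone; the safe choice is to drop it. */
int is_v4mapped(const struct sockaddr_storage *ss)
{
    if (ss->ss_family != AF_INET6)
        return 0;
    const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)ss;
    return IN6_IS_ADDR_V4MAPPED(&s6->sin6_addr) ? 1 : 0;
}

/* Open one TCP listener for the given family and textual address.
 * AF_INET6 listeners are forced v6-only (RFC 3493 IPV6_V6ONLY), so the
 * kernel never hands them mapped v4 connections regardless of the system
 * default; v4 gets its own AF_INET listener. Returns the fd, or -1. */
int open_listener(int family, const char *addr, unsigned short port)
{
    struct sockaddr_storage ss;
    socklen_t len;
    int fd, one = 1;

    memset(&ss, 0, sizeof ss);
    if (family == AF_INET6) {
        struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&ss;
        s6->sin6_family = AF_INET6;
        s6->sin6_port = htons(port);
        if (inet_pton(AF_INET6, addr, &s6->sin6_addr) != 1) return -1;
        len = sizeof *s6;
    } else {
        struct sockaddr_in *s4 = (struct sockaddr_in *)&ss;
        s4->sin_family = AF_INET;
        s4->sin_port = htons(port);
        if (inet_pton(AF_INET, addr, &s4->sin_addr) != 1) return -1;
        len = sizeof *s4;
    }
    if ((fd = socket(family, SOCK_STREAM, 0)) < 0) return -1;
    if (family == AF_INET6 &&
        setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &one, sizeof one) < 0) {
        close(fd); return -1;     /* cannot guarantee v6-only: refuse */
    }
    if (bind(fd, (struct sockaddr *)&ss, len) < 0 || listen(fd, 16) < 0) {
        close(fd); return -1;
    }
    return fd;
}
```

With separate listeners in place, `is_v4mapped()` on an accepted AF_INET6 peer should never fire; keeping the check is cheap insurance on platforms where the v6-only option is unsupported.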