hg: bsd-port/jdk8/jdk: Disable forcing ipv4 to ipv6 address mapping on using the
Kurt Miller
kurt at intricatesoftware.com
Mon Apr 3 19:24:35 UTC 2017
Hi Greg,

Sure it could be for ALLBSD_SOURCE instead of just OpenBSD. I needed
to do it because OpenBSD fails the call due to it being permanently
disabled on OpenBSD. Without disabling IPV6_V6ONLY, IPv6 failed to
work on OpenBSD's port (the call to disable it failed, and ipv6
wasn't enabled).

The security concerns date back some number of years to itojun's RFC:
https://tools.ietf.org/html/draft-itojun-v6ops-v4mapped-harmful-02

It was never accepted as an approved RFC, I assume partly due to itojun
passing away shortly after writing the RFC. Nevertheless, the BSDs
took it seriously and disabled ipv4 to ipv6 address mapping. I
believe windows also has it disabled (not 100% on that).

Note however, that trying to run the JDK without ipv4 to ipv6 address
mapping is painful. By default the JDK relies on this behavior.
Attempting to run with IPV6_V6ONLY enabled puts the jdk into a mode
where only ipv6 addresses work, or you can use a set of options to have
only ipv4 addresses work (and not ipv6). For example if IPV6_V6ONLY
is true, then the jdk will not be able to communicate over both ipv6
and ipv4 addresses at the same time; the default is ipv6 only. If a
user wishes to use ipv4 and keep IPV6_V6ONLY enabled, they can start
java with -Djava.net.preferIPv4Stack=true which will enable ipv4 and
disable ipv6.

The correct way to deal with this would be to have dual stack support
in the JDK similar to how windows does it. If you review the windows
networking code you will see that it has support for both ipv6 and
ipv4 by having separate sockets for each protocol. Several years ago
I looked into porting this solution over to BSD, but decided it was
going to be too much work to keep it maintained. Ideally, the mainstream
JDK developers would move linux/solaris over to dual stack networking
and not rely on ipv4 to ipv6 address mapping.

Hopefully, my summary above is clear. Let me know if you have any questions.

Regards,
-Kurt

On Sat, 2017-04-01 at 16:03 -0700, Greg Lewis wrote:
> Hi Kurt,
>
> Should this be disabled for all BSDs? What are the security concerns?
>
> On Fri, Mar 10, 2017 at 01:47:58PM +0000, kurt at intricatesoftware.com wrote:
> >
> > Changeset: ce0d190806f2
> > Author: Kurt Miller <kurt at intricatesoftware.com>
> > Date: 2017-02-23 08:54 -0500
> > URL: http://hg.openjdk.java.net/bsd-port/jdk8/jdk/rev/ce0d190806f2
> >
> > Disable forcing ipv4 to ipv6 address mapping on using the
> > IPV6_V6ONLY socket option on OpenBSD. OpenBSD has ipv4 to ipv6
> > address mapping permanently disabled for security reasons.
> >
> > ! src/solaris/native/java/net/PlainSocketImpl.c
> >
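
The two approaches discussed in the message above, as an added C example that is not taken from the JDK or from the bsd-port changeset: it tries to clear IPV6_V6ONLY, reads the option back, and falls back to one socket per address family when mapping stays off. The names `v6mode`, `listeners`, `try_dual_stack`, `bind_listen` and `open_listeners` are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical names throughout; this is not code from the JDK. */
enum v6mode { V6_DUAL, V6_ONLY, V6_NONE };
struct listeners { int fd6, fd4; enum v6mode mode; };

/* Ask for IPv4-mapped addresses by clearing IPV6_V6ONLY, then read the option
 * back instead of trusting the call: where mapping is disabled it stays 1. */
static enum v6mode try_dual_stack(int fd6) {
    int off = 0, cur = 1;
    socklen_t len = sizeof cur;
    if (fd6 < 0) return V6_NONE;
    (void)setsockopt(fd6, IPPROTO_IPV6, IPV6_V6ONLY, &off, sizeof off);
    if (getsockopt(fd6, IPPROTO_IPV6, IPV6_V6ONLY, &cur, &len) != 0) return V6_ONLY;
    return cur ? V6_ONLY : V6_DUAL;
}

/* Bind and listen; on any failure close the descriptor and return -1. */
static int bind_listen(int fd, const struct sockaddr *sa, socklen_t len) {
    if (fd >= 0 && bind(fd, sa, len) == 0 && listen(fd, 16) == 0) return fd;
    if (fd >= 0) close(fd);
    return -1;
}

/* One mapped socket where the OS allows it, otherwise one socket per address
 * family. Unset address fields are zero, i.e. the wildcard (:: and 0.0.0.0). */
static struct listeners open_listeners(unsigned short port) {
    struct listeners l = { -1, -1, V6_NONE };
    struct sockaddr_in6 a6 = { .sin6_family = AF_INET6, .sin6_port = htons(port) };
    struct sockaddr_in a4 = { .sin_family = AF_INET, .sin_port = htons(port) };
    int fd6 = socket(AF_INET6, SOCK_STREAM, 0);
    enum v6mode m = try_dual_stack(fd6);

    l.fd6 = bind_listen(fd6, (struct sockaddr *)&a6, sizeof a6);
    l.mode = l.fd6 < 0 ? V6_NONE : m;
    if (l.mode == V6_DUAL) return l;   /* IPv4 peers appear as ::ffff:a.b.c.d */
    l.fd4 = bind_listen(socket(AF_INET, SOCK_STREAM, 0), (struct sockaddr *)&a4, sizeof a4);
    return l;
}

int main(void) {
    struct listeners l = open_listeners(0);   /* port 0: constructed sample value */
    printf("mode=%d fd6=%d fd4=%d\n", l.mode, l.fd6, l.fd4);
    return 0;
}
```

With port 0 the two fallback sockets receive different ephemeral ports; a real listener would pass one fixed port so both families share it.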