 

IPv6: Why are IPv4-mapped addresses a security risk?

The OpenBSD manual states:

For security reasons, OpenBSD does not route IPv4 traffic to an AF_INET6 socket, and does not support IPv4 mapped addresses, where IPv4 traffic is seen as if it comes from an IPv6 address like ::ffff:10.1.1.1. Where both IPv4 and IPv6 traffic need to be accepted, listen on two sockets.

However, there is no explanation concerning these "security reasons." What are they? I can't think of any security problems related to that mapping.

horses explained asked Aug 17 '15 13:08




2 Answers

I don't know specifically what motivation OpenBSD used, but I know of at least one problem that can be a security concern, namely ACLs and specifically black lists.

Ponder that you have an incoming connection from 10.1.1.1. This address is blacklisted in your ACL, and thus you refuse the connection. But if you're using a mapped address, it will instead appear to come from ::ffff:10.1.1.1. Your blacklist might not be able to catch this and might let the connection through.

This can be solved with application logic, and since using a single socket might simplify the code, I personally believe OpenBSD's decision is unfortunate. It's possible to default v4mapped to off but allow it to be enabled via setsockopt.

They might have had more concerns though that I'm not aware of.

Per Johansson answered Sep 22 '22 09:09
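To make the ACL problem described in this answer concrete, here is an added example (not code from the answer above or from OpenBSD): a naive blacklist check that misses the mapped form, beside one that canonicalises the peer address before comparing, plus a helper that sets IPV6_V6ONLY explicitly instead of relying on the OS default. The blacklist entries and peer addresses are constructed, and the function names (naive_is_blocked, canonical, is_blocked, peer_of, listener) are this example's own.

```python
"""Added example: why an IPv4 blacklist silently misses IPv4-mapped peers
on a dual-stack AF_INET6 socket, and how to canonicalise before the ACL
check.  Blacklist entries and peer addresses below are constructed."""
import ipaddress
import socket

# Constructed blacklist of IPv4 hosts/prefixes a daemon might refuse.
BLACKLIST = [ipaddress.ip_network(n) for n in ("10.1.1.1/32", "192.0.2.0/24")]


def naive_is_blocked(peer: str) -> bool:
    """ACL check as a dual-stack daemon might first write it.

    The peer string is taken straight from accept(): on an AF_INET6 socket
    with mapped addresses an IPv4 client shows up as '::ffff:10.1.1.1'.
    That parses as an IPv6Address, and a v6 address is never 'in' a v4
    network, so the blacklisted client is let through."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False  # unparsable peer: not this example's concern
    return any(addr in net for net in BLACKLIST)


def canonical(peer: str):
    """Return the address the ACL should see (IPv4Address or IPv6Address):
    IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped to its IPv4 form,
    everything else is returned unchanged."""
    addr = ipaddress.ip_address(peer)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_blocked(peer: str) -> bool:
    """ACL check after canonicalisation: catches 10.1.1.1 whether it arrives
    natively over IPv4 or as ::ffff:10.1.1.1 over a dual-stack socket."""
    try:
        addr = canonical(peer)
    except ValueError:
        return False
    return any(addr in net for net in BLACKLIST)


def peer_of(sockaddr):
    """Canonicalise the tuple accept() returns: (host, port) for AF_INET,
    (host, port, flowinfo, scope_id) for AF_INET6."""
    return canonical(sockaddr[0])


def listener(v4mapped: bool = False) -> socket.socket:
    """AF_INET6 socket whose mapped-address handling is explicit rather than
    left to the OS default.  IPV6_V6ONLY=1 reproduces OpenBSD's behaviour
    (IPv4 clients need a separate AF_INET socket); IPV6_V6ONLY=0 opts back
    into mapped addresses on systems that allow it, in which case every
    address comparison must go through canonical().  Not bound here."""
    s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0 if v4mapped else 1)
    return s


if __name__ == "__main__":
    for p in ("10.1.1.1", "::ffff:10.1.1.1", "::ffff:192.0.2.7", "2001:db8::1"):
        print(f"{p:>18}  naive={naive_is_blocked(p)!s:<5}  canonical={is_blocked(p)}")
```

The canonicalisation step has to sit in front of every place a peer address is compared or recorded, not just the blacklist: rate limiters, allow lists and log lines all see the same ::ffff: form. Note also that str() of the mapped address may be rendered as ::ffff:a01:101 rather than ::ffff:10.1.1.1 depending on the Python version, which is exactly the kind of textual mismatch a grep- or string-based blacklist trips over.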


As far as I know the main reason is to keep the IPv4 and IPv6 stacks separate. It's the hacks necessary to handle packets coming in on one stack but being handled by the other that cause the security risks.

Sander Steffann answered Sep 22 '22 09:09