ipv6 revision 4ac00f66832747f88c552904f7716571d3349d81
Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2000, 2001 Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

Currently, there are multiple interesting problems with ipv6
implementations on various platforms. These problems range from not
being able to use ipv6 with bind9 (or in particular the ISC socket
library, contained in libisc) to listen-on lists not being respected,
to strange warnings but seemingly correct behavior of named.

COMPILE-TIME ISSUES
-------------------

The socket library requires a certain level of support from the
operating system. In particular, it must follow the advanced ipv6
socket API to be usable. The systems which do not follow this will
currently not get any warnings or errors, but ipv6 will simply not
function on them.

These systems currently include, but are not limited to:

 AIX 3.4 (with ipv6 patches)


RUN-TIME ISSUES
---------------

In the original drafts of the ipv6 RFC documents, binding an ipv6
socket to the ipv6 wildcard address would also cause the socket to
accept ipv4 connections and datagrams. When an ipv4 packet is
received on these systems, it is mapped into an ipv6 address. For
example, 1.2.3.4 would be mapped into ::ffff:1.2.3.4. The intent of
this mapping was to make transition from an ipv4-only application into
ipv6 easier, by only requiring one socket to be open on a given port.

Later, it was discovered that this was generally a bad idea. For one,
many firewalls will block connections to 1.2.3.4, but will let through
::ffff:1.2.3.4. This, of course, is bad. Also, access control lists
written to accept only ipv4 addresses were suddenly ignored unless
they were rewritten to handle the ipv6 mapped addresses as well.
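
The access-control problem described above, as an added example (not code from bind9): an IPv4 deny rule is checked against a peer address once with a naive family test and once after unmapping ::ffff:a.b.c.d. The names acl4, peer_denied and SAMPLE_DENY are hypothetical, and the 1.2.3.0/24 rule is constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical IPv4 ACL entry: network and prefix length, e.g. 1.2.3.0/24. */
struct acl4 { const char *net; unsigned prefix; };

/* Return 1 if the IPv4 address (network byte order) falls inside the entry. */
static int acl4_match(const struct acl4 *e, uint32_t addr_be) {
    struct in_addr net;
    if (e->prefix > 32 || inet_pton(AF_INET, e->net, &net) != 1) return 0;
    uint32_t mask = e->prefix ? htonl(0xffffffffu << (32 - e->prefix)) : 0;
    return (addr_be & mask) == (net.s_addr & mask);
}

/*
 * Decide whether a peer, given as text, is blocked by an IPv4 deny list.
 * naive=1 reproduces the flaw: a peer that is not AF_INET skips the IPv4 rules.
 * naive=0 unmaps ::ffff:a.b.c.d to a.b.c.d first, so the rule still applies.
 */
int peer_denied(const char *peer, const struct acl4 *deny, size_t n, int naive) {
    struct in_addr a4;
    struct in6_addr a6;
    uint32_t v4;
    if (inet_pton(AF_INET, peer, &a4) == 1) {
        v4 = a4.s_addr;
    } else if (inet_pton(AF_INET6, peer, &a6) == 1) {
        if (naive || !IN6_IS_ADDR_V4MAPPED(&a6)) return 0; /* no IPv4 rule consulted */
        memcpy(&v4, &a6.s6_addr[12], sizeof v4); /* last 4 bytes hold the IPv4 address */
    } else {
        return 1; /* unparseable peer: fail closed */
    }
    for (size_t i = 0; i < n; i++)
        if (acl4_match(&deny[i], v4)) return 1;
    return 0;
}

/* Constructed sample policy: block 1.2.3.0/24. */
static const struct acl4 SAMPLE_DENY[] = { { "1.2.3.0", 24 } };
```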

Partly because of these problems, the latest IPv6 API introduces an
explicit knob (the "IPV6_V6ONLY" socket option) to turn off the ipv6
mapped address usage.

In bind9, we first check if both the advanced API and the IPV6_V6ONLY
socket option are available. If both of them are available, bind9
named will bind to the ipv6 wildcard port for both TCP and UDP.
Otherwise named will log a warning and try to bind to all available
ipv6 addresses separately.
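
The decision described above, as an added example (not bind9's own socket code): the wildcard is bound only when IPV6_V6ONLY can be set and read back, otherwise the caller is told to fall back to per-address binds. The function name open_v6_wildcard and its return codes are hypothetical, and only the UDP case is shown.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Open a UDP socket on the IPv6 wildcard address only if it can be
 * restricted to IPv6 traffic.
 * Returns  1: IPV6_V6ONLY set and confirmed, wildcard bound (*fd_out is the socket)
 *          0: option missing or refused; bind each IPv6 address separately instead
 *         -1: IPv6 sockets are not usable on this host
 */
int open_v6_wildcard(unsigned short port, int *fd_out) {
    int fd = socket(AF_INET6, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
#ifdef IPV6_V6ONLY
    int on = 1, got = 0;
    socklen_t len = sizeof got;
    /* Set the option before bind() and read it back rather than trusting it. */
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof on) < 0 ||
        getsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &got, &len) < 0 || !got) {
        close(fd);
        return 0;
    }
    struct sockaddr_in6 sa;
    memset(&sa, 0, sizeof sa);
    sa.sin6_family = AF_INET6;
    sa.sin6_addr = in6addr_any;
    sa.sin6_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    *fd_out = fd;
    return 1;
#else
    close(fd);
    return 0; /* built without IPV6_V6ONLY: never bind the wildcard */
#endif
}
```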

In any case, bind9 named binds to specific addresses for ipv4 sockets.

The following are historical notes from when we always bound to the ipv6
wildcard port regardless of the availability of the API support.
These problems should not happen with the closer checks above.


IPV6 Sockets Accept IPV4, Specific IPV4 Addresses Bindings Fail
---------------------------------------------------------------

The only OS which seems to do this is (some kernel versions of) Linux.
If an ipv6 socket is bound to the ipv6 wildcard socket, and a specific
ipv4 socket is later bound (say, to 1.2.3.4 port 53) the ipv4 binding
will fail.

What this means to bind9 is that the application will log warnings
about being unable to bind to a socket because the address is already
in use. Since the ipv6 socket will accept ipv4 packets and map them,
however, the ipv4 addresses continue to function.

The effect is that the config file listen-on directive will not be
respected on these systems.


IPV6 Sockets Accept IPV4, Specific IPV4 Address Bindings Succeed
----------------------------------------------------------------

In this case, the system allows opening an ipv6 wildcard address
socket and then binding to a more specific ipv4 address later. An
example of this type of system is Digital Unix with ipv6 patches
applied.

What this means to bind9 is that the application will respect
listen-on with regard to ipv4 sockets, but it will use mapped ipv6
addresses for any that do not match the listen-on list. This, in
effect, makes listen-on useless for these machines as well.


IPV6 Sockets Do Not Accept IPV4
-------------------------------

On these systems, opening an IPV6 socket does not implicitly open any
ipv4 sockets. Examples of these systems are NetBSD-current with the
latest KAME patch, and other systems which use the latest KAME patches
as their ipv6 implementation.

On these systems, listen-on is fully functional, as the ipv6 socket
only accepts ipv6 packets, and the ipv4 sockets will handle the ipv4
packets.


RELEVANT RFCs
-------------

3513: Internet Protocol Version 6 (IPv6) Addressing Architecture

3493: Basic Socket Interface Extensions for IPv6

3542: Advanced Sockets Application Program Interface (API) for IPv6


$Id: ipv6,v 1.9 2004/08/10 04:27:51 jinmei Exp $
