
Re: [Sks-devel] [CONTRIB] sks.pod text for enabling IPv6


From: Kim Minh Kaplan
Subject: Re: [Sks-devel] [CONTRIB] sks.pod text for enabling IPv6
Date: Mon, 30 Mar 2009 07:38:47 +0000
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.0.60 (gnu/linux)

Phil Pennock writes:

> On 2009-03-29 at 07:55 +0000, Kim Minh Kaplan wrote:
>>
>> Regarding recon_address some additional care is needed because other
>> SKS peers use the IP address for authentication purposes.  As current
>> SKS code does *not* support IPv4 mapped address you should *not* use
>> "::" on systems where they are the default (Linux for example).
>
> Does it make sense to test if the address is in ::ffff:0.0.0.0/96 and if
> so to just strip off the leading ::ffff: so as to avoid this issue?

This is what I did in my original patch before rolling back and using
your method.  This method is very fragile as you have to rely on a
specific string representation of IPv6 addresses, or write a full-blown
parser.  As these are mostly used while accepting IPv4 mapped on
an IPv6 socket I'd rather do it the other way round.  That is transform
all IPv4 addresses into IPv6 before comparison:

    (* Compare two socket addresses by IP only (ports are ignored), treating
       an IPv4 address and its IPv4-mapped IPv6 form (::ffff:a.b.c.d) as equal. *)
    let same_inet_addr addr1 addr2 =
      let canonize addr =
        match Unix.domain_of_sockaddr addr with
          Unix.PF_UNIX -> failwith "Unexpected socket domain PF_UNIX"
        | Unix.PF_INET6 -> addr
        | Unix.PF_INET ->
            (* Rewrite the IPv4 address as IPv4-mapped IPv6 before comparing. *)
            match addr with
              Unix.ADDR_UNIX _ -> failwith "Unexpected address type ADDR_UNIX"
            | Unix.ADDR_INET (ip, port) ->
                let newaddr = "::ffff:" ^ (Unix.string_of_inet_addr ip) in
                let newip = Unix.inet_addr_of_string newaddr in
                Unix.ADDR_INET (newip, port)
      in
      match ((canonize addr1), (canonize addr2)) with
        (Unix.ADDR_INET (ip1,_), Unix.ADDR_INET (ip2,_)) -> ip1 = ip2
      | _ -> false

Still, I am not sure this is a good thing.

> Something like this, just before EXAMPLES?
>
> ----------------------------8< cut here >8------------------------------
> =head1 ENABLING IPv6
>
> This is more complicated than it should be, thanks to some limitations
> in the language support libraries of O'Caml.  Instead of just being able
> to do The Right Thing, you need to both explicitly enable IPv6 and
> perhaps to understand a little about how your system deals with IPv4 and
> IPv6 connections to an IPv6 socket.

I think this ranting should not go into the documentation.

> The easiest solution is to explicitly list your IP addresses in
> C<sksconf>; whatever the hostname you peer under resolves to, those IP
> addresses should be listed for both C<hkp_address> and C<recon_address>.
> So if you have the hostname C<keyserver.example.org> which resolves to
> C<192.0.2.0> and C<2001:DB8::1> then you would configure:
>
> =over 4
>
> =item Explicit IP addresses in C<sksconf>:
>
>  hkp_address: 192.0.2.0 2001:DB8::1
>  recon_address: 192.0.2.0 2001:DB8::1
>
> =back

Sounds good to me.

> If you want to auto-discover IPv6 addresses in the same way as IPv4
> addresses, then this will only work cleanly in SKS on platforms where
> IPv6 sockets do not receive IPv4 connections using mapped addresses.  If
> this means nothing to you, then you'll just have to manually configure
> the addresses.  Sorry. 

I think "manually configure the addresses" can be confusing because
there is no such phrasing in the man page.  I would change the last
sentence to something like "If the preceding sentence makes no sense to
you, then you'll have to explicitly list your IP addresses as described
earlier".

Thank you for the doc.

Kim Minh.
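
The fragility of stripping a textual `::ffff:` prefix, next to the widen-IPv4-then-compare approach from the message above, as an added example that is not part of the original post or of SKS. It is written in Python rather than SKS's OCaml so the standard `ipaddress` parser can stand in for the "full-blown parser"; the function names, the peer list and the sample spellings are constructed for illustration.

```python
import ipaddress

MAPPED_PREFIX = "::ffff:"

def strip_prefix(text):
    """Fragile approach: string surgery that only works for one exact spelling."""
    return text[len(MAPPED_PREFIX):] if text.startswith(MAPPED_PREFIX) else text

def canonical(text):
    """Parse the address, then widen IPv4 to its IPv4-mapped IPv6 form."""
    addr = ipaddress.ip_address(text)
    if addr.version == 4:
        # 80 zero bits, 16 one bits, then the 32-bit IPv4 address
        addr = ipaddress.IPv6Address(b"\x00" * 10 + b"\xff\xff" + addr.packed)
    return addr

def same_inet_addr(a, b):
    """Compare on the parsed 128-bit value, never on the text."""
    return canonical(a) == canonical(b)

def is_known_peer(remote, peers):
    """Peer check: does the remote address match any configured peer address?"""
    return any(same_inet_addr(remote, p) for p in peers)

# Constructed sample data (documentation address ranges).
PEERS = ["192.0.2.10", "2001:db8::1"]

# Four valid spellings of the same IPv4-mapped address for 192.0.2.10.
SPELLINGS = [
    "::ffff:192.0.2.10",
    "::FFFF:192.0.2.10",
    "::ffff:c000:20a",
    "0:0:0:0:0:ffff:192.0.2.10",
]

def compare_methods():
    """Return (spelling, matched_by_string_strip, matched_by_canonical_compare)."""
    return [(s, strip_prefix(s) in PEERS, is_known_peer(s, PEERS)) for s in SPELLINGS]

if __name__ == "__main__":
    for spelling, by_strip, by_canon in compare_methods():
        print(f"{spelling:28} strip={by_strip!s:5} canonical={by_canon}")
```

Only the first spelling survives the string strip; all four match once both sides are parsed and compared as 128-bit values.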



