Re: [Sks-devel] Re: keys.hiif.hu drops connections at port 11370

[Phil Pennock]

On 2011-04-07 at 20:45 +0200, Kiss Gabor (Bitman) wrote:
> Just like hkp_address. I mean recon_address of course.
> "hkp_address: ::" seemed to work in the past few months.

If your machine accepts IPv4 connections on an IPv6 socket, then this
would work.  The address is just represented internally as ::ffff:<ipv4>
-- this is a standard part of the sockets API.

The BSDs and others have defaulted this behaviour off; Linux defaults it
on; there's a socket option to change it, but when the IPv6 support was
being added to SKS, the O'Caml bindings did not expose this option.

The problem comes when you apply ACL tests which don't account for an
IPv4 address now having two different ways it can be represented.

One solution might be to have the membership test strip off a leading
::ffff: on an address before making a comparison, so that Linux users
can continue to just use in6addr_any (::) to listen on.  (It's these
sorts of glitches with ACLs which led OpenBSD, and then the other BSDs,
to default IPV6_V6ONLY on.)

-Phil