Re: [Sks-devel] IPv4 vs. IPv6? -- Reconciliation attempt from unauthoriz

From: Kim Minh Kaplan
Subject: Re: [Sks-devel] IPv4 vs. IPv6? -- Reconciliation attempt from unauthorized host, but host is authorized
Date: Tue, 03 Dec 2013 16:41:57 +0000
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.1 (gnu/linux)

Daniel Kahn Gillmor writes:

> But it seems like there are two approaches that could
> be taken to fix it, and only one of them ought to rely on IPV6_V6ONLY:
>  a) sks could set IPV6_V6ONLY on all listening sockets, and require the
> administrators to explicitly list IPv4 addresses differently from IPv6
> addresses, or

But this *is* the approach that SKS uses, except that it does not have
to set IPV6_V6ONLY. Like I wrote in a previous answer, SKS requires the
administrator to list all addresses, IPv4 and IPv6. As an alternative you
can use the hostname. But I do not recommend this as you then have to be
sure that all your DNS system is working fine at SKS startup time.

>  b) sks could simply realize that ::ffff:XX.YY.ZZ.WW is the same as
> XX.YY.ZZ.WW when doing comparison testing for IP-address-based
> authorization.  This seems like it would be a change in same_inet_addr
> in, and wouldn't require either system re-configuration,
> service re-configuration, or new versioned dependencies.

One of the first passes at IPv6 was done like that. But it led to
unneeded complexity. The final SKS code is network protocol agnostic. It
does not include any IPv6 specificity. Is this b) functionality really

Note that there is no real operational problem to fix in SKS with regard
to IPv6. It works fine for many (all?) people. The only annoyance I know
is that you cannot use the catchall :: address on systems that provide
IPv4-mapped addresses by default, like Linux.

If you still have problems with SKS and IPv6 please provide us with
your sksconf.

Kim Minh
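
The comparison described as approach b) in the quoted text, written out as an added example; it is not part of the original message and not SKS's own code. The function names `same_host_addr` and `peer_authorized` are hypothetical, and the addresses are constructed from the documentation ranges. IPv4 text is stored in its IPv4-mapped form so that `::ffff:XX.YY.ZZ.WW` and `XX.YY.ZZ.WW` compare equal, while the check still only accepts addresses that are actually listed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Parse a numeric address into one canonical 16-byte form: IPv4 text is
 * stored as its IPv4-mapped IPv6 equivalent (::ffff:a.b.c.d), so both
 * spellings of the same host compare equal. Returns 0, or -1 on bad input. */
static int canon_parse(const char *text, struct in6_addr *out)
{
    struct in_addr v4;

    if (inet_pton(AF_INET6, text, out) == 1)
        return 0;
    if (inet_pton(AF_INET, text, &v4) != 1)
        return -1;
    memset(out, 0, sizeof *out);
    out->s6_addr[10] = 0xff;
    out->s6_addr[11] = 0xff;
    memcpy(&out->s6_addr[12], &v4, sizeof v4);
    return 0;
}

/* 1 if both strings name the same address; 0 otherwise or on parse error. */
int same_host_addr(const char *a, const char *b)
{
    struct in6_addr ca, cb;
    if (canon_parse(a, &ca) != 0 || canon_parse(b, &cb) != 0)
        return 0;
    return memcmp(&ca, &cb, sizeof ca) == 0;
}

/* A peer is authorized only if it matches a listed member address. */
int peer_authorized(const char *peer, const char *const *members, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (same_host_addr(peer, members[i]))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed membership list using documentation address ranges. */
    const char *const members[] = { "192.0.2.10", "2001:db8::10" };
    printf("mapped member:     %d\n", peer_authorized("::ffff:192.0.2.10", members, 2));
    printf("mapped non-member: %d\n", peer_authorized("::ffff:192.0.2.11", members, 2));
    return 0;
}
```

Unparseable input never matches, and the deprecated IPv4-compatible form `::a.b.c.d` is deliberately not treated as equal to `a.b.c.d`.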
