[distcc] distcc only listens on v6 with --enable-rfc2553?

Martin Pool mbp at sourcefrog.net
Wed May 12 23:08:13 GMT 2004


On 12 May 2004, Jeff Rizzo <riz+distcc at boogers.sf.ca.us> wrote:

> OK, this morning, I now know a lot more about the situation.  :)
> 
> It seems that the consensus in the BSD community is that ipv4-mapped
> addresses present something of a security risk:
> 
> http://cert.uni-stuttgart.de/archive/bugtraq/2002/08/msg00319.html

OK, thanks for finding that.  He is correct that it is hard to get the
access control rules correct, and there was a bug in distcc about this
in the past.  But I don't think the rest of the thread can be called
"consensus".

It makes sense to me that mapped addresses should not be allowed on
the wire.

I lean towards mapping in the kernel as the best way to support
servers handling both protocols.  I don't think that complicating
every application is the best way to avoid security problems.  

> There is a sysctl on the three major BSDs:
> 
> net.inet6.ip6.v6only = 1
> 
> ... when this is "1", it disables ipv4-mapped addresses.  "1" is the default
> on OpenBSD, NetBSD, and FreeBSD 5.  (FreeBSD4 had it "0").

By my reading, BSD does not comply with the API specification unless
you turn that off.  The divergence is well-intentioned but still in
some senses a bug.

Doesn't this break many other applications?

I don't think it is the expectation of BSD authors that every
application should work with the paranoid sysctls turned on.  I do see
other people saying "if you want this to work on BSD, you must turn
off $foo."

> So, for the moment, I can set v6only to 0, but I'd like to explicitly
> support both in distccd... is this something you'd consider for inclusion
> if I wrote the support?  If so, what do you think the best way to
> enable it would be?  Via autoconf, with some --enable flag?  Checking
> the sysctl value and acting accordingly?

I propose to fix by a FAQ entry telling people to set the sysctl.

If you really want to draft a patch I suppose you can.  My budget for
additional IPv6 complications is pretty low....

> I realize that dual-stack support isn't really high on most folks' priority
> lists (hell, it probably shouldn't be as high as it is on *my* list),
> but I'm willing to do the work if it will eventually get included...

--
Martin
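
Added example, not part of the original message and not distcc's own code: a sketch of the access-control problem discussed above. On a dual-stack listener with v6only set to 0, IPv4 clients appear as IPv4-mapped IPv6 addresses, so an IPv4 allow rule has to unmap the peer address before comparing. The names `peer_ipv4`, `peer_allowed`, `make_v6` and the "net/bits" rule form are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Extract the peer's IPv4 address in host byte order.
 * Accepts AF_INET and IPv4-mapped AF_INET6 (::ffff:a.b.c.d), which is what
 * a dual-stack listener reports for IPv4 clients when v6only is 0.
 * Returns 1 on success, 0 for a native IPv6 or unknown address family. */
int peer_ipv4(const struct sockaddr *sa, uint32_t *out)
{
    if (sa->sa_family == AF_INET) {
        *out = ntohl(((const struct sockaddr_in *)sa)->sin_addr.s_addr);
        return 1;
    }
    if (sa->sa_family == AF_INET6) {
        const struct in6_addr *a6 = &((const struct sockaddr_in6 *)sa)->sin6_addr;
        if (IN6_IS_ADDR_V4MAPPED(a6)) {
            uint32_t v4;
            memcpy(&v4, &a6->s6_addr[12], sizeof v4); /* last 4 bytes hold the IPv4 address */
            *out = ntohl(v4);
            return 1;
        }
    }
    return 0;
}

/* Check a peer against one IPv4 allow rule (hypothetical "net/bits" form). */
int peer_allowed(const struct sockaddr *sa, const char *net, int bits)
{
    struct in_addr n;
    uint32_t peer, mask;
    if (bits < 0 || bits > 32 || inet_pton(AF_INET, net, &n) != 1)
        return 0;                       /* malformed rule: fail closed */
    if (!peer_ipv4(sa, &peer))
        return 0;                       /* native IPv6 never matches an IPv4 rule */
    mask = bits == 0 ? 0 : 0xffffffffu << (32 - bits);
    return (peer & mask) == (ntohl(n.s_addr) & mask);
}

/* Build a sockaddr_in6 from text; used for constructed sample peers. */
struct sockaddr_in6 make_v6(const char *text)
{
    struct sockaddr_in6 s;
    memset(&s, 0, sizeof s);
    s.sin6_family = AF_INET6;
    inet_pton(AF_INET6, text, &s.sin6_addr);
    return s;
}
```

Comparing the raw `sockaddr_in6` bytes or the printed "::ffff:..." string against an IPv4 rule is the kind of mismatch that makes these rules hard to get right.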