Comments below
Mark Smith wrote:
No! See S2.5.5 of http://www.ietf.org/internet-drafts/draft-ietf-ipv6-addr-arch-v4-04.txt

Hi Elwyn,
On Tue, 07 Jun 2005 16:16:28 +0100 Elwyn Davies <elwynd@dial.pipex.com> wrote:
Thanks for the comments:
No worries. Hope they're useful.
<snip>
The latest addressing architecture deprecates these addresses and v6ops is not recommending any mechanisms that use this kind of address, so I think I would prefer not to talk about IPv4 compatibles, even if they were once an issue.

"Appendix A. IPv6 Probing/Mapping Considerations"
. . .
"For example, automatic tunneling mechanisms use rather deterministic methods for generating IPv6 addresses, so probing/port-scanning an IPv6 node is simplified. The IPv4 address is embedded at least in 6to4, Teredo and ISATAP address. Further than that, it's possible (in the case of 6to4 in particular) to learn the address behind the prefix; for example, Microsoft 6to4 implementation uses the address 2002:V4ADDR::V4ADDR while Linux and BSD implementations default to 2002:V4ADDR::1. This could also be used as one way to identify an implementation."
"IPv4-compatible IPv6 addresses" could be worth describing as an even better example of IPv6 tunnel end point address that is directly deterministic from an IPv4 address.
Oh, ok. I've seen it being discussed on the MLs, although I wasn't reading the threads. I thought it was only discussing the "IPv4-mapped IPv6 Addresses" this draft discusses in section 2.2, specifically representing an IPv4 address as an IPv6 address within the OS. I'm not really a programmer, and I thought that the discussion was only covering the IPv6 APIs and related IPv4/IPv6 issues.
Just to make sure we're both talking about the same things, are
"IPv4-mapped IPv6 Addresses" the same as "IPv4-compatible IPv6
addresses" ?
Actually SIIT in its pure form is not something that anybody implements. The packet body translations are used in NAT-PT, but that is also headed off to experimental status, and anyway it does not use addresses with embedded IPv4 addresses in the same way. In general the opinion is that doing anything that shows either compatible or mapped addresses on the wire is a mistake: they are not routable and have the other problems you have mentioned. (this is already discussed in s2.2 of the security draft).

The text in this draft says :
"the use of IPv4-mapped addresses has been extended to a transition mechanism, Stateless IP/ICMP Translation algorithm (SIIT) [RFC2765], where they are potentially used in the addresses of packets on the wire."
which I read to mean that before SIIT (RFC date February 2000),
"IPv4-mapped addresses" wouldn't be seen on the wire. Yet the first
"IPv4-compatible IPv6 addresses" RFC, RFC1933, is dated April 1996,
indicating that IPv4-compatible IPv6 addresses would be seen on the wire
prior to SIIT. That makes me wonder if we are talking about the same
thing ?
I'm happy to check the latest addressing architecture RFC or draft to find out myself if they are the same.
If they are the same, this draft might benefit from using both terms in
the above text at least once to show that they are the same thing.
As noted above they aren't!
Would anybody else with deep knowledge of the Linux IPv6 implementation care to comment? Mark's other posting indicates that the default in Linux has been removed and the text should be altered to reflect the current situation. Could a BSD expert also confirm whether the comment is still true for BSD please?
Do you want to alter the text? It currently states that Linux and BSD *default* to xx::1, which means that a more fastidious human has the option to do something else. Does it really need any more text?

I'm finding that on my Linux 6to4 tunnel interface, they are automatically configured, which surprised me a bit. I'm also getting an automatic ::/96 route pointing out my 6to4 tunnel which I don't think makes sense. Looking at RFC2893, it seems that automatic assignment and a ::/96 route should happen if the OS supports "IPv4-compatible IPv6 addresses".
Possibly (thinking about it a bit more, probably) this could be considered a Linux bug, as Linux isn't considering the difference between a "IPv4-compatible IPv6 address" tunnel and a 6to4 tunnel. Even if it is, I think automatic "IPv4-compatible IPv6 addresses" on appropriate tunnels on Linux and other OSes would be an IPv6 security concern, and therefore probably mentioned in this draft.
A minor nit. I'm not sure about the Linux default interface address of ::1 for 6to4 tunnels. Using either of the ifconfig and iproute2 utilities, I don't seem to be able to specify a prefix without a node address for a 6to4 tunnel, therefore asking Linux to select an interface address. I'd suggest the "default" interface address of Linux 6to4 tunnels is ::1 probably only because of human nature when configuring the local 6to4 tunnel end point IPv6 address.
That's the thing. I can't get "Linux" itself to default to ::1, because I'm forced to specify a full IPv6 address, and being a lazy human _I'll_ pick ::1 by default for the interface ID. It seems that Linux itself doesn't have a default value at all, and it is not possible to make Linux pick one. If you've seen that "default" I think it is probably in the scripts to set up a 6to4 tunnel, and they are distribution dependent. I realise the difference is somewhat pedantic, however, I'd take a statement that "Linux defaults to ::1" to mean that all distributions based on the Linux kernel would default to ::1, and that may not be the case, or if it is today, may not be in the future.
Regards, Elwyn
Thanks, Mark.
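An added example, not part of this thread, the draft, or any of the implementations it names: a small Python classifier that takes IPv6 addresses as an operator would see them in firewall or router logs, reports which transition form each one is, and recovers the IPv4 endpoint it embeds. It also flags the IPv4-mapped and IPv4-compatible forms that, as the thread says, should not appear on the wire. The address layouts are the standard ones for 6to4 (2002:V4ADDR::/48), Teredo (2001::/32, with the client address and port stored XOR-obfuscated), ISATAP (interface ID 0:5efe:V4ADDR or 200:5efe:V4ADDR), ::ffff:0:0/96 and ::/96. The interface-ID conventions it annotates for 6to4 are the ones the quoted Appendix A text describes, and all sample addresses and log lines are constructed from documentation ranges.

```python
import ipaddress
import re

# Prefixes of the transition address forms discussed in the thread.
SIXTO4 = ipaddress.IPv6Network("2002::/16")
TEREDO = ipaddress.IPv6Network("2001::/32")
V4_COMPAT = ipaddress.IPv6Network("::/96")          # deprecated "IPv4-compatible"
V4_MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")  # API-internal "IPv4-mapped"
ISATAP_IID_HI = (0x00005EFE, 0x02005EFE)            # upper 32 bits of an ISATAP IID


def _v4(bits):
    """Render a 32-bit integer as dotted-quad text."""
    return str(ipaddress.IPv4Address(bits))


def classify(addr_text):
    """Return (kind, embedded_ipv4_or_None, note) for one IPv6 address."""
    addr = ipaddress.IPv6Address(addr_text)
    n = int(addr)
    low32 = n & 0xFFFFFFFF

    if addr in V4_MAPPED:
        return ("ipv4-mapped", _v4(low32), "OS/API form; should not be on the wire")
    if addr in V4_COMPAT:
        if n in (0, 1):  # :: and ::1 also fall inside ::/96
            return ("unspecified/loopback", None, "")
        return ("ipv4-compatible", _v4(low32), "deprecated; reveals tunnel endpoint")
    if addr in SIXTO4:
        v4_bits = (n >> 80) & 0xFFFFFFFF      # bits 16..47 carry the IPv4 address
        iid = n & 0xFFFFFFFFFFFFFFFF          # low 64 bits: interface ID
        if iid == 1:
            note = "interface ID ::1 (the Linux/BSD convention in Appendix A)"
        elif iid == v4_bits:
            note = "interface ID repeats the IPv4 address (Microsoft convention)"
        else:
            note = ""
        return ("6to4", _v4(v4_bits), note)
    if addr in TEREDO:
        server = _v4((n >> 64) & 0xFFFFFFFF)  # bits 32..63: Teredo server, in clear
        port = ((n >> 32) & 0xFFFF) ^ 0xFFFF  # bits 80..95: mapped UDP port, XOR 0xffff
        client = _v4(low32 ^ 0xFFFFFFFF)       # bits 96..127: client IPv4, XOR 0xffffffff
        return ("teredo", client, "server %s, mapped port %d" % (server, port))
    if ((n >> 32) & 0xFFFFFFFF) in ISATAP_IID_HI:
        return ("isatap", _v4(low32), "")
    return ("native", None, "")


# Constructed log lines; the address is the only field the audit cares about.
SAMPLE_LOG = """\
2005-06-07T16:16:28Z fw ACCEPT src=2002:c000:204::1 dst=2001:db8::10 proto=6
2005-06-07T16:16:29Z fw ACCEPT src=2002:c000:204:0:0:0:c000:204 dst=2001:db8::10 proto=6
2005-06-07T16:16:30Z fw DROP src=::192.0.2.33 dst=2001:db8::10 proto=41
2005-06-07T16:16:31Z fw DROP src=::ffff:198.51.100.7 dst=2001:db8::10 proto=6
2005-06-07T16:16:32Z fw ACCEPT src=2001:0:c000:201:0:63bf:34ff:8efa dst=2001:db8::10 proto=17
2005-06-07T16:16:33Z fw ACCEPT src=fe80::5efe:192.0.2.9 dst=ff02::1 proto=58
"""

_SRC = re.compile(r"\bsrc=([0-9a-fA-F:.]+)")


def audit(log_text):
    """Classify every src= address; return the rows whose form should not be on the wire."""
    flagged = []
    for line in log_text.splitlines():
        m = _SRC.search(line)
        if not m:
            continue
        kind, v4, note = classify(m.group(1))
        if kind in ("ipv4-mapped", "ipv4-compatible"):
            flagged.append((m.group(1), kind, v4))
    return flagged


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        src = _SRC.search(line).group(1)
        print("%-40s %s" % (src, classify(src)))
    print("on-wire violations:", audit(SAMPLE_LOG))
```

The point of the 6to4 and Teredo branches is the one Appendix A makes: once the prefix is known, the IPv4 tunnel endpoint (and for Teredo the server and mapped port) is a fixed function of the address, so an operator can see exactly what each tunnelled host exposes. The standard library also offers `IPv6Address.sixtofour`, `.teredo` and `.ipv4_mapped` for the same extraction; the manual bit arithmetic is kept here so the layout is visible.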