IPv6 only works, both do not

IPv6 only works, both do not

Arturo 'Buanzo' Busleiman

Hi!

If I use, for instance:

recon_address: 0.0.0.0 ::
hkp_address: 0.0.0.0 ::

(or 85.13.200.90 2a01:c0:2:1::2)

Then sks dies.

If I ONLY use IPv6:

recon_address: ::
hkp_address: ::

sks runs perfectly, and lsof shows the ipv6 listening socket.

Interesting detail: if I use the ipv6 LOOPBACK address, 4 and 6 work (but useless, of course)

recon_address: 0.0.0.0 ::1
hkp_address: 0.0.0.0 ::1

Any ideas? This is linux 2.6.31

--
Arturo "Buanzo" Busleiman
Independent Linux and Security Consultant - OWASP - SANS - OISSG
http://www.buanzo.com.ar/pro/eng.html

_______________________________________________
Sks-devel mailing list
[hidden email]
http://lists.nongnu.org/mailman/listinfo/sks-devel
Re: IPv6 only works, both do not

Phil Pennock-17
On 2009-12-01 at 09:21 -0300, Arturo 'Buanzo' Busleiman wrote:

> Hi!
>
> If I use, for instance:
>
> recon_address: 0.0.0.0 ::
> hkp_address: 0.0.0.0 ::
>
> (or 85.13.200.90 2a01:c0:2:1::2)
>
> Then sks dies.

Anything in the logs?  db.log and recon.log in your basedir (which, if
not overridden, is the directory which SKS is started from).

Are you sure that SKS dies if you explicitly list one IPv4 and one IPv6
address and nothing else?  This is the configuration I'm using, but not
on Linux:
  recon_address: 94.142.241.93 2a02:898:31:0:48:4558:73:6b73
  hkp_address: 94.142.241.93 2a02:898:31:0:48:4558:73:6b73

> Any ideas? This is linux 2.6.31

My suspicion is that your platform enables v4-mapped IPv6 sockets by
default, so when you listen on :: you are implicitly also accepting IPv4
connections.

There's no sane portable way for O'Caml programs to disable this (or
wasn't when I last checked).  By contrast, if only one socket is used,
it will break on platforms where IPv6 sockets do not accept IPv4
connections by default.

Try just using "::" and then connecting to the server over IPv4.  If it
works, one socket handles both.  What addresses do you see for
connections then?  ::ffff:ip.v4.addr.ess ?  Do these match ACLs or do
things break?

I suspect that the logs have a socket bind error, address in use?

The general use case for explicit binding is to select *just* the IP
addresses you want to listen on and send from.  So if you have 3 IPv6
addresses, you listen on just the sks address and your outgoing recon
connections come from that same IP, so will get past the membership
tests of your peers.

-Phil
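
The socket behaviour discussed in this thread, as an added example that is not part of the original messages and not SKS code (Python is used here instead of OCaml, and the function names are assumptions). On Linux it binds 0.0.0.0 and :: on one port with IPV6_V6ONLY off and on, then shows the address a dual-stack listener reports for an IPv4 client, which is the form an address ACL has to match.

```python
import errno
import socket

def _free_port():
    """Pick a port that is free for both families (dual-stack probe, then close)."""
    with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as probe:
        probe.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
        probe.bind(("::", 0))
        return probe.getsockname()[1]

def bind_both_wildcards(v6only):
    """Bind 0.0.0.0 then :: on one port, in the order used in the config above.

    Returns "ok", or the errno name raised by the IPv6 bind.
    """
    port = _free_port()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s4, \
         socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s6:
        s4.bind(("0.0.0.0", port))
        s4.listen(1)
        # IPV6_V6ONLY must be set before bind(); 0 = also accept v4-mapped peers.
        s6.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
        try:
            s6.bind(("::", port))
        except OSError as exc:
            return errno.errorcode.get(exc.errno, str(exc.errno))
        return "ok"

def ipv4_peer_as_seen_on_dual_stack():
    """Listen on :: with V6ONLY off, connect over IPv4, return the peer address."""
    with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as srv, \
         socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
        srv.bind(("::", 0))
        srv.listen(1)
        srv.settimeout(5)
        cli.settimeout(5)
        cli.connect(("127.0.0.1", srv.getsockname()[1]))
        conn, peer = srv.accept()
        conn.close()
        return peer[0]  # v4-mapped form, not the dotted quad

if __name__ == "__main__":
    print("0.0.0.0 + :: (V6ONLY=0):", bind_both_wildcards(False))
    print("0.0.0.0 + :: (V6ONLY=1):", bind_both_wildcards(True))
    print("IPv4 client seen as:", ipv4_peer_as_seen_on_dual_stack())
```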
