Hi Greg, Sure it could be for ALLBSD_SOURCE instead of just OpenBSD. I needed to do it because OpenBSD fails the call due to it being permanently disable on OpenBSD. Without disabling IPV6_V6ONLY, IPv6 failed to work on OpenBSD's port (the call to disable it failed, and ipv6 wasn't enabled).
The security concerns date back some number of years to itojun's RFC: https://tools.ietf.org/html/draft-itojun-v6ops-v4mapped-harmful-02 It was never accepted as approved RFC I assume partly due to itojun passing away shorty after writing the RFC. Nevertheless, the BSD's took it seriously and disabled ipv4 to ipv6 address mapping. I believe windows also has it disabled (not 100% on that). Note however, that trying to run the JDK without ipv4 to ipv6 address mapping is painful. By default the JDK relies on this behavior. Attempting to run with IPV6_V6ONLY enabled put's the jdk in to a mode where only ipv6 addresses work, or you can use a set of options to have only ipv4 addresses work (and not ipv6). For example if IPV6_V6ONLY is true, then the jdk will not be able to communicate over both ipv6 and ipv4 addresses at the same time; the default is ipv6 only. If a user wishes to use ipv4 and keep IPV6_V6ONLY enabled, they can start java with -Djava.net.preferIPv4Stack=true which will enable ipv4 and disable ipv6. The correct way to deal with this would be to have dual stack support in the JDK similar to how windows does it. If you review the windows networking code you will see that it has support for both ipv6 and ipv4 by having separate sockets for each protocol. Several years ago I looked into porting this solution over to BSD, but decided it was going to be too much work to keep it maintained. Ideally, the mainstream JDK developers would move linux/solaris over to dual stack networking and not rely on ipv4 to ipv6 address mapping. Hopefully, my summary above is clear. Let me know if you have any questions. Regards, -Kurt On Sat, 2017-04-01 at 16:03 -0700, Greg Lewis wrote: > Hi Kurt, > > Should this be disabled for all BSDs? What are the security concerns? > > On Fri, Mar 10, 2017 at 01:47:58PM +0000, k...@intricatesoftware.com wrote: > > > > Changeset: ce0d190806f2 > > Author: Kurt Miller <k...@intricatesoftware.com> > > Date: 2017-02-23 08:54 -0500 > > URL: http://hg.openjdk.java.net/bsd-port/jdk8/jdk/rev/ce0d190806f2 > > > > Disable forcing ipv4 to ipv6 address mapping on using the > > IPV6_V6ONLY socket option on OpenBSD. OpenBSD has ipv4 to ipv6 > > address mapping permanently disabled for security reasons. > > > > ! src/solaris/native/java/net/PlainSocketImpl.c > >
