Follow-up Comment #29, bug #15559 (project freeciv):

Clearly the server should run without emitting error messages regardless of
whether it finds itself on a "v6only" behaving system. Specifying
setsockopt(V6ONLY), or whatever it's called, with the current code might be
sufficient, if it's portable (haven't checked).

Another approach which satisfies this requirement is to do what I believe
OpenSSH does, which is to try to listen on all available IP address families
(specifying "V6ONLY" for lack of ambiguity), and fail if it can't bind _all_
of them. This is done to avoid an attack (CVE-2008-1483
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1483>) where a local
attacker listened on IPv4 only, the SSH server listened on IPv6 and quietly
failed on IPv4, the user misdirected traffic at the IPv4 listener, and the
attacker captured traffic. (I haven't thought if there are any interesting
similar attacks against Freeciv.)

Unfortunately I haven't got round to working out how OpenSSH does this, and
in particular how it works out whether it's on a system that doesn't support
IPv6 at all, although I really should for another project.

    _______________________________________________________

Reply to this item at:

  <http://gna.org/bugs/?15559>

_______________________________________________
  Message sent via/by Gna!
  http://gna.org/


_______________________________________________
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev
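
The approach described in the comment above (one `IPV6_V6ONLY` listener per address family, failing as a whole if any family cannot be bound), sketched in C as an added example; it is not code from Freeciv, from OpenSSH, or from the comment's author. The helper name `listen_all_families` and the rule that `EAFNOSUPPORT` from `socket()` marks a family the host does not support are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200112L
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: listen on `port` in every address family the host has.
 * Returns the listener count, or -1 with every socket closed on any failure. */
int listen_all_families(unsigned short port, int *fds, int max_fds)
{
    struct addrinfo hints = {0}, *res, *ai;
    char service[6];
    int n = 0, failed = 0, on = 1;

    hints.ai_family = AF_UNSPEC;       /* IPv4 and IPv6 wildcard addresses */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_PASSIVE | AI_NUMERICSERV;
    snprintf(service, sizeof service, "%u", (unsigned)port);
    if (getaddrinfo(NULL, service, &hints, &res) != 0)
        return -1;
    for (ai = res; ai != NULL && !failed; ai = ai->ai_next) {
        int fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0) {
            /* Assumption: EAFNOSUPPORT means the family is absent; skip it. */
            failed = (errno != EAFNOSUPPORT);
            continue;
        }
        /* V6ONLY stops the IPv6 socket from also claiming IPv4, so each
         * family is bound, and can fail, on its own. */
        if (n >= max_fds
            || (ai->ai_family == AF_INET6 && setsockopt(fd, IPPROTO_IPV6,
                    IPV6_V6ONLY, &on, sizeof on) < 0)
            || bind(fd, ai->ai_addr, ai->ai_addrlen) < 0
            || listen(fd, 16) < 0) {
            close(fd);
            failed = 1;                /* e.g. EADDRINUSE: port already held */
            continue;
        }
        fds[n++] = fd;
    }
    freeaddrinfo(res);
    if (failed || n == 0) {            /* fail closed: all families or none */
        while (n > 0)
            close(fds[--n]);
        return -1;
    }
    return n;
}
```

A caller treats `-1` as fatal at startup, so the server never runs with only some of its families bound while another process holds the port in the remaining one.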
