Making net.inet6.ip6.v6only=0 default

Mark Felder feld at feld.me
Fri Jun 28 22:30:23 UTC 2013


After a brief talk on IRC I figured I'd get some feelers out there about  
this sysctl which seems to have a long history.

Background: I recently updated the net/rwhoisd port here on FreeBSD with a  
patch from the kind hrs@ who fixed it so it binds on both ipv4 AND ipv6  
when it is built with ipv6 (default since last summer in the ports tree).

I sent the patch upstream, and I received feedback from a list user that  
the real problem is FreeBSD's lack of compliance and we really should  
change net.inet6.ip6.v6only=0 to fix it.

Now, originally I was just going to add an install message with the port  
to change that sysctl, but I was told it is dangerous and I wasn't sure of  
the consequences. I'm quite familiar with ipv6 networking, but not  
specifically this setting and its consequences among software out there  
and I didn't want unknown behavior on my production servers. The patch  
hrs@ sent me seemed a better solution at the time.

Later after a bit more digging and discussion I've come to learn that the  
security aspect may simply be "unexpected behavior -- the binding to ipv6  
sockets and end users not realizing it, thus creating a security hole for  
environments with only an ipv4 firewall".

We ship a dual stack firewall by default, and now since FreeBSD 9 we have  
the rc.conf setting ipv6_activate_all_interfaces="YES" which seems  
sufficient to mitigate this; the user would have to know they're enabling  
ipv6 and what its consequences could be.

So I guess the question is: what do we do? It looks like we're in  
violation of both RFC 3493, Section 5.3 and POSIX 2008, Volume 2, Section  
2.10.20*.


*I read the RFC, but haven't looked up the POSIX spec yet. Both were  
listed in a forum post from 2010.
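The thread turns on whether a daemon should depend on the system-wide net.inet6.ip6.v6only default at all. As an added example (not code from rwhoisd, from hrs@'s patch, or from the thread), the C program below sets IPV6_V6ONLY explicitly on each AF_INET6 listening socket, so the daemon behaves the same whether the sysctl is 0 or 1, and it classifies each peer address as an IPv4 client (seen as a ::ffff:a.b.c.d mapped address on a dual-stack socket) or a native IPv6 client, so the log shows which stack a connection actually used. The function names, the use of port 0, and the peer addresses checked in the test are assumptions made for the example.

```c
/* Added example: choosing dual-stack behaviour per socket instead of relying
 * on the net.inet6.ip6.v6only sysctl.  Not code from rwhoisd or hrs@'s patch. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Open an AF_INET6 TCP listener on `port` (0 = kernel picks) with IPV6_V6ONLY
 * set explicitly to `v6only`, so the result does not depend on the sysctl
 * default.  v6only=0: IPv4 clients also arrive here as ::ffff:a.b.c.d.
 * v6only=1: IPv6 only; IPv4 needs a separate AF_INET socket.  Returns fd or -1. */
int open_v6_listener(uint16_t port, int v6only)
{
    int fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int on = 1;
    (void)setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on);
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof v6only) < 0) {
        close(fd);
        return -1;
    }
    struct sockaddr_in6 sa;
    memset(&sa, 0, sizeof sa);
    sa.sin6_family = AF_INET6;
    sa.sin6_addr = in6addr_any;          /* bind to :: */
    sa.sin6_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Read IPV6_V6ONLY back from a socket: 1, 0, or -1 on error. */
int read_v6only(int fd)
{
    int v = 0;
    socklen_t len = sizeof v;
    if (getsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v, &len) < 0)
        return -1;
    return v ? 1 : 0;
}

/* Which stack did a peer on an AF_INET6 socket actually use?
 * 4 = IPv4 client seen as a v4-mapped address, 6 = native IPv6, 0 = not AF_INET6. */
int peer_family(const struct sockaddr_in6 *sa)
{
    if (sa->sin6_family != AF_INET6)
        return 0;
    return IN6_IS_ADDR_V4MAPPED(&sa->sin6_addr) ? 4 : 6;
}

/* Format the peer the way an operator reading IPv4 firewall logs expects:
 * "192.0.2.1" rather than "::ffff:192.0.2.1" for an IPv4 client. */
const char *peer_to_string(const struct sockaddr_in6 *sa, char *buf, size_t len)
{
    if (peer_family(sa) == 4) {
        struct in_addr v4;
        memcpy(&v4, &sa->sin6_addr.s6_addr[12], sizeof v4);   /* low 32 bits */
        return inet_ntop(AF_INET, &v4, buf, len);
    }
    return inet_ntop(AF_INET6, &sa->sin6_addr, buf, len);
}

int main(void)
{
    int fd = open_v6_listener(0, 0);     /* dual-stack regardless of the sysctl */
    if (fd < 0) {
        perror("open_v6_listener");
        return 1;
    }
    struct sockaddr_in6 bound;
    socklen_t blen = sizeof bound;
    getsockname(fd, (struct sockaddr *)&bound, &blen);
    printf("listening on [::]:%u, IPV6_V6ONLY=%d\n",
           ntohs(bound.sin6_port), read_v6only(fd));
    close(fd);
    return 0;
}
```

Whichever value the port chooses, setting the option per socket removes the dependence on the global default; the classification helper addresses the concern raised above, since an IPv4 client that reaches the daemon through a dual-stack socket is logged as an IPv4 address and can be matched against an IPv4-only firewall policy.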


More information about the freebsd-net mailing list