Re: IPv6 in Java on FreeBSD
- Reply: Harald Eilertsen : "Re: IPv6 in Java on FreeBSD"
- In reply to: Harald Eilertsen : "Re: IPv6 in Java on FreeBSD"
Date: Wed, 19 Feb 2025 21:18:03 UTC
I have a lot I want to say about this. Unfortunately I only have my mobile phone for the next couple of days, so writing a lot is difficult.

The security issue(s) should be clear, and they don't seem to be clear now. Reading the inet6 and ip6 pages and understanding the security issue is difficult. I believe the security issue is that if you have an IPv4-mapped-into-IPv6 arrangement, another process may be able to set up an IPv4-only socket to capture or intercept IPv4 traffic instead of the IPv4-mapped-into-IPv6 socket already established. Because the JVM uses this mapping, it's vulnerable. Security-heightened people (such as OpenBSD) will not like this. However, until the JVM is substantially changed, there is not really a choice here.

IMO, it's a bad idea for the JVM to look at the global ipv6only sysctl for its configuration. I currently have a problem that sendmail does not work correctly with the global ipv6only set to 0, but I cannot run Tomcat in a dual-stack environment without that global setting. I'm currently running a modified sendmail to solve this. I would very much like the JVM to be configurable to work dual stack without clearing the ipv6only sysctl.

Most applications currently assume no IPv4-mapped-into-IPv6 just because they don't even know it's possible. So the JVM is the "odd man" which can use this feature and has this possible security issue. So this is complicated. IMO, because the JVM is the outlier and there are security issues, the right thing is that a JVM should be individually configured if it's going to use IPv4 mapped into IPv6. I.e. the configured choices are:

  - IPv4 only
  - IPv6 only
  - Dual stack: IPv6 with IPv4 mapped into IPv6

Jeff Anton
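The per-socket IPV6_V6ONLY option is the mechanism that lets one process choose v6-only or dual-stack independently of the global net.inet6.ip6.v6only sysctl discussed above; the following is an added C example (not code from this thread, from FreeBSD or from the JVM) that reads the system default on a fresh AF_INET6 socket and then sets the option explicitly before bind. It assumes a POSIX socket API; port 0 asks the kernel for an ephemeral port.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Return the IPV6_V6ONLY value a brand-new AF_INET6 socket inherits
 * (on FreeBSD this reflects net.inet6.ip6.v6only), or -1 on failure. */
int default_v6only(void) {
    int s = socket(AF_INET6, SOCK_STREAM, 0);
    if (s < 0) return -1;
    int val = 0;
    socklen_t len = sizeof val;
    int rc = getsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &val, &len);
    close(s);
    return rc < 0 ? -1 : (val != 0);
}

/* Set IPV6_V6ONLY to `want` on a fresh socket, bind it to [::]:port, and
 * read the option back. want=1 gives a v6-only listener; want=0 gives a
 * dual-stack listener that also receives IPv4 as mapped addresses.
 * Returns the effective value (0 or 1) or -1 on failure. */
int bind_with_v6only(int want, unsigned short port) {
    int s = socket(AF_INET6, SOCK_STREAM, 0);
    if (s < 0) return -1;
    int val = want;
    if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &val, sizeof val) < 0) {
        close(s);
        return -1;
    }
    struct sockaddr_in6 a;
    memset(&a, 0, sizeof a);
    a.sin6_family = AF_INET6;
    a.sin6_addr = in6addr_any;      /* [::] */
    a.sin6_port = htons(port);
    socklen_t len = sizeof val;
    if (bind(s, (struct sockaddr *)&a, sizeof a) < 0 ||
        getsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &val, &len) < 0) {
        close(s);
        return -1;
    }
    close(s);
    return val != 0;
}

int main(void) {
    printf("system default IPV6_V6ONLY: %d\n", default_v6only());
    printf("explicit v6-only listener:  %d\n", bind_with_v6only(1, 0));
    printf("explicit dual-stack listener: %d\n", bind_with_v6only(0, 0));
    return 0;
}
```

A program that sets the option itself behaves the same whether the sysctl is 0 or 1, which is the per-instance configurability the message asks for.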