Re: IPv6 in Java on FreeBSD
- Reply: Harald Eilertsen : "Re: IPv6 in Java on FreeBSD"
- In reply to: Jeff Anton : "Re: IPv6 in Java on FreeBSD"
Date: Thu, 20 Feb 2025 13:55:27 UTC
Hi Jeff,

Thanks a lot for your feedback. It's very helpful, and I appreciate the effort to type all of that into a phone!

Also, as mentioned, this is a bit academic from my side. I do want to understand the worries and potential security implications for my own part. In the end though, Java is what Java is, and for any upstreaming effort I think I have to relate to that.

Wrt this issue, the OpenJDK project seems pretty clear:

- https://bugs.openjdk.org/browse/JDK-6882910
- https://github.com/openjdk/jdk/commit/22534d46e9fecc59de8cf18fd3e1bbfcba191e4a

On Wed, Feb 19, 2025 at 01:18:03PM -0800, Jeff Anton wrote:
> I believe the security issue is that if you have an ipv4 mapped into
> ipv6 arrangement, another process may be able to set up an ipv4 only
> socket to capture or intercept ipv4 traffic instead of the ipv4 mapped
> into ipv6 socket already established.

This seems to be a BSD problem, as it allows a bind to a port on a specific address (localhost or an interface address) even if the port is bound by the wildcard address. I don't know the rationale for that.

If you bind a socket to a specific address (ipv6 or ipv4) it will only accept connections over the corresponding protocol. So afaict this is only a problem that affects the wildcard address, and only on BSD.

> Because the jvm uses this mapping it's vulnerable. Security heighten
> people (such as the openBSD) will not like this.

OpenBSD is not part of my scope. I will of course try to not break the port for OpenBSD, but their concerns have to be addressed by them.

> IMO, it's a bad idea for the jvm to look at the global ipv6 only sysctl for its configuration.

That's useful feedback. This also means we'll conform to the Java spec, which mandates dual-stack sockets on IPv6 systems regardless of this setting.

H!
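
The bind behaviour discussed in this message can be checked on a given host instead of assumed. The following C probe is an added example, not code from the thread or from OpenJDK; the function names `open_wildcard6` and `probe_specific_v4_bind` are hypothetical, and it assumes TCP sockets with no `SO_REUSEADDR` set. It holds a wildcard `[::]` socket with `IPV6_V6ONLY` set per socket (so the global default is not consulted), then reports whether the kernel lets a second socket bind `127.0.0.1` on the same port.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind an AF_INET6 TCP socket to [::] on a kernel-chosen port, setting
 * IPV6_V6ONLY per socket so the system-wide default plays no part.
 * Returns the fd (port in *port), or -1 if that is not possible here. */
int open_wildcard6(int v6only, unsigned short *port) {
    struct sockaddr_in6 a = { .sin6_family = AF_INET6 }; /* zeroed addr is :: */
    socklen_t len = sizeof a;
    int fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof v6only) < 0 ||
        bind(fd, (struct sockaddr *)&a, sizeof a) < 0 ||
        getsockname(fd, (struct sockaddr *)&a, &len) < 0) {
        close(fd);
        return -1;
    }
    *port = ntohs(a.sin6_port);
    return fd;
}

/* With that socket held, try to bind 127.0.0.1 on the same port without
 * SO_REUSEADDR. Returns 1 = allowed, 0 = EADDRINUSE, -1 = could not probe. */
int probe_specific_v4_bind(int v6only) {
    struct sockaddr_in a = { .sin_family = AF_INET };
    unsigned short port = 0;
    int held = open_wildcard6(v6only, &port);
    int fd = held < 0 ? -1 : socket(AF_INET, SOCK_STREAM, 0);
    int result = -1;
    if (fd >= 0) {
        a.sin_port = htons(port);
        a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        if (bind(fd, (struct sockaddr *)&a, sizeof a) == 0) result = 1;
        else if (errno == EADDRINUSE) result = 0;
        close(fd);
    }
    if (held >= 0) close(held);
    return result;
}

int main(void) {
    printf("dual-stack wildcard: %d, v6-only wildcard: %d\n",
           probe_specific_v4_bind(0), probe_specific_v4_bind(1));
    return 0;
}
```

A result of 1 for the dual-stack case means the host permits the specific-address IPv4 bind alongside the dual-stack wildcard socket; the v6-only case is the control, since a v6-only socket does not occupy the IPv4 port.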