FreeBSD and dual mode sockets #3630
Comments
Thank you for creating this Issue. It is bigger than a breadbox. I recommend you delete the two "battlebrow" URLs so that SN developers reading |
Status note: I read the referenced 20+ year old draft rfc and a series of proposed standard rfc which came after it. The important/relevant point is that the draft RFC seems to have motivated some BSD developers to I suspect that action is at the OS level and not at the JDK level. The latest JDK "Networking Properties" API documentation I could find with a 20-second Google search
Java 8 API says almost, if not exactly, the same thing. I will have to check what the C library on FreeBSD & macOS allow for IPv4-mapped-IPv6 addresses. |
Of course the action has been taken at the OS level. OpenJDK 11+ don't have different behaviors on other platforms, as I said this is specific to all BSD ports (and not well documented). |
Here you can find some additional context: https://lists.freebsd.org/pipermail/freebsd-net/2013-June/035858.html BTW, I think the SN re-implementation of the java network API relies on IPv4-mapped IPv6 addresses, too, creating just one socket. It would be nice if it was the first java implementation to create two different unix sockets to handle the two protocols ;-) |
Notes:
|
Did you add the following setting to
And this is the
|
Thank you for the URLs. I am trying to keep an open & inquiring mind. I am not certain that there is a problem here. Perhaps the URL put it succinctly "debatable safety." The reason that we created this issue is so that it and the need to test also test on FreeBSD & macOS with Java >=11 re:
As the author of the code in question, I am probably disqualified to judge and must seek concrete evidence. I have to swap over to another task now. When I have another time slice here, I will have to read the Java API for If there are known-but-to-a-few OS differences and we can characterize them, it would be friendly for SN to I think the author of the posted URL described the tension between "standards compliance" and "idiosyncratic security fixes", especially when the veracity of the purported "security" issue is hard to affirm or bring to consensus. |
Yes, the severity of the security issue is subjective, I fully agree, but the result is that some OSes decided for more restrictive defaults, and others completely removed such feature (given that the same result can be achieved with what was already provided by the unix socket API). |
I think that is somewhere between a big gain and essential. Thank you for taking the initiative to When I return to this Issue, I will attempt to play the "What changed on what OS and which versions" game. More as I discover it. |
Another useful link: https://lwn.net/Articles/688462/ From OpenBSD
From FreeBSD
|
Having documented references is beyond gold and a real time save. I propose that at the least I/we put a section in the "Setup" doc describing I think, from brief current experiments, that BSD-based macOS 14.2 follows the IETF specification. I believe that Scala Native follows the IETF RFC and any deviation is unintentional and a defect/bug. I propose that SN continue this way for the foreseeable future. What is the sense of the meeting |
FreeBSD has IPv4-mapped IPv6 addresses disabled by default. On some other BSD platforms (e.g. OpenBSD) they cannot even be enabled. This is a design choice for security reasons: https://datatracker.ietf.org/doc/html/draft-cmetz-v6ops-v4mapped-api-harmful-01
OpenJDK 11 and later for BSD systems have a couple of different default settings, compared to the JDK implementations of other OSes:

- `java.net.preferIPv4Stack` is set by default to `true`
- `AF_INET6` sockets: the `IPV6_V6ONLY` flag is not cleared

This basically means that, without changing global system settings, Java can work correctly with one protocol at a time (IPv4 or IPv6), and IPv4 has been selected as the default choice.

Only by setting the `sysctl net.inet6.ip6.v6only=0` (that enables IPv4-mapped IPv6 addresses) and the system property `java.net.preferIPv4Stack=false` (that restores the use of dual mode AF_INET6 sockets) the FreeBSD behavior becomes similar to other OSes (with the additional security issues).

The proper solution would be to make the JDK use dual sockets to support both IPv6 and IPv4 like it does for Windows, but it's a huge task.
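Added example (not code from the JDK, Scala Native, or anyone in this thread): a C probe that reports the `IPV6_V6ONLY` value a fresh `AF_INET6` socket receives on the current OS and whether clearing it per socket succeeds, which is the flag handling the issue text above describes. The struct and function names are this example's own.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Probe result; struct and field names are this example's own. */
struct v6only_probe {
    int have_ipv6;      /* 1 if an AF_INET6 socket could be created */
    int default_v6only; /* IPV6_V6ONLY on a fresh socket, -1 if unreadable */
    int clear_errno;    /* 0 if the flag could be cleared, else errno */
    int final_v6only;   /* value read back after the attempt, -1 if unreadable */
};

/* Read IPV6_V6ONLY from fd: 1 = IPv6 only, 0 = dual mode, -1 = error. */
static int get_v6only(int fd) {
    int v = -1;
    socklen_t len = sizeof v;
    if (getsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v, &len) != 0)
        return -1;
    return v ? 1 : 0;
}

/* Create a socket, record the OS default, then try to clear the flag. */
struct v6only_probe probe_v6only(void) {
    struct v6only_probe r = {0, -1, 0, -1};
    int off = 0;
    int fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0) return r;
    r.have_ipv6 = 1;
    r.default_v6only = get_v6only(fd);
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &off, sizeof off) != 0)
        r.clear_errno = errno; /* the OS refuses dual mode on this socket */
    r.final_v6only = get_v6only(fd);
    close(fd);
    return r;
}

/* Only a socket whose flag reads back as 0 accepts IPv4-mapped peers. */
int is_dual_mode(const struct v6only_probe *r) {
    return r->have_ipv6 && r->final_v6only == 0;
}

int main(void) {
    struct v6only_probe r = probe_v6only();
    printf("default_v6only=%d clear_errno=%d dual_mode=%d\n",
           r.default_v6only, r.clear_errno, is_dual_mode(&r));
    return 0;
}
```

A `default_v6only` of 1 with `clear_errno` of 0 means dual mode is off by default but can be enabled per socket; a non-zero `clear_errno` means the OS does not allow it.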