[asterisk-dev] [Code Review] Make ACLs IPv6-capable
Simon Perreault
simon.perreault at viagenie.ca
Thu Jul 15 08:35:44 CDT 2010
On 2010-07-14 17:42, Mark Michelson wrote:
> The approach taken here was to use only IPv6 addresses in ACLs. If an
> IPv6 ACL is specified in a config file, then it is translated into an
> IPv4-mapped IPv6 address. The main reason for doing this was to have
> a uniform approach for applying a netmask to a given address.
> * I made a decision that a /0 or 0.0.0.0 netmask when applied to an
> IPv4 address would not be converted to an IPv4-mapped IPv6 address.
> Rather, it is simply made into an all 0s (i.e. unspecified) IPv6
> address. The reason for this is that /0 netmasks are used for "permit
> all" or "deny all" rules. By converting to an IPv4-mapped IPv6
> address, most IPv6 traffic will not match the access rule, which I
> think would be unexpected to most people.
Overall, I think the design is wrong. IPv4 addresses should be treated
like IPv4 addresses, and IPv6 addresses should be treated like IPv6
addresses. The two should be done independently. And when you are fed an
IPv4-mapped IPv6 address, you convert it to IPv4 (we already have a
function for that in netsock2 I think) and treat it as an IPv4 address.
In ideal code, IPv4-mapped IPv6 addresses should not exist. They are
evil. We used them as a hack to be able to listen on both IPv4 and IPv6
at the same time on a single socket. Ideally, the architecture of
chan_sip would be changed to allow multiple sockets, and IPv4-mapped
addresses would never be encountered. This would simplify netsock2 code
*a lot*.
Simon
--
NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca
STUN/TURN server --> http://numb.viagenie.ca
vCard 4.0 --> http://www.vcarddav.org
More information about the asterisk-dev
mailing list