IETF-SSH archive


Re: tcpip-forward requests and bind addresses



Darren Tucker <dtucker%zip.com.au@localhost> writes:

> The things that aren't clear:
>   - how to listen on all IPv4 and IPv6 interfaces.
>   - how to listen on localhost only on IPv4 and IPv6
> 
> Working with Damien Miller, we've come up with the following
> suggestions.  After some digging, it turns out we're (belatedly)
> seconding suggestions made by Niels Möller[1] in 2001!

It seems I haven't changed my mind since back then ;-). I like your
proposed text, with only one minor concern (see below).

> (1) the string "" should specify that connections are allowed from anywhere

> (2) "address to bind" should permit either a domain name or address

> (3) the string "localhost" should have a special meaning to the server
> of "all loopback IPv4 and IPv6 interfaces".

> [proposed text]
> The 'address to bind' and 'port number to bind' specify the IP address
> or domain name and port to which the socket to be listened is bound.
> The address should be "" if connections are to be accepted from anywhere
> on all supported protocol families.
> 
> The server SHOULD treat an address of "localhost" to be a special case
> meaning to listen on all supported protocol families on its loopback
> interfaces only.
> 
> The strings "0.0.0.0" and "::" should be used to listen on all
> interfaces on only IPv4 or IPv6 respectively.  Similarly, strings of
> "127.0.0.1" or "::1" should be used to listen on the loopback
> interface.
> 
> Note that the client can still filter connections based on information
> passed in the open request.
> [/proposed text]

I have some concern with the phrase "all supported protocol families".
I don't think it is wise to interpret that as "all protocol families
that getaddrinfo returns". It should be IPv4, IPv6 and, beyond that,
only protocol families that *really* make sense to the implementor and/or
local sysadm.

One simple argument against random protocol families is that we don't
specify what the "originator IP address" and "originator port" in
SSH_MSG_CHANNEL_OPEN "forwarded-tcpip".

Regards,
/Niels
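The bind-address rules from the quoted proposal, with Niels' restriction to IPv4 and IPv6 only, as an added example (not code from this thread or from any SSH implementation). The port argument and the injectable `resolver` parameter are assumptions made so the domain-name case can be exercised offline.

```python
import ipaddress
import socket

# Only IPv4 and IPv6 may back a tcpip-forward listener, regardless of
# what getaddrinfo happens to return (Niels' concern above).
ALLOWED_FAMILIES = {socket.AF_INET, socket.AF_INET6}

# Bind strings with a special meaning under the proposed text.
SPECIAL = {
    "": [(socket.AF_INET, "0.0.0.0"), (socket.AF_INET6, "::")],            # anywhere, all families
    "localhost": [(socket.AF_INET, "127.0.0.1"), (socket.AF_INET6, "::1")],  # loopback, all families
}


def resolve_bind_address(address_to_bind, port, resolver=socket.getaddrinfo):
    """Return the (family, host, port) tuples a server should listen on for
    a tcpip-forward 'address to bind'.  `resolver` is an assumption: it has
    getaddrinfo's signature and is injectable so tests need no network."""
    if address_to_bind in SPECIAL:
        return [(fam, host, port) for fam, host in SPECIAL[address_to_bind]]
    try:
        ip = ipaddress.ip_address(address_to_bind)  # literal "0.0.0.0", "::", "127.0.0.1", "::1", ...
    except ValueError:
        ip = None
    if ip is not None:
        fam = socket.AF_INET if ip.version == 4 else socket.AF_INET6
        return [(fam, str(ip), port)]
    # Domain name: resolve it, keep only IPv4/IPv6 results, drop duplicates.
    seen, result = set(), []
    for fam, _type, _proto, _canon, sockaddr in resolver(address_to_bind, port, 0, socket.SOCK_STREAM):
        if fam not in ALLOWED_FAMILIES:
            continue
        entry = (fam, sockaddr[0], port)
        if entry not in seen:
            seen.add(entry)
            result.append(entry)
    return result
```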


