IETF-SSH archive
Re: tcpip-forward requests and bind addresses
Darren Tucker <dtucker%zip.com.au@localhost> writes:
> The things that aren't clear:
> - how to listen on all IPv4 and IPv6 interfaces.
> - how to listen on localhost only on IPv4 and IPv6
>
> Working with Damien Miller, we've come up with the following
> suggestions. After some digging, it turns out we're (belatedly)
> seconding suggestions made by Niels Möller[1] in 2001!
It seems I haven't changed my mind since back then ;-). I like your
proposed text, with only one minor concern (see below).
> (1) the string "" should specify that connections are allowed from anywhere
> (2) "address to bind" should permit either a domain name or address
> (3) the string "localhost" should have a special meaning to the server
> of "all loopback IPv4 and IPv6 interfaces".
> [proposed text]
> The 'address to bind' and 'port number to bind' specify the IP address
> or domain name and port to which the socket to be listened is bound.
> The address should be "" if connections are to be accepted from anywhere
> on all supported protocol families.
>
> The server SHOULD treat an address of "localhost" to be a special case
> meaning to listen on all supported protocol families on its loopback
> interfaces only.
>
> The strings "0.0.0.0" and "::" should be used to listen on all
> interfaces on only IPv4 or IPv6 respectively. Similarly, strings of
> "127.0.0.1" or "::1" should be used to listen on the loopback
> interface.
>
> Note that the client can still filter connections based on information
> passed in the open request.
> [/proposed text]
I have some concern with the phrase "all supported protocol families".
I don't think it is wise to interpret that as "all protocol families
that getaddrinfo returns". It should be IPv4, IPv6 and, beyond that,
only protocol families that *really* make sense to the implementor and/or
local sysadmin.
One simple argument against random protocol families is that we don't
specify what the "originator IP address" and "originator port" in
SSH_MSG_CHANNEL_OPEN "forwarded-tcpip" would be.
Regards,
/Niels
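The request encoding and the bind-address interpretation discussed in the proposed text above, as an added example that is not part of this thread and not code from OpenSSH or any other SSH implementation. The wire layout is the SSH_MSG_GLOBAL_REQUEST "tcpip-forward" format from RFC 4254 (string "tcpip-forward", boolean want reply, string address to bind, uint32 port number to bind); bind_addresses() applies the "", "localhost", "0.0.0.0"/"::" and "127.0.0.1"/"::1" rules from the proposed text and, following Niels's concern, keeps only AF_INET and AF_INET6 results when a name has to be resolved. The function names and the family filter are my assumptions, not something the thread or the draft specifies.

```python
"""Interpreting the 'address to bind' of an SSH tcpip-forward request.

Added example, not code from the thread or from any SSH implementation.
The wire format is the RFC 4254 "tcpip-forward" global request; the
bind-address rules follow the text proposed in the thread. The family
filter in bind_addresses() is an assumption implementing Niels's point
that only IPv4/IPv6 (and deliberately chosen families) should be used.
"""
import socket
import struct

SSH_MSG_GLOBAL_REQUEST = 80           # RFC 4254 message number
AF_INET, AF_INET6 = socket.AF_INET, socket.AF_INET6
ALLOWED_FAMILIES = (AF_INET, AF_INET6)  # assumption: what "supported" means here


def _string(b: bytes) -> bytes:
    """SSH 'string' type: uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def encode_tcpip_forward(address: str, port: int, want_reply: bool = True) -> bytes:
    """Build the client's SSH_MSG_GLOBAL_REQUEST "tcpip-forward" message."""
    return (bytes([SSH_MSG_GLOBAL_REQUEST])
            + _string(b"tcpip-forward")
            + bytes([1 if want_reply else 0])
            + _string(address.encode("ascii"))
            + struct.pack(">I", port))


def decode_tcpip_forward(data: bytes):
    """Parse the request on the server side; returns (address, port, want_reply)."""
    if not data or data[0] != SSH_MSG_GLOBAL_REQUEST:
        raise ValueError("not a global request")
    off = 1

    def rd_string() -> bytes:
        nonlocal off
        (n,) = struct.unpack_from(">I", data, off)
        off += 4
        s = data[off:off + n]
        if len(s) != n:
            raise ValueError("truncated string")
        off += n
        return s

    if rd_string() != b"tcpip-forward":
        raise ValueError("not a tcpip-forward request")
    want_reply = data[off] != 0
    off += 1
    address = rd_string().decode("ascii")
    (port,) = struct.unpack_from(">I", data, off)
    return address, port, want_reply


def bind_addresses(address: str, port: int):
    """Map the 'address to bind' string to a list of (family, ip, port).

    "" and "localhost" are the special cases from the proposed text; the
    explicit wildcard/loopback literals select a single family; anything
    else is resolved but restricted to IPv4 and IPv6 (Niels's concern).
    """
    if address == "":                       # anywhere, both families
        return [(AF_INET, "0.0.0.0", port), (AF_INET6, "::", port)]
    if address == "localhost":              # loopback only, both families
        return [(AF_INET, "127.0.0.1", port), (AF_INET6, "::1", port)]
    if address in ("0.0.0.0", "127.0.0.1"):
        return [(AF_INET, address, port)]
    if address in ("::", "::1"):
        return [(AF_INET6, address, port)]
    results = []
    for family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            address, port, socket.AF_UNSPEC, socket.SOCK_STREAM, 0, socket.AI_PASSIVE):
        if family in ALLOWED_FAMILIES:      # drop anything that is not IPv4/IPv6
            results.append((family, sockaddr[0], port))
    return results


if __name__ == "__main__":
    msg = encode_tcpip_forward("localhost", 8080)   # constructed sample request
    addr, prt, reply = decode_tcpip_forward(msg)
    for family, ip, p in bind_addresses(addr, prt):
        print(family.name, ip, p)
```

When the two wildcard sockets produced for "" or "localhost" are actually bound on a dual-stack host, the IPv6 socket needs IPV6_V6ONLY set (or must be bound after the IPv4 one fails gracefully); otherwise on Linux with the default bindv6only=0 the second bind fails with EADDRINUSE because "::" already covers IPv4-mapped addresses. The originator address reported back in the "forwarded-tcpip" channel open is another reason to keep the family list short, as the message above points out.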