IETF-SSH archive


Re: tcpip-forward requests and bind addresses



Jeffrey Hutzelman <jhutz%cmu.edu@localhost> writes:

> We should be careful to specify exactly what we mean by "localhost",
> "127.0.0.1", and "::1".  Do we mean that the ssh server should bind to
> the loopback address, or that it should listen on all loopback
> interfaces, regardless of address?

As for IPv6, my reading of RFC3513 is that ::1 is the only localhost
address. One may be able to set up routing for other addresses so that
they behave the same way as ::1, but I don't think that's anything an ssh
implementation should be required to know about. For IPv6, "localhost
interface" = "localhost address" = "::1" seems to be consistent with
the referenced RFC, so I don't think there's any ambiguity.

For IPv4, the entire block 127.0.0.0/8 is reserved for localhost
addresses. My feeling is that it should be sufficient, in practically
all cases, to listen on 127.0.0.1. In the uncommon case that there are
several configured loopback addresses, 127.0.0.1 *ought* to be one of
them.

If 127.0.0.x, x != 1, is a configured address, it may or may not make
sense to have the ssh server listen on that address too, in
addition to 127.0.0.1. I can't make a strong and universal
recommendation either way, so I think this choice should be left to
the implementation. I would expect most implementations to treat
"localhost" and "127.0.0.1" as synonyms (within IPv4).

If we absolutely need to clarify it, we could say something like

  For IPv4, a large block, 127.0.0.0/8, is reserved for localhost
  addresses. Implementations MAY/SHOULD treat 127.0.0.1 as the only
  IPv4 localhost address. Listening on other addresses in this block,
  when "localhost" is requested, is OPTIONAL.

Regards,
/Niels
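
The interpretation discussed in the message above, as an added example that is not part of the original message or of any ssh implementation: a server-side helper that decides which addresses to listen on for a tcpip-forward bind address. The function names, the `configured` list and the `extra_ipv4_loopbacks` switch are hypothetical, and mapping "localhost" to both 127.0.0.1 and ::1 is an assumption.

```python
import ipaddress

# Per the message: all of 127.0.0.0/8 is reserved for IPv4 localhost
# addresses, while ::1 is the only IPv6 localhost address.
IPV4_LOOPBACK_BLOCK = ipaddress.ip_network("127.0.0.0/8")
IPV6_LOOPBACK = ipaddress.ip_address("::1")


def is_loopback(addr):
    """True if addr is a localhost address in the sense discussed above."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return ip == IPV6_LOOPBACK
    return ip in IPV4_LOOPBACK_BLOCK


def listen_addresses(requested, configured=(), extra_ipv4_loopbacks=False):
    """Map a requested bind address to the addresses the server listens on.

    requested: "localhost" or an address literal (hypothetical input model).
    configured: addresses configured on this host (constructed by caller).
    extra_ipv4_loopbacks: the OPTIONAL behaviour from the proposed text,
        i.e. also listen on other configured 127.0.0.x addresses.
    """
    if requested == "localhost":
        # Assumption: "localhost" means 127.0.0.1 for IPv4 and ::1 for IPv6.
        result = ["127.0.0.1", "::1"]
        if extra_ipv4_loopbacks:
            for addr in configured:
                ip = ipaddress.ip_address(addr)
                if ip.version == 4 and is_loopback(addr) and addr != "127.0.0.1":
                    result.append(addr)
        return result
    # Anything else must be an address literal; ValueError otherwise.
    return [str(ipaddress.ip_address(requested))]


def stays_local(addresses):
    """True if every listen address is loopback, so the forwarded port is
    not reachable from other hosts."""
    return all(is_loopback(a) for a in addresses)


if __name__ == "__main__":
    # Constructed sample configuration for illustration.
    host_addrs = ["127.0.0.1", "127.0.0.2", "192.0.2.10", "::1"]
    print(listen_addresses("localhost", host_addrs))
    print(listen_addresses("localhost", host_addrs, extra_ipv4_loopbacks=True))
```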


