Re: [Sks-devel] IPv4 vs. IPv6? -- Reconciliation attempt from unauthoriz


From: John Clizbe
Subject: Re: [Sks-devel] IPv4 vs. IPv6? -- Reconciliation attempt from unauthorized host, but host is authorized
Date: Tue, 03 Dec 2013 12:48:05 -0600
User-agent: Mozilla/5.0 (X11; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0 SeaMonkey/2.22.1

Daniel Kahn Gillmor wrote:
> On 11/27/2013 04:30 PM, Phil Pennock wrote:
>> On 2013-11-27 at 12:57 -0500, Daniel Kahn Gillmor wrote:
>>> i'm running sks 1.1.4 on Debian GNU/Linux, wheezy, amd64 (x86_64)
>>> platform.
>>>
>>> I see the following situation in the logs of the recon process (this is
>>> just an example, it seems to happen to all my IPv4 peers):
>>>
>>> 2013-11-27 12:37:17 address for sks-peer.spodhuis.org:11370 changed from [] 
>>> to [<ADDR_INET [2a02:898:31:0:48:4558:73:6b73]:11370>, <ADDR_INET 
>>> [94.142.241.93]:11370>]
>>> 2013-11-27 12:37:17 Reconciliation attempt from unauthorized host 
>>> <ADDR_INET [::ffff:94.142.241.93]:54518>.  Ignoring
>> 
>> This to me smells of a binding issue, where your v6 sockets are
>> accepting IPv4 addresses but SKS isn't handling that pattern.
> 
> yep, i think that's probably the case.
> 
>> If you're free to do so on this box, you can change the global state
>> with the `net.ipv6.bindv6only` sysctl; set it to 1 from 0.
> 
> hm, this seems like it would have cascading effects over other listening
> services on this machine, including the reverse proxy, whose
> configuration i would need to change if i was to diverge from the system
> defaults.
> 
>> If my recollection is accurate, when we were discussing IPv6 in SKS and
>> I provided my patches and commented upon Kim's (the ones which went in),
>> the O'Caml runtime did not support accessing the `setsockopt(2)` call
>> needed to tune this on a per-socket basis.  You're looking for the
>> `IPV6_V6ONLY` socket option at `IPPROTO_IPV6` level.
>> 
>> google(SKS IPV6_V6ONLY) yields:
>>   https://lists.nongnu.org/archive/html/sks-devel/2009-03/msg00170.html
>> 
>> So, if I was right in 2009, then with O'Caml 3.11 you can fix this.
> 
> well, i'm certainly fine with depending on ocaml 3.11 for modern
> versions of sks.  But it seems like there are two approaches that could
> be taken to fix it, and only one of them ought to rely on IPV6_V6ONLY:
> 
From the file ANNOUNCEMENT in the 1.1.4 tree:
Prerequisites
====================
There are a few prerequisites to building this code.  You need:
* ocaml-3.10.2 or later.  Get it from <http://www.ocaml.org>
  ocaml-3.12.x is recommended, ocaml-4.x is not recommended at this time
* Berkeley DB version 4.6.* or later, whereby 4.8 or later is recommended.
  You can find the appropriate versions at
  <http://www.oracle.com/technetwork/database/berkeleydb/downloads/index.html>

It's been this way for quite a number of years. I'm perfectly fine with bumping
the minimums to Ocaml 3.12.1 and BDB 4.8. I've been using Ocaml 4.00.1 and BDB
5.3/6.0 for some time now with no issues.


-- 
John P. Clizbe                      Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP                  or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
     mailto:address@hidden

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
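
Added example, not part of the original message and not SKS code (SKS is OCaml; Python is used here only for illustration): the log lines quoted above show a peer listed as 94.142.241.93 arriving on a dual-stack socket as ::ffff:94.142.241.93, so a textual comparison rejects it. The sketch below compares addresses by value after unwrapping IPv4-mapped IPv6, and also shows the per-socket IPV6_V6ONLY alternative to the global net.ipv6.bindv6only sysctl. The function names and the peer list are assumptions built from the quoted log.

```python
import ipaddress
import socket

# Constructed from the log lines quoted in the message above.
AUTHORIZED_PEERS = ["2a02:898:31:0:48:4558:73:6b73", "94.142.241.93"]


def canonical(addr):
    """Parse an address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def naive_is_authorized(source_addr, peers=AUTHORIZED_PEERS):
    """Textual comparison: reproduces the rejection seen in the quoted log."""
    return source_addr in peers


def is_authorized(source_addr, peers=AUTHORIZED_PEERS):
    """Compare by address value, so the mapped form matches its IPv4 peer."""
    allowed = {canonical(p) for p in peers}
    return canonical(source_addr) in allowed


def v6only_listener(port=0):
    """Per-socket alternative: this listener accepts IPv6 only, so IPv4 peers
    must reach a separate AF_INET socket and never appear in mapped form.
    Leaves the system-wide net.ipv6.bindv6only default untouched."""
    s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
    s.bind(("::", port))
    s.listen(5)
    return s


if __name__ == "__main__":
    src = "::ffff:94.142.241.93"  # source address from the quoted log line
    print("string compare:", naive_is_authorized(src))
    print("value compare: ", is_authorized(src))
```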

