Re: [Sks-devel] IPv4 vs. IPv6? -- Reconciliation attempt from unauthoriz
From: Daniel Kahn Gillmor
Subject: Re: [Sks-devel] IPv4 vs. IPv6? -- Reconciliation attempt from unauthorized host, but host is authorized
Date: Tue, 03 Dec 2013 11:56:46 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.0

On 12/03/2013 06:11 AM, Karl Schmitz wrote:
> maybe you should suggest adding the IPv4 compatibility DNS record (i.e.,
> *sks-peer AAAA ::ffff:94.142.241.93*) to the administrator of
> sks-peer.spodhuis.org.
>
> To see if that'll work out, try adding an equivalent record to your
> /etc/hosts temporarily.

I tested this by adding duplicate records to /etc/hosts on
zimmermann.mayfirst.org for a couple of IPv4-only keyservers that
zimmermann is peering with.

even after touching /etc/sks/membership, the sks recon process did not
pick up the new addresses, but it did pick them up when i restarted sks
recon.

This does appear to work for me.

I included both the normal IPv4 and the IPv6-translated addresses for
the hosts in question. for example:

  204.13.164.120 keys.indymedia.org
  ::ffff:204.13.164.120 keys.indymedia.org

the downside to this approach seems to be that i can't actually connect
to those peers on the ::ffff:W.X.Y.Z address, since they do not have an
IPv6 stack set up.

It seems unlikely that people with a non-IPv6 setup would want to
publish that AAAA record, since it won't work for communicating with them.

It also seems like a bad idea for me to keep these addresses hard-coded
in /etc/hosts, since DNS assignments might change.

One approach to fix this would be to consider ::ffff:W.X.Y.Z the same as
W.X.Y.Z. Here's a clunky way to do that (i'd be happy to see a better
mechanism proposed by someone who really knows ocaml):

----------------
diff -r 0b577212aab4 membership.ml
--- a/membership.ml Tue Sep 17 16:40:47 2013 -0400
+++ b/membership.ml Tue Dec 03 11:53:02 2013 -0500
@@ -156,9 +156,16 @@
let (m,mtime) = !membership in
membership := (m,0.)
+let compare_v4_v6 a b =
+ let a_s = Unix.string_of_inet_addr a in
+ let b_s = Unix.string_of_inet_addr b in
+ let prefix = "::ffff:" in
+ a_s = prefix ^ b_s || b_s = prefix ^ a_s
+
let same_inet_addr addr1 addr2 =
match (addr1,addr2) with
- (Unix.ADDR_INET (ip1,_), Unix.ADDR_INET (ip2,_)) -> ip1 = ip2
+ (Unix.ADDR_INET (ip1,_), Unix.ADDR_INET (ip2,_)) ->
+ ip1 = ip2 || compare_v4_v6 ip1 ip2
| _ -> false
let rec choose () =
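Review bot: compare_v4_v6 decides equivalence by comparing the output of Unix.string_of_inet_addr against the literal prefix "::ffff:", so the match depends on the platform printing a mapped address in dotted-quad form; if it is rendered in hex groups instead, the check returns false and the peer is rejected as before. Given that this comparison sits in membership.ml and the thread is about peers being refused as unauthorized, I would strip the prefix from the mapped side, re-parse the remainder with Unix.inet_addr_of_string and compare the resulting addresses rather than the strings, and add a one-line comment on same_inet_addr saying that only the IPv4-mapped form is meant to be equivalent. The name compare_v4_v6 also reads like an ordering function while it returns a bool; something like is_v4_mapped_pair would be clearer at the call site in same_inet_addr.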
----------------
--dkg
signature.asc
Description: OpenPGP digital signature
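
The equivalence proposed in the message above (treat ::ffff:W.X.Y.Z as W.X.Y.Z when checking a peer against the membership list), as an added example that is not part of the original message or of SKS. It is written in Python rather than SKS's OCaml, compares parsed addresses instead of their text, and the function names, the membership list and the 2001:db8::10 entry are assumptions made for illustration.

```python
import ipaddress

# Constructed membership list: the IPv4 address is the one quoted in the post,
# the IPv6 address is a documentation-range placeholder.
MEMBERSHIP = ["204.13.164.120", "2001:db8::10"]


def canonical(addr):
    """Parse addr; unwrap an IPv4-mapped IPv6 address (::ffff:0:0/96) to IPv4."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def naive_is_member(peer, membership=MEMBERSHIP):
    """Textual comparison: fails for a mapped peer address."""
    return peer in membership


def is_member(peer, membership=MEMBERSHIP):
    """Compare parsed, canonical addresses instead of their spellings."""
    allowed = {canonical(a) for a in membership}
    return canonical(peer) in allowed


if __name__ == "__main__":
    # Constructed peer addresses: plain IPv4, two spellings of the mapped form,
    # two other IPv6 forms that embed the same IPv4 bits, and an IPv6 member.
    for peer in ["204.13.164.120", "::ffff:204.13.164.120", "::ffff:cc0d:a478",
                 "::204.13.164.120", "64:ff9b::204.13.164.120", "2001:DB8::10"]:
        print(f"{peer:28} naive={naive_is_member(peer)!s:5} "
              f"canonical={is_member(peer)}")
```

Only the mapped range is unwrapped, so other IPv6 forms that happen to carry the same 32 bits do not become members.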