inet6
is a collection of protocols layered atop the
Internet Protocol version 6
(IPv6)
transport layer, and using the IPv6 address format.
The
inet6
family provides protocol support for the
SOCK_STREAM
, SOCK_DGRAM
,
and
SOCK_RAW
socket types; the
SOCK_RAW
interface provides access to the
IPv6
protocol.
netinet/in.h
>
defines this address
as a discriminated union.
Sockets bound to the inet6 family use the following addressing structure:
struct sockaddr_in6 {
uint8_t sin6_len;
sa_family_t sin6_family;
in_port_t sin6_port;
uint32_t sin6_flowinfo;
struct in6_addr sin6_addr;
uint32_t sin6_scope_id;
};
Sockets may be created with the local address
``::
''
0:0:0:0:0:0:0:0
(which is equal to IPv6 address)
to effect
``wildcard''
matching on incoming messages.
The IPv6 specification defines scoped addresses, like link-local or site-local addresses. A scoped address is ambiguous to the kernel, if it is specified without a scope identifier. To manipulate scoped addresses properly from the userland, programs must use the advanced API defined in RFC 2292. A compact description of the advanced API is available in ip6(4). If a scoped address is specified without an explicit scope, the kernel may raise an error. Note that scoped addresses are not for daily use at this moment, both from a specification and an implementation point of view.
The KAME implementation supports an extended numeric IPv6 address notation
for link-local addresses,
like
``fe80::1%de0
''
to specify
on
de0
interface
``fe80::1
.''
This notation is supported by
getaddrinfo(3)
and
getnameinfo(3).
Some of normal userland programs, such as
telnet(1)
or
ftp(1),
are able to use this notation.
With special programs
like
ping6(8),
you can specify the outgoing interface by an extra command line option
to disambiguate scoped addresses.
Scoped addresses are handled specially in the kernel.
In kernel structures like routing tables or interface structures,
a scoped address will have its interface index embedded into the address.
Therefore,
the address in some kernel structures is not the same as that on the wire.
The embedded index will become visible through a
PF_ROUTE
socket, kernel memory accesses via
kvm(3)
and on some other occasions.
HOWEVER, users should never use the embedded form.
For details please consult
http://www.kame.net/dev/cvsweb.cgi/kame/IMPLEMENTATION
.
Note that the above URL describes the situation with the latest KAME tree,
not the
NetBSD
tree.
SOCK_STREAM
abstraction while
UDP
is used to support the
SOCK_DGRAM
abstraction.
Note that
TCP
and
UDP
are common to
inet(4)
and
inet6.
A raw interface to
IPv6
is available
by creating an Internet socket of type
SOCK_RAW
.
The
ICMPv6
message protocol is accessible from a raw socket.
AF_INET6
sockets.
The default behavior intentionally violates RFC 2553 for security reasons.
Listen to two sockets if you want to accept both IPv4 and IPv6 traffic.
IPv4 traffic may be routed with certain
per-socket/per-node configuration, however, it is not recommended to do so.
Consult
ip6(4)
for details.
The behavior of
AF_INET6
TCP/UDP socket is documented in RFC 2553.
Basically, it says this:
AF_INET6
socket
with an address specified
(bind(2))
should accept IPv6 traffic to that address only.
AF_INET6
socket
to IPv6 address
::
(bind(2),)
and there is no wildcard bind
AF_INET
socket on that TCP/UDP port, IPv6 traffic as well as IPv4 traffic
should be routed to that
AF_INET6
socket.
IPv4 traffic should be seen as if it came from an IPv6 address like
::ffff:10.1.1.1
.
This is called an IPv4 mapped address.
AF_INET
socket and a wildcard bind
AF_INET6
socket on one TCP/UDP port, they should behave separately.
IPv4 traffic should be routed to the
AF_INET
socket and IPv6 should be routed to the
AF_INET6
socket.
However, RFC 2553 does not define the ordering constraint between calls to
bind(2),
nor how IPv4 TCP/UDP port numbers and IPv6 TCP/UDP port numbers
relate to each other
(should they be integrated or separated.)
Implemented behavior is very different from kernel to kernel.
Therefore, it is unwise to rely too much upon the behavior of
AF_INET6
wildcard bind sockets.
It is recommended to listen to two sockets, one for
AF_INET
and another for
AF_INET6
,
when you would like to accept both IPv4 and IPv6 traffic.
It should also be noted that
malicious parties can take advantage of the complexity presented above,
and are able to bypass access control,
if the target node routes IPv4 traffic to
AF_INET6
socket.
Users are advised to take care handling connections
from IPv4 mapped address to
AF_INET6
sockets.
Users are suggested to implement ``version independent'' code as much as possible, as you will need to support both inet(4) and inet6.