Project

General

Profile

[Solved] Default IPv6

Added by reubenhwk almost 7 years ago

Why is IPv6 disabled by default? It is trivial to detect IPv6 and use it as the default protocol. Falling back to IPv4 should ONLY happen if IPv6 isn't available. All IPv4 addresses are mapped to v6 sockets implicitly by the kernel. The setting server.use-ipv6 = "enable" should be changed to server.disable-ipv6 = "yes I really, really want to disable IPv6 even though I know it's stupid to disable IPv6 because an IPv6 socket can respond to IPv4 connections via IPv4 mapped IPv6 addresses like this one ::192.168.0.154"

I'm sorry, but if lighttpd is meant as a faster, simpler and is most other ways better web server, how could it be built around IPv4 in this way? Are you aiming to build a web server for 1992? I can submit patches to remedy this problem, but before I start I want to find out the rational for this apparent step backwards...


Replies (9)

RE: Default IPv6 - Added by stbuehler almost 7 years ago

Go flame somewhere else, i don't see why i should invest time to tell you our reasons.

RE: Default IPv6 - Added by reubenhwk almost 7 years ago

Sorry dude. I didn't mean to upset... I'm just baffled. I'll rephrase my question...

What is the design decision to explicitly enable IPv6? IPv6 sockets are backward compatible with IPv4. It seems like a better idea to simply use IPv6 if it is available and only fall back to IPv4 in case of no IPv6 or if IPv6 is explicitly disabled...

Thanks in advance.

RE: Default IPv6 - Added by stbuehler almost 7 years ago

  • We switched to "disabled dual-stack" by default now, see r2758 (it is the only "clean" solution; dual stack was a bad idea imho in the first place, especially for applications that support multiple listening sockets)
  • Relying on dual-stack is bad too, as not all systems support it
  • Enabling IPv6 without requiring a config change could make configurations unsecure that were perfectly sane and secure until now.
  • Using features automatically as soon as they are available is a bad practice generally imho; you don't get proper warnings/errors if they are not available, so you might not notice if something breaks.
  • It realls is pretty easy to enable ipv6 in lighttpd... see IPv6-Config

RE: Default IPv6 - Added by reubenhwk almost 7 years ago

  • We switched to "disabled dual-stack" by default now, see r2758 (it is the only "clean" solution; dual stack was a bad idea imho in the first place, especially for applications that support multiple listening sockets)

I'm not clear on why dual stack is a bad idea. It makes code simpler. Everything transparently come from a consistent protocol. If you don't mind, could you elaborate?

  • Relying on dual-stack is bad too, as not all systems support it

I wouldn't go as far as saying lighttpd should "rely" on dual stack. However, Windows, Linux, BSD and Solaris all support dual stack. It seems to me dual-stack is the norm. At most I think some #defines and a few build system macros can check for and disable dual stack code when it's not available. Besides, dual stack is soon going to be the norm for many years to come.

  • Enabling IPv6 without requiring a config change could make configurations unsecure that were perfectly sane and secure until now.

Understood and agreed.

  • Using features automatically as soon as they are available is a bad practice generally imho; you don't get proper warnings/errors if they are not available, so you might not notice if something breaks.

Understood, but I disagree. Network admins and others running a server to serve webpages should at a minimum be aware of IPv6. It seems lighttpd is enabling people to pretend IPv6 doesn't exist. At this point in time, people should be paying close attention to IPv6, not ignoring it by default. Most Linux distros as well as Windows Vista and Windows 7 enable IPv6 by default. People don't have to go out of their way to enable it there, but I have to go out of my way to enable it here. If people really don't want their web server to do IPv6, they should disable IPv6 in their OS or setup a firewall, but software should always detect what it has to work with and should use the features as effectively as possible. For example, if I'm playing a video game, it would be completely unreasonable for me to have to tell the game what GPU features I have and explicitly tell the game to use them. That never happens. The software detects features and allows the user to disable them.

  • It realls is pretty easy to enable ipv6 in lighttpd... see IPv6-Config

So it is easy, lighttpd is exciting, but I'm disappointed is hasn't yet fully embraced IPv6.

Thanks for your replies. It's much appreciated.

RE: Default IPv6 - Added by stbuehler almost 7 years ago

reubenhwk wrote:

  • We switched to "disabled dual-stack" by default now, see r2758 (it is the only "clean" solution; dual stack was a bad idea imho in the first place, especially for applications that support multiple listening sockets)

I'm not clear on why dual stack is a bad idea. It makes code simpler. Everything transparently come from a consistent protocol. If you don't mind, could you elaborate?

Imho IPv4 and IPv6 are two different protocols, which provide similar features; this gets visible in places like "i have ::ffff:... addresses in my access log" (or think of regular expressions to match ip addresses).

  • Relying on dual-stack is bad too, as not all systems support it

I wouldn't go as far as saying lighttpd should "rely" on dual stack. However, Windows, Linux, BSD and Solaris all support dual stack. It seems to me dual-stack is the norm. At most I think some #defines and a few build system macros can check for and disable dual stack code when it's not available. Besides, dual stack is soon going to be the norm for many years to come.

On BSD dual stack is disabled by default (i don't know whether they "support" it); debian recently tried disabling it, but they reverted it (a very bad move imho too; they had it like 6 months and reverted the change shortly before freeze).
I think all servers should support listening to multiple sockets; and with that there is no need for dual stack.

  • Enabling IPv6 without requiring a config change could make configurations unsecure that were perfectly sane and secure until now.

Understood and agreed.

  • Using features automatically as soon as they are available is a bad practice generally imho; you don't get proper warnings/errors if they are not available, so you might not notice if something breaks.

Understood, but I disagree. Network admins and others running a server to serve webpages should at a minimum be aware of IPv6. It seems lighttpd is enabling people to pretend IPv6 doesn't exist. At this point in time, people should be paying close attention to IPv6, not ignoring it by default. Most Linux distros as well as Windows Vista and Windows 7 enable IPv6 by default. People don't have to go out of their way to enable it there, but I have to go out of my way to enable it here. If people really don't want their web server to do IPv6, they should disable IPv6 in their OS or setup a firewall, but software should always detect what it has to work with and should use the features as effectively as possible. For example, if I'm playing a video game, it would be completely unreasonable for me to have to tell the game what GPU features I have and explicitly tell the game to use them. That never happens. The software detects features and allows the user to disable them.

Ok, that statement was very generic ofc, so it is easy to find counter arguments. If you have an application where you can see when features are missing, you don't have that problem; and you will notice when your video game suddenly uses the software renderer...
What i wanted to say is that i don't like it if things happen "by magic" without asking me. (like virus scanner updates popping up while your playing a game, your desktop starts indexing all your files "in the background", or your server starts providing services you didn't want; that may be good for the average user, but not for sys admins)

  • It realls is pretty easy to enable ipv6 in lighttpd... see IPv6-Config

So it is easy, lighttpd is exciting, but I'm disappointed is hasn't yet fully embraced IPv6.

"hasn't yet fully embraced IPv6" ? wtf. you agreed that enabling it by default is not good, so what do you want?
That our current syntax in 1.x for listening to multiple sockets sucks is true, but that has nothing to do with IPv6.
Btw: lighttpd.net is reachable via IPv6.

Thanks for your replies. It's much appreciated.

RE: Default IPv6 - Added by Olaf-van-der-Spek almost 7 years ago

stbuehler wrote:

What i wanted to say is that i don't like it if things happen "by magic" without asking me.

Then add a switch to enable the new stuff.

RE: Default IPv6 - Added by stbuehler almost 7 years ago

There is one easy enough way imho; don't need a second one, especially not in a "stable" branch.

RE: Default IPv6 - Added by Olaf-van-der-Spek almost 7 years ago

As the issue keeps coming up I think it's not easy enough.

RE: [Solved] Default IPv6 - Added by gstrauss 7 months ago

stbuehler made many well-reasoned points above.

To enable IPv6, see IPv6-Config, specifically the section "Recommended IPv6 setup"

    (1-9/9)