A few quick notes on making an application FULLY IPv6 compliant

Aug 28, 2012

Over the past decade, PowerDNS has become ever more IPv6 compliant, and I think that since a year or so, we fixed every last issue.

So why did it take so long? Just creating an AF_INET6 socket and binding it shouldn’t be that hard, right?

Here are some points to ponder:

  • IP addresses are used for more things than offering services! In other words, once your application can bind() to an IPv6 address, you are not done. 
    • So look not only at each call to bind() but to each call to connect() too!
    • Filtering – if you offer the ability to restrict service to certain classes of IP addresses, your filtering needs to be IPv6 aware
    • Proxying – if your service can forward requests to somewhere else, that too needs to know what socket family to use
    • Databases, web services often supply data you need to do your work. And those underlying services too can live on IPv6! 
  • IPv6 addresses are like IPv4 addresses.. but not quite
    • Scoped link local addresses. In some circles, it is recommended to bind services to locally scoped addresses, and such addresses look like fe80::92fb:a6ff:fe4a:51da%eth0. You must make sure you use the right API call to translate such a human address representation into a sockaddr_in6. I recommend getaddrinfo(), but pay close attention to its non-standard return codes!
  • Address lookup – if the operator specifies that queries need to be forwarded to ‘downstream.yourcompany.com’, did he mean the IP address of that host? Or the IPv6 address? Or both? Or the first one which works? If there are more IPv4 and IPv6 addresses, what to do?
    • Also, be prepared to lookup the address again. My Android phone tries to talk IPv6 over the IPv4-only cellular network immediately after leaving my home Wifi – which doesn’t work!
  • Ports – for IPv4, it is common to use to describe port 25 on host But how to map this to IPv6, which already uses : internally? Commonly used patterns are [::1]:25 or ::1#25. Pick one, both for input and output. ::1:25 is ambiguous.
  • Some systems have no IPv6 at a very fundamental level. This includes security conscious FreeBSD and OpenBSD users. Make sure that your application can deal with a failure to bind to ::, and also with a failure to even *make* an AF_INET6 socket.
  • Some systems might not have an IPv4 address, preventing you from binding to or even! This is a good test case to see if you really fixed everything.
  • When writing socket family agnostic code, be aware that some operating systems are more picky than others. For example, Linux will allow you to pass an AF_INET sockaddr with a socket length that is > sizeof(sockaddr_in), for example sizeof(sockaddr_in6). FreeBSD complains about this. So always supply the correct sockaddr length!
  • sockaddr_in6 contains a lot of fields, some of which are never used. This is unlike sockaddr_in which is completely specified by family, IP address and port. Be sure to zero your sockaddr_in6 before use, as it might start to fail silently later on if you don’t.
  • On Linux, if you bind an IPv6 socket to the IPv6 address ::, by default, it will also listen on IPv4! This is unexpected and a bit weird, but it is what happens. If an IPv4 connection comes in over the IPv6 socket, the IPv4 address will be mapped to an IPv6 address that starts with ::ffff. The major issue with this is that you suddenly can’t bind anything (else) to anymore on the same port number. Use the IPV6_V6ONLY setsockopt() option to fix this.
    • If you still use such :: binding to IPv4 and IPv6, make sure that any access filters you have will correctly match ::ffff: to!
Finally, for PowerDNS it took ages to remove the last ‘IPv4-only’ vestiges. We only were done once we had audited *each* and *every use* of AF_INET in our source tree. 
It is highly recommended to use an abstraction that allows you to  specify, pass and print addresses without having to worry about them being IPv4 or IPv6. The PowerDNS ComboAddress might serve as inspiration. Code can be found  here. From there you can also find code that helps match IPv4 and IPv6 addresses to NetMasks and NetMaskGroups, for easy filtering.
Finally, unless you truly audit each and every socket operation, you will miss certain corner cases, so do expect some fallout down the road.

About the author

Bert Hubert

Bert Hubert

Principal, PowerDNS

Related Articles

PowerDNS Authoritative Server 4.9.0

This is release 4.9.0 of the Authoritative Server. It brings a few new features, and a collection of small improvements and...

Peter van Dijk Mar 15, 2024

PowerDNS Recursor: Extended DNS Errors Help You Troubleshooting

This is the seventh episode of a series of blog posts we are publishing, mostly around recent developments with respect to...

Otto Moerbeek Mar 12, 2024

PowerDNS Recursor 4.8.7, 4.9.4 and 5.0.3 Released

Today we have released PowerDNS Recursor 4.8.7, 4.9.4 and 5.0.3. These releases are maintenance releases that fix a few...

Otto Moerbeek Mar 7, 2024

PowerDNS Authoritative Server 4.9.0-beta2

This is release 4.9.0-beta2 (beta1 was not released, due to a tagging mistake) of the Authoritative Server. It brings a few...

Peter van Dijk Feb 16, 2024