Hacker News new | ask | show | jobs
by QuercusMax 69 days ago
Here's an example of a potential security hole caused by lack of ipv6 knowledge:

I've been setting up Snapcast (open-source multi-room audio), and needed to move the server to a different machine. While I was setting up the new system, I told it to only bind to localhost. Somehow this only affects the ipv4 networking stack, as some of my clients started automatically connecting to the new server even before I had finished all my testing.

Turns out that it was advertising some kind of ipv6 link-local address that showed up in autodiscovery. In my case there wasn't any harm, but this type of thing could very easily result in a major security vulnerability.
2 comments
jcgl 69 days ago
I don't see how this generalizes into a security hole caused be lack of IPv6 knowledge. It just sounds like a random bug in Snapcast (great program!). If a user configures a program to only bind to loopback, but the program binds to other interfaces as well, that's a bug in the program.
link
QuercusMax 69 days ago
There are sure to be dozens or hundreds of vulnerabilities like this, that's what I'm saying. I'm not even sure it's a bug in snapcast - very possible I configured it wrong without realizing.
link
jcgl 69 days ago
Without knowing exactly what happened here, it could be hundreds, dozens, or zero other such vulnerabilities.

The usual convention for configuring listening interfaces usually involves listing IP addresses or interface names. There's very little room for misconfiguration here, although it's possible. More likely to be a bug in Snapcast (it's almost certainly not an issue in the Linux kernel).

Moreover, this general problem (i.e. configuring listening interfaces) is not/should not be different between IPv4 and IPv6. So introducing IPv6 should notâ„¢ incur any additional risk at this level.

But as said, it's hard to get more concrete without knowing exactly what happened in your case.

link
jeroenhd 69 days ago
Localhost doesn't appear on autodiscovery. Whatever you ran into had nothing to do with IPv6, but rather with your application not binding to the address you were telling it to bind to. On IPv6, localhost binds to ::1, not anything reachable by any other address. Furthermore, whatever you set up automatically seems to have added itself to your server's firewall, which is equally troubling.
link
QuercusMax 69 days ago
The address my clients were finding automatically was a link-local address (fe80...). Can't say exactly what happened but it was very surprising since I didn't even know these addresses existed.

I'm sure it's totally my fault but that's the point: folks who know how ipv4 works may have huge blind spots for ipv6.

link