IPv6: Why are IPv4-mapped addresses a security risk?

Question

The OpenBSD manual states:

For security reasons, OpenBSD does not route IPv4 traffic to an AF_INET6 socket, and does not support IPv4 mapped addresses, where IPv4 traffic is seen as if it comes from an IPv6 address like ::ffff:10.1.1.1. Where both IPv4 and IPv6 traffic need to be accepted, listen on two sockets.

However, there is no explanation concerning these "security reasons." What are they? I can't think of any security problems related to that mapping.

Answer 1

I don't know specifically what motivation OpenBSD used, but I know of at least one problem that can be a security concern, namely ACLs and specifically black lists.

Ponder that you have an incoming connection from 10.1.1.1. This address is blacklisted in your ACL, and thus you refuse the connection. But if you're using a mapped address, it will instead appear to come from ::ffff:10.1.1.1. Your blacklist might not be able to catch this and might let the connection through.

This can be solved with application logic, and since using a single socket might simplify the code, I personally believe OpenBSD's decision is unfortunate. It's possible to default v4mapped to off but allow it to be enabled via setsockopt.

They might have had more concerns though that I'm not aware of.

Answer 2

As far as I know the main reason is to keep the IPv4 and IPv6 stacks separate. It's the hacks necessary to handle packets coming in on one stack but being handled by the other that cause the security risks.