Handling IPv4 using IPv6
Contents
Handling IPv4 by an IPv6-only Application
I was surprised to find out that my Apache web server was not listening to IPv4 addresses on my server, but at the same time still serving requests to its IPv4 address.
Telltales
# netstat -l -f inet ; netstat -l -f inet6 Proto Recv-Q Send-Q Local Address Foreign Address (state) tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN tcp 0 0 145.99.1.69:53 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:40150 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN tcp6 0 0 :::80 :::* LISTEN tcp6 0 0 :::53 :::* LISTEN tcp6 0 0 :::22 :::* LISTEN tcp6 0 0 :::443 :::* LISTEN
# lsof -n | grep apache | grep LISTEN COMMAND PID USER FD TYPE NAME apache2 7443 www-data 4u IPv6 TCP *:www (LISTEN) apache2 7443 www-data 6u IPv6 TCP *:https (LISTEN) apache2 7445 www-data 4u IPv6 TCP *:www (LISTEN) apache2 7445 www-data 6u IPv6 TCP *:https (LISTEN) apache2 7446 www-data 4u IPv6 TCP *:www (LISTEN) apache2 7446 www-data 6u IPv6 TCP *:https (LISTEN)
# tcpdump 10:47:13.410355 IP client.example.org.57798 > www.example.nl.www: S 2868586753:2868586753(0) win 65535 <mss 1452,nop,wscale 3,nop,nop,timestamp 505229578 0,sackOK,eol> 10:47:13.410498 IP www.example.nl.www > client.example.org.57798: S 2583941767:2583941767(0) ack 2868586754 win 5792 <mss 1460,sackOK,timestamp 4202865811 505229578,nop,wscale 5> 10:47:13.427075 IP client.example.org.57798 > www.example.nl.www: . ack 1 win 65535 <nop,nop,timestamp 505229578 4202865811> 10:47:13.428135 IP client.example.org.57798 > www.example.nl.www: P 1:725(724) ack 1 win 65535 <nop,nop,timestamp 505229578 4202865811> 10:47:13.428226 IP www.example.nl.www > client.example.org.57798: . ack 725 win 227 <nop,nop,timestamp 4202865816 505229578> 10:47:13.431067 IP www.example.nl.www > client.example.org.57798: P 1:351(350) ack 725 win 227 <nop,nop,timestamp 4202865816 505229578> 10:47:13.450924 IP client.example.org.57798 > www.example.nl.www: . ack 351 win 65535 <nop,nop,timestamp 505229578 4202865816> 10:47:28.435177 IP www.example.nl.www > client.example.org.57798: F 351:351(0) ack 725 win 227 <nop,nop,timestamp 4202869568 505229578> 10:47:28.452306 IP client.example.org.57798 > www.example.nl.www: . ack 352 win 65535 <nop,nop,timestamp 505229728 4202869568>
Explanation
The reason is explained at Apache Binding: Special IPv6 Considerations:
Handling IPv4 connections with an IPv6 socket uses IPv4-mapped IPv6 addresses, which are allowed by default on most platforms but are disallowed by default on FreeBSD, NetBSD, and OpenBSD [...]
This feature can be changed in Apache at compile time using the --enable-v4-mapped or --disable-v4-mapped configure option.
IPv4-Mapped Addresses
IPv4-mapped addresses are described in RFC4038:
Most implementations of dual stack allow IPv6-only applications to interoperate with both IPv4 and IPv6 nodes. IPv4 packets going to IPv6 applications on a dual-stack node reach their destination because their addresses are mapped by using IPv4-mapped IPv6 addresses: the IPv6 address ::FFFF:x.y.z.w represents the IPv4 address x.y.z.w.
+----------------------------------------------+ | +------------------------------------------+ | | | | | | | IPv6-only applications | | | | | | | +------------------------------------------+ | | | | | +------------------------------------------+ | | | | | | | TCP / UDP / others (SCTP, DCCP, etc.) | | | | | | | +------------------------------------------+ | | IPv4-mapped | | IPv6 | | IPv6 addresses | | addresses | | +--------------------+ +-------------------+ | | | IPv4 | | IPv6 | | | +--------------------+ +-------------------+ | | IPv4 | | | | addresses | | | +--------------|-----------------|-------------+ | | IPv4 packets IPv6 packets