[jboss-jira] [JBoss JIRA] (AS7-4509) CLONE - Server start without any problem or message even specification of IP address(-s) is ambiguous

Richard Achmatowicz (JIRA) jira-events at lists.jboss.org
Tue Apr 17 13:19:18 EDT 2012


    [ https://issues.jboss.org/browse/AS7-4509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12685028#comment-12685028 ] 

Richard Achmatowicz commented on AS7-4509:
------------------------------------------

Hmm, on the one hand, in RFC 4007 (http://www.ietf.org/rfc/rfc4007.txt), they indicate on page 8 that:

{noformat}
As well as initially assigning zone indices, as specified above, an
   implementation should automatically select a default zone for each
   scope for which there is more than one choice, to be used whenever an
   address is specified without a zone index (or with a zone index of
   zero).  For instance, in the example shown in Figure 2, the
   implementation might automatically select intf2 and link2 as the
   default zones for each of those two scopes.  (One possible selection
   algorithm is to choose the first zone that includes an interface
   other than the loopback interface as the default for each scope.)  A
   means must also be provided to assign the default zone for a scope
   manually, overriding any automatic assignment.
{noformat}

So I would expect that coding <link-local-address> or <link-local-address>%0 would pick up that default zoneid. 

On the other hand, on my machine ping6:
- doesn't allow me to make use of a link-local address without a zone id 
{noformat}
[nrla@lenovo ~]$ ping6 fe80::f2de:f1ff:fe40:75b9
connect: Invalid argument
[nrla@lenovo ~]$ ping6 -I eth0 fe80::f2de:f1ff:fe40:75b9
PING fe80::f2de:f1ff:fe40:75b9(fe80::f2de:f1ff:fe40:75b9) from fe80::f2de:f1ff:fe40:75b8 eth0: 56 data bytes
...
^C
--- fe80::f2de:f1ff:fe40:75b9 ping statistics ---
5 packets transmitted, 0 received, +4 errors, 100% packet loss, time 4000ms
[nrla@lenovo ~]$ ping6 fe80::f2de:f1ff:fe40:75b9%2
PING fe80::f2de:f1ff:fe40:75b9%2(fe80::f2de:f1ff:fe40:75b9) 56 data bytes
...
^C
--- fe80::f2de:f1ff:fe40:75b9%2 ping statistics ---
5 packets transmitted, 0 received, +4 errors, 100% packet loss, time 4000ms
{noformat}

- doesn't accept the %0 usage
{noformat}
[nrla@lenovo ~]$ ping6 fe80::f2de:f1ff:fe40:75b9%0
connect: Invalid argument
{noformat}




                
> CLONE - Server start without any problem or message even specification of IP address(-s) is ambiguous
> -----------------------------------------------------------------------------------------------------
>
>                 Key: AS7-4509
>                 URL: https://issues.jboss.org/browse/AS7-4509
>             Project: Application Server 7
>          Issue Type: Bug
>          Components: Domain Management
>    Affects Versions: 7.1.1.Final
>            Reporter: Pavel Janousek
>            Assignee: Brian Stansberry
>              Labels: eap6_ipv6
>             Fix For: 7.1.2.Final-redhat1
>
>
> In the IPv6 world it is possible for two or more network interfaces to have the same IPv6 address. This is legal, and true especially in the link-local address scope.
> So if we configure 2 or more network interfaces with a manually defined IPv6 address (link-local prefix fe80::/10 is the best) and try to start up EAP like this:
> {code}
> ./standalone.sh -Djava.net.preferIPv4Stack=false -b=fe80::200:ff:fe00:5 -bmanagement=fe80::200:ff:fe00:5 -c standalone-full.xml
> {code}
> there isn't *any* warning message reported, nor any notice that this specification is ambiguous.
> In such a case I prefer to reject this specification as ambiguous (especially because there is a risk of accidentally opening an EAP instance to the world), refuse to start with an error message and exit immediately. Although this situation has its roots in an administrator's mistake, it can become a very hard risk to the customer's data when it is overlooked for a while. (*)
> (*) Some case studies report that a blind clear MS Windows station is attacked up to 10 minutes from its boot when it is directly connected to an unsecure Internet network without any firewall etc... my own personal experience is at least the same... - yes, it is dangerous to work in such an environment and situation on a server host directly connected to the Internet, but admins really do work like that...
> Anyway - the missing part of the specification needed for correct set-up in this case is the *zone id* identifier. When it is supplied, start-up is correct.
> Although this is really an +edge case+ of using EAP and its configuration, it can accidentally expose the customer's sensitive data, so we should treat it very carefully.
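
The rejection the issue asks for, as an added example that is not part of the original message and is not JBoss AS code: a bind specification is resolved against an interface inventory and refused when it matches several interfaces and carries no zone id (or `%0`, which the RFC 4007 passage quoted above treats as "use the default zone"). The inventory contents, `resolve_bind_interface` and `AmbiguousBindAddress` are hypothetical names and constructed values.

```python
import ipaddress

# Constructed sample inventory: interface name -> (zone index, assigned addresses).
# Two interfaces carry the same manually configured link-local address.
SAMPLE_INTERFACES = {
    "lo":   (1, ["::1"]),
    "eth0": (2, ["fe80::200:ff:fe00:5", "2001:db8::10"]),
    "eth1": (3, ["fe80::200:ff:fe00:5"]),
}


class AmbiguousBindAddress(ValueError):
    """The address matches several interfaces and no zone id selects one."""


def resolve_bind_interface(spec, interfaces):
    """Return the single interface a bind spec ('addr' or 'addr%zone') names.

    Raises AmbiguousBindAddress instead of silently picking an interface.
    """
    addr_text, _, zone = spec.partition("%")
    addr = ipaddress.ip_address(addr_text)  # ValueError on malformed input
    owners = sorted(
        name for name, (_, addrs) in interfaces.items()
        if any(ipaddress.ip_address(a) == addr for a in addrs)
    )
    if not owners:
        raise ValueError(f"{addr} is not assigned to any interface")

    # A missing zone index and a zone index of zero both mean "default zone",
    # so neither one disambiguates between several owning interfaces.
    if zone in ("", "0"):
        if len(owners) > 1:
            raise AmbiguousBindAddress(
                f"{addr} is assigned to {', '.join(owners)}; "
                f"add a zone id, e.g. {addr}%{owners[0]}"
            )
        return owners[0]

    # A zone id may be given as an interface name or as its numeric index.
    selected = [n for n in owners if zone in (n, str(interfaces[n][0]))]
    if not selected:
        raise ValueError(f"zone {zone!r} does not carry {addr}")
    return selected[0]
```

A start-up script would call this for each `-b` and `-bmanagement` value and exit with the error message when `AmbiguousBindAddress` is raised.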
