Ipv6 for the content provider

Owen DeLong owen at delong.com
Wed Jan 26 18:49:33 CST 2011


On Jan 26, 2011, at 3:13 PM, Valdis.Kletnieks at vt.edu wrote:

> On Wed, 26 Jan 2011 12:56:01 -1000, Antonio Querubin said:
>> On Wed, 26 Jan 2011, Owen DeLong wrote:
>> 
>>>> Listen a.b.c.d:80         ->  Listen 80
>>>> <Virtualhost a.b.c.d:80>  ->  <Virtualhost *:80>
>>>> 
>>> That only works if you have only one address on the machine and.
>> 
>> Actually it works fine on machines with multiple IP addresses for both 
>> FreeBSD and CentOS.  And IPv6 enabled servers can easily have multiple 
>> IPv6 addresses.
> 
> What Owen meant was that if you expect it to answer *only* for a.b.c.d:80,
> and *not* to answer for other addresses/interfaces, you may be in for a
> surprise (consider a DMZ host where you have:
> 
> outside world -  128.257.12.2
> inside facing - 192.168.149.149
> 
> VirtualHost 198.168.149.149:80 # super-sekrit corporate internal site
> 
> Changing that VirtualHost to *:80 will probably cause some grief. ;)

Exactly... That is one of MANY examples of the kind of potential
for abuse I was attempting to describe.

Admittedly, if you put your Super-sekrit corporate internal site on a
DMZ host, you arguably deserve what happens, but...

Owen





More information about the NANOG mailing list