  1. Application Server 7
  2. AS7-4509

CLONE - Server starts without any problem or message even when the specification of IP address(es) is ambiguous


Details

    Description

      In the IPv6 world it is possible for two or more network interfaces to have the same IPv6 address. It is legal, and true especially in the link-local address scope.

      So if we configure 2 or more network interfaces with a manually defined IPv6 address (link-local prefix fe80::/10 is the best) and try to start up EAP like this:

      ./standalone.sh -Djava.net.preferIPv4Stack=false -b=fe80::200:ff:fe00:5 -bmanagement=fe80::200:ff:fe00:5 -c standalone-full.xml

      there isn't any warning message reported, nor any notice that this specification is ambiguous.

      I prefer in such a case to reject this specification as ambiguous (especially because there is a risk of accidentally opening an EAP instance to the world), refuse to start with an error message and exit immediately. Although this situation has its roots in an administrator mistake, it can become a very serious risk to the customer's data when it is overlooked for a while.

      Some case studies report that a plain clean MS Windows station is attacked within 10 minutes of its boot when it is directly connected to an unsecured Internet network without any firewall etc... my own personal experience is at least the same... - yes, it is dangerous to work in such an environment and situation on a server host directly connected to the Internet, but admins really do work like that...

      Anyway - the missing part of the specification needed for correct set-up in this case is the zone id identifier. When it is supplied, start-up is correct.

      Although this is really an edge case of using EAP and its configuration, it can accidentally expose the customer's sensitive data, so we should treat it very carefully.
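
      The start-up check requested above could look like the following sketch. It is an added example, not code from the issue or from Application Server 7; the class and method names are hypothetical, the eth0/eth1 interface table in main is constructed, and the zone id is assumed to be an interface name.

```java
import java.net.*;
import java.util.*;

public class BindAddressCheck {
    // Snapshot of the host's interfaces, for use at real start-up.
    static Map<String, List<InetAddress>> systemInterfaces() throws SocketException {
        Map<String, List<InetAddress>> m = new LinkedHashMap<>();
        for (NetworkInterface ni : Collections.list(NetworkInterface.getNetworkInterfaces()))
            m.put(ni.getName(), Collections.list(ni.getInetAddresses()));
        return m;
    }

    // Interfaces that carry exactly these address bytes (zone ignored).
    static List<String> owners(InetAddress bind, Map<String, List<InetAddress>> ifaces) {
        List<String> hits = new ArrayList<>();
        for (Map.Entry<String, List<InetAddress>> e : ifaces.entrySet())
            for (InetAddress a : e.getValue())
                if (Arrays.equals(a.getAddress(), bind.getAddress())) { hits.add(e.getKey()); break; }
        return hits;
    }

    // Returns the interface the bind spec resolves to (null if none), or throws when
    // a link-local address without a zone id is present on more than one interface.
    static String validate(String spec, Map<String, List<InetAddress>> ifaces)
            throws UnknownHostException {
        int pct = spec.indexOf('%');
        String zone = pct < 0 ? null : spec.substring(pct + 1);
        // Parse the literal without its zone so no interface lookup happens here.
        InetAddress bind = InetAddress.getByName(pct < 0 ? spec : spec.substring(0, pct));
        List<String> hits = owners(bind, ifaces);
        if (zone != null) {
            if (!hits.contains(zone))
                throw new IllegalArgumentException(spec + ": address not configured on " + zone);
            return zone;
        }
        if (bind.isLinkLocalAddress() && hits.size() > 1)
            throw new IllegalArgumentException(spec + " is ambiguous, present on " + hits
                    + "; add a zone id such as %" + hits.get(0));
        return hits.isEmpty() ? null : hits.get(0);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: two interfaces sharing one link-local address.
        InetAddress ll = InetAddress.getByName("fe80::200:ff:fe00:5");
        Map<String, List<InetAddress>> constructed = new LinkedHashMap<>();
        constructed.put("eth0", List.of(ll));
        constructed.put("eth1", List.of(ll));
        System.out.println("bound via " + validate("fe80::200:ff:fe00:5%eth1", constructed));
        try { validate("fe80::200:ff:fe00:5", constructed); }
        catch (IllegalArgumentException e) { System.out.println("refusing to start: " + e.getMessage()); }
    }
}
```

      Passing systemInterfaces() instead of the constructed table runs the same check against the live host before any socket is opened.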

            People

              bstansbe@redhat.com Brian Stansberry
              pjanouse@redhat.com Pavel Janousek