eBPF Mystery: When is IPv4 not IPv4? When it's pretending to be IPv6

https://blog.gripdev.xyz/2025/05/06/ebpf-mystery-when-is-ipv4-not-ipv4-when-its-ipv6/

80•tanelpoder•10h ago

Comments

degamad•9h ago

I think of that as the opposite - an IPv6 socket pretending to be IPv4 in order to route to an IPv4 endpoint.

ignoramous•3h ago

Depends on the vantage point: For a firewall that's ip4 hiding in ip6. For a router, that's ip6 accomodating ip4.

smitty1e•9h ago

In a similar fashion, I once saw a python script that called out to a one-page C program that read a .csv dump (probably from SQLServer) and blew away the upper byte of each character, demoting it to ASCII.

Once I understood what was afoot, I was sad that someone had worked so hard when python's open() call supports an 'encoding' argument for just these occasions.

bouke•9h ago

Reminds me of a time where someone stored the md5 hash of a password as a string by throwing away all non-ascii bytes; so roughly half the bytes.

o11c•8h ago

I've seen something similar, but it depended on whether plain `char` is signed or unsigned, which is highly platform-dependent.

spiritplumber•8h ago

that's the first thing i ever uploaded anywhere! fixtxt.exe on simtel.net

imoverclocked•7h ago

If you think that's wild, just wait until you learn about 6to4 [1] (not to be confused with 6over4 [2] ...)

TL;DR: Given a globally unique IPv4 address, you can create automatic tunneling IPv6 networks with the IPv4 address embedded into the IPv6 address space.

[1] https://en.wikipedia.org/wiki/6to4

[2] https://en.wikipedia.org/wiki/6over4

Sesse__•6h ago

And for a short while, it was the most common use of IPv6 on the public Internet! Now largely dead and gone.

zzq1015•5h ago

It's a mess when you learn there are also 6in4, 6rd and teredo...

jeroenhd•4h ago

Out of all of those, 6rd is actually a success, though 6rd is built on top of 6to4. Funnily enough, the first ISP to apply 6rd has actually inverted its network and is now using 4rd to provide IPv4 to some of its customers.

Not just that, but also 4in6 (IPv4 in modern networks) and 4over6 (an extension to DS-Lite), and don't forget 6in4 being called SIT in an early draft, followed by SIIT being used in another protocol with a similar purpose (though that's more of a "Linux kept the old name around while everyone else moved on" problem).

Like most actually-used transition mechanisms, 6rd the result of someone inventing a transition strategy for a very specific use case, a company with that use case actually using that solution, and followed by standardization for good measure.

6to4 has been disabled for a few in Windows and has been disabled by default in Windows 11 since release, so in practice you probably won't see it outside of legacy networks and the routing systems designed to support 6rd or legacy networks.

Teredo was a weird Microsoft thing (like so many other network protocols) that could've replaced stupid shit like STUN and TURN had it been used. I'm pretty sure only Microsoft ever bothered to host Teredo servers to the mainstream. It would've been nice to live in a world where STUN and TURN worked for any protocol without having to set up your own servers rather than just supporting UDP and the server of an ad company (like we use today).

6in4 was a naive attempt at making the transition to IPv6 possible in the very early days (1996). It's the response to all of the "what if we just added a bunch of bits to IPv4" suggestion, and it turns out that nobody who says that actually seriously cares about supporting IPv6.

gitroom•7h ago

pretty cool seeing all the stuff people do to make networks talk, honestly makes me wonder - you think stuff like this sticks around because of habit or just taking shortcuts sometimes

dilfish•6h ago

I learnt this when using net.ListenTCP in Go, if you use lsof to show the network type, it would be IPv6. But it could also handle IPv4 requests.

IcePic•6h ago

I think OpenBSD (and other OSes) that do not allow v4 on v6 sockets might be on to something. It was felt convenient for application programmers to only have to listen to one socket for two protocols, but then code after needs to make very sure they know how to handle both families in the correct way for logging and so on, and now much later on it confuses someone that has to dig very deep into why the v4-box talks v4 without using v4.

Could be an indication that in the long run, just forcing applications that need both protocols to have separation so you are sure of what they are doing was the correct choice.

nsteel•3h ago

In my personal experience, OpenBSD going against the RFC and being different to everyone else has made more headaches for me.

eqvinox•3h ago

> OpenBSD (and other OSes)

are there actually other OSes doing this?

(- by default?)

zzq1015•5h ago

For Linux, there's a kernel setting for that.

Just run

  sysctl -w net.ipv6.bindv6only=1

so IPv6 will not include IPv4-mapped addresses.

https://www.kernel.org/doc/Documentation/networking/ip-sysct...

majke•5h ago

usually better to set IPV6_V6ONLY in the application itself.

eqvinox•3h ago

This affects -to my best knowledge- only bind()ing, not outgoing connect()ing. As the name implies, really.

(I should try this, not entirely sure tbh.)

It won't help you though if the resolver library gives you a ::ffff:ma.p.p.ed address (yes they can do that), then you just fail to connect…

aaronmdjones•1h ago

I did try this. connect(2) with an IPv4-mapped IPv6 address on an AF_INET6 socket with IPV6_V6ONLY set on it fails.

Almondsetat•2h ago

>I thought I must have this wrong, surely you can’t just smash an ipv4 address in ipv6 field and magic happens?! Nope, didn’t have it wrong, that’s what happens. Linux supports this, and will go on to route the request as IPv4.

I mean... it's literally one of the officially defined unicast IPv6 address types. If you ever read the Wikipedia page to learn about what link-local, global unicast, etc. addresses are you surely would have seen it.

mfro•29m ago

Not everyone spends their days digging through networking specifications. I for one earned CCENT and CCNA certifications was entirely unaware of this mechanism.

French Power Price Plunges Below Zero as Solar Floods the Grid

System lets robots identify an object's properties through handling

Kids author Mo Willems and The Pigeon stare down the future in a new book

Simple Postgres to ClickHouse replication featuring MinIO

Measurements of molecular size and shape on a chip

Android 15 (Lineage Fork) Release for eInk Phone Hibreak Pro

You Can't Go Home Again

ALICE detects the conversion of lead into gold at the Large Hadron Collider

Apple Is Developing Specialized Chips for Glasses, New Macs and AI Servers

Updated rate limits for unauthenticated requests

NOAA says it will discontinue its billion-dollar disaster database

Pdf-segmented: Foreground segmentation with JBIG2 for improved PDF compression

Social Security Reform: Options to Raise Revenues

ClickHouse Data Cookbook: Aggregating Latest Values

"Yes, and " Urbanism

Arrow reborn: an all-Canadian EV aims to revolutionize industry

Users advised to review Oracle Java use as Big Red's year end approaches

Itter.sh – Micro-Blogging via Terminal

Show HN: ThotStream – An AI-Moderated Feed of Anonymous Human Thoughts

Conquering FidelityFX FSR4 – Enabling the Pretty Pixels on Linux

How common is independent discovery?

GDPR & Blockchain: At the intersection of data privacy and technology

Simultaneous Discoveries and Invention

Show HN: Hyper – Standards first React alternative

macOS Malware Development II

Ask HN: Monorepos for Data Engineers?

Dasung Paperlike 13K is a 13.3 inch E Ink color monitor

Wikidebates

Nintendo reserves the right to brick your console following "unauthorised use"

Honda Point Disaster