EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Automatic IPv6 vs IPv4 support

Posted: 03/29/2015 19:42:28
by Zoë Peterson (Priority Standard support level)
Joined: 05/24/2007
Posts: 23

Right now if you want to use IPv6 support in SBB (say, TElSimpleSSHClient), you must set UseIPv6 to true. To transparently handle both IPv4 and v6 connections, I'm creating a TElDNSSettings object, calling ResolveHostName(xxx, True), then checking the address family that's returned and setting UseIPv6 appropriately. Is that sufficient?

The Windows WSAConnectByName function, for example, converts the host name into a set of IP addresses and tries to connect to them in turn.


Web browsers do something similar with their "fast fallback" behavior.

Are there any plans to expand SBB with that behavior, is it unplanned but worth doing myself, or is it likely to be unnecessary? If I need to do it myself, would it be best to handle that outside SBB code, or as a patch to TElSimpleSSHClient or TElSocket?

Posted: 03/30/2015 02:52:29
by Alexander Ionov (Team)

Thank you for contacting us.

Actually, the SecureBlackbox components are supposed to handle IPv6 addresses in an automatic manner. I.e., the following scenario is used when you set the IPv6 property to true:

  • Checks if IPv6 support is available on the local system
  • Resolves the target host name to get an IPv6 address
  • If both conditions apply, the component attempts to connect using the IPv6 address, and in this case, after a successful connection, its property UsingIPv6 will be True
  • If any of the conditions above does not apply, the IPv4 address is used

If you set the LocalAddress property, this address determines which address family will be used for the connection. I.e., if you assign an IPv4 address to this property, only IPv4 will be used to connect to the target host, even if all other conditions apply.

Please note, if the component fails to connect to the host's IPv6 address, it does not attempt to connect to its IPv4 address but raises a connection error exception.

Best regards,
Alexander Ionov

Posted: 03/30/2015 09:18:01
by Zoë Peterson (Priority Standard support level)
Joined: 05/24/2007
Posts: 23

Thanks Alexander. If that's the case then why isn't UseIPv6 enabled by default?

Posted: 03/30/2015 13:51:53
by Alexander Ionov (Team)

We implemented IPv6 support several years ago, when these addresses were not very popular. So we disabled usage of IPv6 by default in order to make sure the developer knows what he or she is doing when he or she enables IPv6 addresses.

Best regards,
Alexander Ionov

Posted: 10/12/2015 12:11:51
by Zoë Peterson (Priority Standard support level)
Joined: 05/24/2007
Posts: 23

We finally have customers using this in the wild, and I've confirmed that SecureBlackBox's IPv6 implementation doesn't work if there are connectivity issues.

We have IPv6 enabled on the internal network, so I have a link-local IPv6 address, but only an IPv4 connection to the outside. On Windows "ftp.wireshark.org" will resolve to an IPv6 address anyway. Using the SimpleFTPSDemo, if I set UseIPv6 to true and try to connect to ftp.wireshark.org, it uses IPv6 and the connection fails immediately with WSAEHOSTUNREACH. I, or our customers, have also encountered WSAENETUNREACH and WSAEADDRNOTAVAIL.

It looks like this got added to the feature request list as:


The way that's worded is incorrect though. It should be trying to connect to multiple ones simultaneously, without waiting for a full read timeout on the first one. The behavior is covered by RFC 6555 (Happy Eyeballs: Success with Dual-Stack Hosts).

Windows implements a simpler version (RFC 3484) through WSAConnectByName. OS X has it implemented using CFSocketStream, but I don't think they have anything on a lower level aside from tweaks to how getaddrinfo sorts its return values. Firefox and Chrome have their own internal versions.

To expand on my questions from the original post:

1) Are there any plans to expand SBB with that behavior reasonably soon?

2) If I need to do it myself, would it be best to handle that outside SBB code, or through modifications to TElSocket (or something higher level)?

3) If I need to patch TElSocket, is there anything I can/should do to make such a patch more likely to be accepted upstream?

Posted: 10/12/2015 12:48:57
by Eugene Mayevski (Team)

As you can see, the question is not too popular among developers so there are no plans to implement anything unless someone is ready to pay for this development as a custom work.

You would need to do quite heavy modification of the socket class to have this stuff work. I am afraid that even for one platform the modification would require complete rewriting of several connection-related methods - you would need to allocate several sockets, start connecting with them, then check their state in a loop, and when some socket is connected, you must *properly* shut down the rest of the sockets. This is a lot of work (maybe a week full-time).

Sincerely yours
Eugene Mayevski
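
The connection race discussed in this thread (several sockets started in turn, polled in a loop, first one connected wins, the rest closed) can be illustrated outside SecureBlackbox. The following Python code is an added example, not EldoS code or code from any poster; `connect_first`, `stagger` and `timeout` are names and defaults chosen here, and it is a simplified take on the RFC 6555 idea rather than a full implementation of it.

```python
import errno, selectors, socket, time

IN_PROGRESS = (0, errno.EINPROGRESS, errno.EWOULDBLOCK)

def connect_first(candidates, stagger=0.25, timeout=5.0):
    """candidates: (family, sockaddr) pairs in preference order, e.g. built from
    socket.getaddrinfo(). Returns (connected_socket, sockaddr) for the winner."""
    sel, pending, errors = selectors.DefaultSelector(), list(candidates), []
    deadline, next_start = time.monotonic() + timeout, 0.0
    try:
        while (pending or sel.get_map()) and time.monotonic() < deadline:
            now = time.monotonic()
            # Launch the next candidate once the stagger delay has passed, or
            # at once if nothing is in flight (the previous attempt failed fast).
            if pending and (now >= next_start or not sel.get_map()):
                family, addr = pending.pop(0)
                s = None
                try:
                    s = socket.socket(family, socket.SOCK_STREAM)
                    s.setblocking(False)
                    rc = s.connect_ex(addr)
                except OSError as exc:  # e.g. address family not supported
                    rc = exc.errno or -1
                if rc not in IN_PROGRESS:  # immediate failure, e.g. ENETUNREACH
                    errors.append((addr, rc))
                    if s is not None:
                        s.close()
                    continue
                sel.register(s, selectors.EVENT_WRITE, addr)
                next_start = now + stagger
            wake = min(next_start, deadline) if pending else deadline
            for key, _ in sel.select(max(wake - time.monotonic(), 0)):
                sel.unregister(key.fileobj)
                err = key.fileobj.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
                if err == 0:  # first socket to finish its handshake wins
                    key.fileobj.setblocking(True)
                    return key.fileobj, key.data
                errors.append((key.data, err))
                key.fileobj.close()
        raise OSError(f"no candidate connected: {errors}")
    finally:
        # Close every losing attempt still in flight so no socket leaks.
        for key in list(sel.get_map().values()):
            sel.unregister(key.fileobj)
            key.fileobj.close()
        sel.close()
```

An IPv6 candidate that fails with an unreachable-network or unreachable-host error is recorded and skipped, so the IPv4 candidate is still tried instead of the whole connection failing.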




As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.
