moby: EXPOSE and publish need to behave similarly with IPv4 and IPv6 [Security design failure]

Right now, the following appears to be the current situation given docker’s current state of implementation:

When using IPv4: (EDIT: Apparently an INCORRECT statement: Only ports EXPOSE’d are reachable by any other containers. This means random small programs inadvertently opening ports in a container aren’t much of a problem. - Correction: EXPOSE only adds metadata, and ports are reachable anyway if you really want to, even when not exposed) Only ports -p/--publish’d are reachable by the outside world. This means any container having an unsecured plain-text and possibly password-lacking backend that is not EXPOSE’d is safely protected and cannot be reached directly from the outside world.

When enabling IPv6 support: Suddenly, any sort of [::0] listen on any container is immediately reachable from everywhere in the world. (Correct me if this is wrong. I haven’t had the chance to test this myself because of IPv6 configuration problems at my hosting provider, so I’ve had to rely on information provided by other docker users and developers. If I’m putting a factually incorrect statement out with this, I’m sorry and I’ll be happy to immediately retract this ticket.)

This behavior difference is absolutely insane. It needs to be changed. You are asking for users to get into trouble.

To make a more constructive remark: one solution would be to introduce an explicit docker run switch to make a container globally reachable on an opt-in basis, and in the absence of that switch docker should default to writing ip6tables rules that drop all incoming connections to any container’s global IPv6 addresses on non-published ports.
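As an added example (not the issue author's code and not anything shipped by Docker), the following POSIX shell script generates the ip6tables rules that the proposed default would amount to: traffic the host forwards into the container subnet is dropped unless it is a reply to a connection a container opened itself or it targets a port the operator explicitly published. The container subnet (an RFC 3849 documentation prefix), the bridge interface name and the port list are placeholder assumptions; the script only prints the rules, it does not apply them.

```shell
#!/bin/sh
# Added example: emit ip6tables rules that make a Docker IPv6 subnet behave
# like the IPv4 default, i.e. only published ports are reachable from outside.
# Subnet, bridge name and port list are placeholders supplied by the caller.

# Usage: gen_ip6_filter_rules <container-subnet> <bridge-if> [proto:port ...]
gen_ip6_filter_rules() {
    subnet="$1"
    bridge="$2"
    shift 2
    # Replies to connections the containers themselves initiated stay allowed.
    echo "ip6tables -A FORWARD -o $bridge -d $subnet -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # One ACCEPT per published port, each given as proto:port (e.g. tcp:443).
    for spec in "$@"; do
        proto="${spec%%:*}"
        port="${spec#*:}"
        case "$proto" in
            tcp|udp) ;;
            *) echo "unsupported port spec: $spec" >&2; return 1 ;;
        esac
        echo "ip6tables -A FORWARD -o $bridge -d $subnet -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else heading into the subnet is dropped, so an accidental
    # [::] listener inside a container is not reachable from the internet.
    echo "ip6tables -A FORWARD -o $bridge -d $subnet -j DROP"
}

# Sample invocation with a constructed documentation subnet and two published
# ports; pipe the output through "sh" as root to actually apply the rules.
gen_ip6_filter_rules 2001:db8:1::/64 docker0 tcp:80 tcp:443
```

The rules are emitted with `-A` (append) for readability; on a host where Docker already manages the FORWARD chain you would insert them ahead of Docker's own jump, or put them in the DOCKER-USER chain where the daemon provides one for ip6tables, so that they are evaluated before any rule Docker adds. A UDP port is published the same way with a `udp:port` spec, and the per-port rules are restricted to `--ctstate NEW` so the catch-all DROP never interferes with replies on established flows.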

About this issue

  • State: open
  • Created 8 years ago
  • Reactions: 4
  • Comments: 19 (2 by maintainers)

Most upvoted comments

You don’t get to have it both ways: either you need IPv6, in which case you use IPv6, or you don’t need IPv6, in which case you use IPv4. Trying to use IPv6 like it’s IPv4 is pointless – you have a protocol that behaves like IPv4 already – IT’S CALLED IPv4!

@mpalmer I don’t know why we are having this discussion. It should be obvious that IPv4 is being faded out, no? It isn’t that unreasonable to assume that at some point not that far into the future IPv4-only will be useless, at least if you want to connect to the internet. For some odd reason you seem to assume people only enable IPv6 for different features but some of us just want services to remain reachable in a changing world. (and therefore are worried docker supports this use case only “meh” out-of-the-box)

Anyway, we’re going in circles so it’s probably best if I stop.

I’ve created docker-ipv6nat to address this issue. It makes Docker IPv6 behave just like IPv4; give containers non-routable IPv6 addresses, use published ports to open up services to the outside world, get correct IPv6 source addresses within your containers. It all works just as you know/expect from IPv4.

Just a practical solution until Docker will have proper support for IPv6 with published ports.