Using IPV6_PROTECTION_LEVEL (Compact 2013)
3/26/2014
The IPV6_PROTECTION_LEVEL socket option enables developers to place access restrictions on IPv6 sockets. Such restrictions enable an application running on a private LAN to simply and robustly harden itself against external attacks. The IPV6_PROTECTION_LEVEL socket option widens or narrows the scope of a listening socket, enabling unrestricted access from public and private users when appropriate, or restricting access only to the same site, as required.
IPV6_PROTECTION_LEVEL currently has three defined protection levels:

| Protection level | Description |
|---|---|
| PROTECTION_LEVEL_RESTRICTED | Used by intranet applications that do not implement Internet scenarios. These applications are generally not tested or hardened against Internet-style attacks. |
| PROTECTION_LEVEL_DEFAULT | The default socket protection level. |
| PROTECTION_LEVEL_UNRESTRICTED | Used by applications designed to operate across the Internet, including applications taking advantage of the IPv6 NAT traversal capabilities built into Windows. Traffic reaching these applications may bypass IPv4 firewalls, so they must be hardened against Internet attacks directed at the opened port. |
The following code example provides the defined values for each (the original comments were missing their closing `*/`, which is corrected here):

```c
#define PROTECTION_LEVEL_RESTRICTED   10 /* for intranet apps */
#define PROTECTION_LEVEL_DEFAULT      20 /* default level */
#define PROTECTION_LEVEL_UNRESTRICTED 30 /* for peer-to-peer apps */
```
These values are mutually exclusive and cannot be combined in a single setsockopt call. Other values for this socket option are reserved. The protection levels apply only to incoming connections; setting this socket option has no effect on outbound packets or connections.
Note

The IPV6_PROTECTION_LEVEL socket option should be set before the socket is bound. Otherwise, packets received between the bind and setsockopt calls are subject only to PROTECTION_LEVEL_DEFAULT and may be delivered to the application, so the window between the two calls is an unprotected one.
The following table describes the effect of applying each protection level to a listening socket. A Yes entry means incoming traffic of that kind is delivered to the socket; a No entry means it is refused.

| Protection level | Same site | External | NAT traversal |
|---|---|---|---|
| PROTECTION_LEVEL_RESTRICTED | Yes | No | No |
| PROTECTION_LEVEL_DEFAULT | Yes | Yes | No |
| PROTECTION_LEVEL_UNRESTRICTED | Yes | Yes | Yes |
In the table above, the Same site column is a combination of the following:
- Link local addresses
- Global addresses known to belong to the same site (matching the site prefix table)
When incoming packets or connections are refused due to the set protection level, rejection is handled as if no application was listening on that socket.
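The following C program is an added example written for this page; it is not code from the Windows Embedded Compact documentation or SDK. It shows the two points a practitioner has to get right: the setsockopt call goes between socket() and bind() (the hypothetical helper `open_hardened_listener`, compiled only on Windows, uses the standard ws2tcpip.h socket/setsockopt/bind/listen sequence), and what "same site" actually covers, modelled by `is_same_site`, which treats an address as same-site when it is link-local (fe80::/10) or falls under an entry of a site prefix table. The site prefix table and the sample source addresses are constructed for the example (2001:db8::/32 is the documentation range); a real host's table comes from its IPv6 stack configuration. `incoming_permitted` restates the permission table above as a predicate and only models the three documented levels.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>   /* IPV6_PROTECTION_LEVEL, PROTECTION_LEVEL_*, inet_pton */
#pragma comment(lib, "ws2_32.lib")
#else
#include <arpa/inet.h>  /* inet_pton for the address-classification helper only */
#include <netinet/in.h>
#endif

/* Values as listed on this page; ws2ipdef.h already defines them on Windows. */
#ifndef PROTECTION_LEVEL_RESTRICTED
#define PROTECTION_LEVEL_RESTRICTED   10
#define PROTECTION_LEVEL_DEFAULT      20
#define PROTECTION_LEVEL_UNRESTRICTED 30
#endif

/* Constructed stand-in for the host's site prefix table (an assumption made for
   this example; the real table is part of the IPv6 stack configuration). */
static const char *const SITE_PREFIXES[] = { "2001:db8:ab::/48" };
#define SITE_PREFIX_COUNT (sizeof SITE_PREFIXES / sizeof SITE_PREFIXES[0])

/* True when the first `bits` bits of a and p are equal (0 <= bits <= 128). */
static int prefix_match(const struct in6_addr *a, const struct in6_addr *p, int bits)
{
    int full = bits / 8, rem = bits % 8;
    if (memcmp(a->s6_addr, p->s6_addr, (size_t)full) != 0) return 0;
    if (rem == 0) return 1;
    unsigned char mask = (unsigned char)(0xFFu << (8 - rem));
    return (a->s6_addr[full] & mask) == (p->s6_addr[full] & mask);
}

/* "Same site" as the page defines it: link-local (fe80::/10) or a global
   address covered by an entry of the site prefix table ("prefix/len" strings). */
int is_same_site(const char *src, const char *const *prefixes, size_t n)
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, src, &a) != 1) return 0;   /* unparsable: not same-site */
    if (a.s6_addr[0] == 0xfe && (a.s6_addr[1] & 0xc0) == 0x80) return 1;
    for (size_t i = 0; i < n; i++) {
        const char *slash = strchr(prefixes[i], '/');
        size_t len = slash ? (size_t)(slash - prefixes[i]) : 0;
        char buf[INET6_ADDRSTRLEN];
        struct in6_addr p;
        int bits;
        if (!slash || len >= sizeof buf) continue;     /* malformed entry: skip it */
        memcpy(buf, prefixes[i], len);
        buf[len] = '\0';
        bits = atoi(slash + 1);
        if (bits < 0 || bits > 128 || inet_pton(AF_INET6, buf, &p) != 1) continue;
        if (prefix_match(&a, &p, bits)) return 1;
    }
    return 0;
}

/* The page's permission table as a predicate: same-site traffic is always
   delivered, external traffic needs DEFAULT or UNRESTRICTED, and traffic that
   arrives through NAT traversal needs UNRESTRICTED. */
int incoming_permitted(int level, int same_site, int via_nat_traversal)
{
    if (same_site) return 1;
    if (via_nat_traversal) return level == PROTECTION_LEVEL_UNRESTRICTED;
    return level == PROTECTION_LEVEL_DEFAULT || level == PROTECTION_LEVEL_UNRESTRICTED;
}

#ifdef _WIN32
/* Hypothetical helper: IPv6 TCP listener with the protection level applied
   before bind(), as the page's note requires. Returns INVALID_SOCKET on failure. */
SOCKET open_hardened_listener(unsigned short port, int level)
{
    struct sockaddr_in6 sa;
    SOCKET s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
    if (s == INVALID_SOCKET) return INVALID_SOCKET;
    if (setsockopt(s, IPPROTO_IPV6, IPV6_PROTECTION_LEVEL,
                   (const char *)&level, sizeof level) == SOCKET_ERROR) {
        closesocket(s);
        return INVALID_SOCKET;
    }
    memset(&sa, 0, sizeof sa);
    sa.sin6_family = AF_INET6;
    sa.sin6_addr = in6addr_any;
    sa.sin6_port = htons(port);
    if (bind(s, (struct sockaddr *)&sa, sizeof sa) == SOCKET_ERROR ||
        listen(s, SOMAXCONN) == SOCKET_ERROR) {
        closesocket(s);
        return INVALID_SOCKET;
    }
    return s;
}
#endif

int main(void)
{
    /* Constructed sample sources: link-local, in-table global, out-of-table global. */
    static const char *const samples[] = { "fe80::1", "2001:db8:ab:1::5", "2001:db8:ff::9" };
    static const int levels[] = { PROTECTION_LEVEL_RESTRICTED, PROTECTION_LEVEL_DEFAULT,
                                  PROTECTION_LEVEL_UNRESTRICTED };
#ifdef _WIN32
    WSADATA wsd;
    if (WSAStartup(MAKEWORD(2, 2), &wsd) != 0) return 1;
    SOCKET s = open_hardened_listener(8080, PROTECTION_LEVEL_RESTRICTED);
    printf("listener: %s\n", s == INVALID_SOCKET ? "failed" : "intranet-only, ready");
    if (s != INVALID_SOCKET) closesocket(s);
    WSACleanup();
#endif
    for (size_t i = 0; i < 3; i++) {
        int same = is_same_site(samples[i], SITE_PREFIXES, SITE_PREFIX_COUNT);
        for (size_t j = 0; j < 3; j++)
            printf("%-18s same_site=%d level=%d permitted=%d\n", samples[i], same,
                   levels[j], incoming_permitted(levels[j], same, 0));
    }
    return 0;
}
```

Because the protection level is applied before bind(), there is no window in which a packet from outside the site can reach a PROTECTION_LEVEL_RESTRICTED listener under the default rules. On non-Windows builds only the classification helpers compile, which is enough to check how the site prefix table and the link-local rule interact.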