because of the difference in http server in handling IPv4 mapped address (IPv4 traffic goes into the system into AF_INET6 socket), the peer's address passed by $REMOTE_ADDR to CGI script can vary between the http server. some http server would pass IPv4 mapped address as is (::ffff:10.1.1.1), and some http server would pass IPv4 mapped address converted into IPv4 address (10.1.1.1). this complexity could confuse CGI program writers and could open up vulnerability if CGI program uses $REMOTE_ADDR for authentication. solution: do not accept IPv4 traffic by using AF_INET6 socket. use AF_INET socket (http server should listen to AF_INET and AF_INET6 socket explicitly). draft-cmetz-v6ops-v4mapped-api-harmful-01.txt talks more about this issue. itojun
