Using IPV6_PROTECTION_LEVEL

A version of this page is also available for Windows Embedded CE 6.0 R3

4/8/2010

The IPV6_PROTECTION_LEVEL socket option enables developers to place access restrictions on IPv6 sockets. Such restrictions enable an application running on a private LAN to simply and robustly harden itself against external attacks. The IPV6_PROTECTION_LEVEL socket option widens or narrows the scope of a listening socket, enabling unrestricted access from public and private users when appropriate, or restricting access only to the same site, as required.

IPV6_PROTECTION_LEVEL currently has three defined protection levels:

Protection level / Description

PROTECTION_LEVEL_RESTRICTED
    Used by intranet applications that do not implement Internet scenarios. These applications are generally not tested or hardened against Internet-style attacks.

PROTECTION_LEVEL_DEFAULT
    The default socket protection level.

PROTECTION_LEVEL_UNRESTRICTED
    Used by applications designed to operate across the Internet, including applications taking advantage of IPv6 NAT traversal capabilities built into Windows. These applications may bypass IPv4 firewalls, so applications must be hardened against Internet attacks directed at the opened port.

The following code example provides the defined values for each:

#define PROTECTION_LEVEL_RESTRICTED    10  /* for Intranet apps      */
#define PROTECTION_LEVEL_DEFAULT       20  /* default level          */
#define PROTECTION_LEVEL_UNRESTRICTED  30  /* for peer-to-peer apps  */

These values are mutually exclusive and cannot be combined in a single setsockopt function call. Other values for this socket option are reserved. These protection levels apply only to incoming connections; setting this socket option has no effect on outbound packets or connections.

Note

The IPV6_PROTECTION_LEVEL socket option should be set before the socket is bound. Otherwise, packets received between the bind and setsockopt calls are handled at PROTECTION_LEVEL_DEFAULT and may be delivered to the application.

The following table describes the effect of applying each protection level to a listening socket: Yes means incoming traffic from that source is delivered to the socket, No means it is refused.

Protection level               Same site   External   NAT traversal (Teredo)
PROTECTION_LEVEL_RESTRICTED    Yes         No         No
PROTECTION_LEVEL_DEFAULT       Yes         Yes        No
PROTECTION_LEVEL_UNRESTRICTED  Yes         Yes        Yes

In the table above, the Same site column is a combination of the following:

  • Link local addresses
  • Global addresses known to belong to the same site (matching the site prefix table)

When incoming packets or connections are refused due to the set protection level, rejection is handled as if no application was listening on that socket.
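As an added illustration, not code from this page or from the Windows stack, the following C model encodes the permission table and the Same site definition above: link-local fe80::/10 and global addresses matching a site prefix table count as same site, Teredo 2001:0::/32 is the NAT traversal class, and everything else is external. It assumes one constructed site prefix table entry (2001:db8:1::/48) and treats reserved level values as admitting nothing.

```c
#include <stdint.h>
#include <string.h>

/* Values as defined on this page; an application passes one of them to
 * setsockopt(s, IPPROTO_IPV6, IPV6_PROTECTION_LEVEL, ...) before bind(). */
#define PROTECTION_LEVEL_RESTRICTED    10
#define PROTECTION_LEVEL_DEFAULT       20
#define PROTECTION_LEVEL_UNRESTRICTED  30

enum src_class { SRC_SAME_SITE, SRC_EXTERNAL, SRC_TEREDO };

/* Constructed site prefix table entry: one /48 assumed to belong to our site. */
static const uint8_t site_prefix[16] = { 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x01 };
static const int site_prefix_bits = 48;

/* True if the first `bits` bits of addr equal those of prefix. */
static int prefix_match(const uint8_t *addr, const uint8_t *prefix, int bits) {
    int full = bits / 8, rem = bits % 8;
    if (memcmp(addr, prefix, (size_t)full) != 0) return 0;
    if (rem == 0) return 1;
    uint8_t mask = (uint8_t)(0xffu << (8 - rem));
    return (addr[full] & mask) == (prefix[full] & mask);
}

/* Same site = link-local (fe80::/10) or a global address matching the site
 * prefix table; Teredo (2001:0::/32) is the NAT traversal column; the rest
 * is external. */
enum src_class classify_source(const uint8_t addr[16]) {
    static const uint8_t link_local[16] = { 0xfe, 0x80 };
    static const uint8_t teredo[16]     = { 0x20, 0x01, 0x00, 0x00 };
    if (prefix_match(addr, link_local, 10)) return SRC_SAME_SITE;
    if (prefix_match(addr, teredo, 32)) return SRC_TEREDO;
    if (prefix_match(addr, site_prefix, site_prefix_bits)) return SRC_SAME_SITE;
    return SRC_EXTERNAL;
}

/* 1 if a listening socket at `level` admits traffic from `addr`, 0 if it is
 * dropped as though nothing were listening. Reserved level values admit
 * nothing here; that is this model's assumption, not documented behaviour. */
int protection_level_permits(int level, const uint8_t addr[16]) {
    int unrestricted = level == PROTECTION_LEVEL_UNRESTRICTED;
    int deflt = level == PROTECTION_LEVEL_DEFAULT;
    switch (classify_source(addr)) {
    case SRC_SAME_SITE: return level == PROTECTION_LEVEL_RESTRICTED || deflt || unrestricted;
    case SRC_EXTERNAL:  return deflt || unrestricted;
    case SRC_TEREDO:    return unrestricted;
    }
    return 0;
}
```

A real application only sets the option; the classification is done by the stack, so the model is useful for reasoning about which peers a given level exposes a listener to, not as runtime filtering.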

See Also

Concepts

IPPROTO_IPV6
Socket Options