Important: This is retired content. This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
The IPV6_PROTECTION_LEVEL socket option enables developers to place access restrictions on IPv6 sockets. Such restrictions enable an application running on a private LAN to simply and robustly harden itself against external attacks. The IPV6_PROTECTION_LEVEL socket option widens or narrows the scope of a listening socket, enabling unrestricted access from public and private users when appropriate, or restricting access only to the same site, as required.
IPV6_PROTECTION_LEVEL currently has three defined protection levels:
Protection level | Description
---|---
PROTECTION_LEVEL_RESTRICTED | Used by intranet applications that do not implement Internet scenarios. These applications are generally not tested or hardened against Internet-style attacks.
PROTECTION_LEVEL_DEFAULT | The default socket protection level.
PROTECTION_LEVEL_UNRESTRICTED | Used by applications designed to operate across the Internet, including applications taking advantage of IPv6 NAT traversal capabilities built into Windows. These applications may bypass IPv4 firewalls, so applications must be hardened against Internet attacks directed at the opened port.
The following code example provides the defined values for each:
```c
#define PROTECTION_LEVEL_RESTRICTED   10 /* for Intranet apps */
#define PROTECTION_LEVEL_DEFAULT      20 /* default level */
#define PROTECTION_LEVEL_UNRESTRICTED 30 /* for peer-to-peer apps */
```
These values are mutually exclusive and cannot be combined in a single setsockopt function call. Other values for this socket option are reserved. These protection levels apply only to incoming connections; setting this socket option has no effect on outbound packets or connections.
Note: The IPV6_PROTECTION_LEVEL socket option should be set before the socket is bound. Otherwise, packets received between the bind and setsockopt calls will conform to PROTECTION_LEVEL_DEFAULT, and may be delivered to the application.
The following table describes the effect of applying each protection level to a listening socket. Incoming traffic is permitted for these protection levels.
Protection level | Same site | External | NAT traversal (Teredo)
---|---|---|---
PROTECTION_LEVEL_RESTRICTED | Yes | No | No
PROTECTION_LEVEL_DEFAULT | Yes | Yes | No
PROTECTION_LEVEL_UNRESTRICTED | Yes | Yes | Yes
In the table above, the Same site column is a combination of the following:
- Link-local addresses
- Global addresses known to belong to the same site (matching the site prefix table)
When incoming packets or connections are refused due to the set protection level, rejection is handled as if no application was listening on that socket.
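As an added example (not code from the original documentation), the following C program models the permission table above and the "Same site" classification, and shows the call order the note requires on Windows: setsockopt with IPV6_PROTECTION_LEVEL before bind. The site prefix table and the sample addresses are constructed; the Teredo prefix 2001:0::/32 comes from RFC 4380; the Winsock listener compiles only under _WIN32, while the policy model builds and runs on any host.

```c
/* Added example, not from the original page. Models the IPV6_PROTECTION_LEVEL
 * policy table and shows the setsockopt-before-bind order on Windows. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>   /* IPV6_PROTECTION_LEVEL, inet_pton */
#else
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#endif

/* Values as defined on the page; ws2ipdef.h provides them on Windows. */
#ifndef PROTECTION_LEVEL_RESTRICTED
#define PROTECTION_LEVEL_RESTRICTED   10 /* for Intranet apps */
#define PROTECTION_LEVEL_DEFAULT      20 /* default level */
#define PROTECTION_LEVEL_UNRESTRICTED 30 /* for peer-to-peer apps */
#endif

enum source_class { SRC_SAME_SITE, SRC_EXTERNAL, SRC_TEREDO };

/* Exactly one of the three defined values is legal; they are mutually
 * exclusive and every other value is reserved. */
int protection_level_is_valid(int level) {
    return level == PROTECTION_LEVEL_RESTRICTED ||
           level == PROTECTION_LEVEL_DEFAULT ||
           level == PROTECTION_LEVEL_UNRESTRICTED;
}

/* The "incoming traffic is permitted" table from the page. A reserved
 * level is treated as refusing everything. */
int incoming_permitted(int level, enum source_class src) {
    switch (level) {
    case PROTECTION_LEVEL_RESTRICTED:   return src == SRC_SAME_SITE;
    case PROTECTION_LEVEL_DEFAULT:      return src != SRC_TEREDO;
    case PROTECTION_LEVEL_UNRESTRICTED: return 1;
    default:                            return 0;
    }
}

/* Constructed site prefix table: one global /48 "known to belong to the
 * same site". Windows maintains the real table itself. */
static const char *SITE_PREFIXES[]   = { "2001:db8:1234::" };
static const int   SITE_PREFIX_BITS[] = { 48 };

static int prefix_match(const uint8_t *addr, const uint8_t *pfx, int bits) {
    int full = bits / 8, rem = bits % 8;
    if (memcmp(addr, pfx, (size_t)full) != 0) return 0;
    if (rem == 0) return 1;
    uint8_t mask = (uint8_t)(0xFF << (8 - rem));
    return (addr[full] & mask) == (pfx[full] & mask);
}

/* Classify a textual IPv6 source: link-local (fe80::/10) or a site-prefix
 * match is "Same site"; 2001:0::/32 is Teredo (RFC 4380); else external.
 * Returns -1 for an unparsable address. */
int classify_source(const char *text) {
    uint8_t a[16], p[16];
    static const uint8_t teredo[16] = { 0x20, 0x01, 0x00, 0x00 };
    if (inet_pton(AF_INET6, text, a) != 1) return -1;
    if (a[0] == 0xfe && (a[1] & 0xc0) == 0x80) return SRC_SAME_SITE;
    if (prefix_match(a, teredo, 32)) return SRC_TEREDO;
    for (size_t i = 0; i < sizeof SITE_PREFIXES / sizeof *SITE_PREFIXES; i++)
        if (inet_pton(AF_INET6, SITE_PREFIXES[i], p) == 1 &&
            prefix_match(a, p, SITE_PREFIX_BITS[i]))
            return SRC_SAME_SITE;
    return SRC_EXTERNAL;
}

#ifdef _WIN32
/* Windows only: the option is applied BEFORE bind(), so no packet can be
 * accepted at PROTECTION_LEVEL_DEFAULT in the window between the calls.
 * Caller must have run WSAStartup(). */
SOCKET restricted_listener(unsigned short port, int level) {
    if (!protection_level_is_valid(level)) return INVALID_SOCKET;
    SOCKET s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
    if (s == INVALID_SOCKET) return INVALID_SOCKET;
    struct sockaddr_in6 sa;
    memset(&sa, 0, sizeof sa);
    sa.sin6_family = AF_INET6;
    sa.sin6_addr   = in6addr_any;
    sa.sin6_port   = htons(port);
    if (setsockopt(s, IPPROTO_IPV6, IPV6_PROTECTION_LEVEL,
                   (const char *)&level, sizeof level) == SOCKET_ERROR ||
        bind(s, (struct sockaddr *)&sa, sizeof sa) == SOCKET_ERROR ||
        listen(s, SOMAXCONN) == SOCKET_ERROR) {
        closesocket(s);
        return INVALID_SOCKET;
    }
    return s;
}
#endif

int main(void) {
    const char *samples[] = { "fe80::1", "2001:db8:1234:5::1",
                              "2001:db8:9999::1", "2001:0:4136:e378::1" };
    for (size_t i = 0; i < 4; i++) {
        int src = classify_source(samples[i]);
        printf("%-22s restricted=%d default=%d unrestricted=%d\n", samples[i],
               incoming_permitted(PROTECTION_LEVEL_RESTRICTED, src),
               incoming_permitted(PROTECTION_LEVEL_DEFAULT, src),
               incoming_permitted(PROTECTION_LEVEL_UNRESTRICTED, src));
    }
    return 0;
}
```

The classifier is a defender's model for reasoning about which peers a listener will admit; the operating system, not the application, performs the real check, which is why the page stresses setting the option before bind rather than filtering in user code.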