On 12/16/10 9:38 AM, Matthias Leisi wrote:
> On Thu, Dec 16, 2010 at 5:12 PM, Ian Eiloart <iane(_at_)sussex(_dot_)ac(_dot_)uk> wrote:
>> Given that we already don't accept IPv6 connections, I think this is an
>> opportunity to draw a line in the sand. When we do eventually deploy IPv6,
>> it'll be on much stricter terms than now.
>
> Yes, "default deny, allow from trusted/whitelisted/... sources"
> instead of the current "default accept, deny from blacklisted, plus
> some white/greylisting".

Agreed, but the white-listing should be by authenticated servers and
_not_ their IP address. v6 provides significant advantages when moving
services. If done right, there would be little effort in renumbering.
Dealing with umpteen address-based white-listing services will prove
horrific when each service asserts different policies regarding updates
and points of contact where timely coordination would be impossible.

Efforts related to the keyassure wg appear headed in the right
direction, which might offer a DIY StartTLS solution for SMTP, for
example. Reputations could then accrue against certificate holders,
rather than addresses. The difference in the scale of acceptance data
would likely be in the area of millions to 1 smaller.

-Doug
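
The policy discussed in this message, sketched as an added example that is not part of the original post: default deny, acceptance and reputation keyed on the certificate presented over STARTTLS rather than on the source address. The class and function names, the placeholder certificate bytes and the 2001:db8::/32 documentation addresses are all constructed for illustration, and the sketch assumes the TLS handshake has already proven the peer holds the certificate's private key.

```python
import hashlib
import ipaddress
from collections import Counter

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate the peer presented in STARTTLS."""
    return hashlib.sha256(cert_der).hexdigest()

class CertKeyedPolicy:
    """Default deny; accept only sessions whose certificate is allow-listed."""
    def __init__(self, allowed_certs):
        self.allowed = {fingerprint(c) for c in allowed_certs}
        self.reputation = Counter()      # accrues per certificate, not per address

    def decide(self, peer_ip, cert_der):
        ipaddress.ip_address(peer_ip)    # syntax check only; never used for trust
        if cert_der is None:
            return "deny"                # peer offered no STARTTLS certificate
        fp = fingerprint(cert_der)
        if fp not in self.allowed:
            return "deny"                # unknown certificate: default deny
        self.reputation[fp] += 1
        return "accept"

def address_table_size(sessions):
    """Entries an address-keyed list would need to cover the same sessions."""
    return len({ipaddress.ip_address(ip) for ip, _ in sessions})

# Constructed sample data: one known sender renumbering across 200 prefixes,
# one sender with an unknown certificate, one sender without a certificate.
KNOWN = b"constructed-cert-mail.example.org"
UNKNOWN = b"constructed-cert-unknown-sender"
SESSIONS = [(f"2001:db8:{n:x}::25", KNOWN) for n in range(1, 201)]
SESSIONS += [("2001:db8:ffff::1", UNKNOWN), ("2001:db8:ffff::2", None)]

def run():
    policy = CertKeyedPolicy([KNOWN])
    verdicts = [policy.decide(ip, cert) for ip, cert in SESSIONS]
    return policy, verdicts

if __name__ == "__main__":
    policy, verdicts = run()
    print(Counter(verdicts), len(policy.reputation), address_table_size(SESSIONS))
```

The known sender keeps a single reputation entry across every renumbering, while an address-keyed list covering the same sessions needs one entry per source address.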