
Re: clarification re 2821, s4.1.4

2002-08-17 14:08:35

on 8/17/2002 3:05 PM Arnt Gulbrandsen wrote:
> That's not sufficient. If you want that wording, you have to detail what
> "positive" and "negative" mean.
>
> Or remove it and leave it as "complete"
>
> You may also want to explain the implications, for example for SMTP
> clients sitting behind NAT routers.

These demands strike me as being artificial.

Let me tell you a story. A few months back I made a typo while adding a
netblock range to my blacklist, and I ended up blocking something like 40
class A netblocks. By the arguments above, text permitting the use of
address ranges for policy decisions would need to be accompanied by "don't
make typos".

Are there valid reasons why an operator should not simply discard any
lookup which results in a negative answer? Absolutely. There are also
valid reasons for an operator within a specific network to do so. A closed
server might want to reject any connection which cannot be validated
through multiple means (including the EHLO identifier, the subsequent
address lookup, and a tertiary comparison to an X.509 subject), and a
failure of any of these could be considered valid for that site. Most of
us are just looking for something in between, such as refusing sessions
from sites claiming to be me but which I know are not me. Asking me to
detail all of these is arbitrary to the point of seeming artificial.

Eric A. Hall                              
Internet Core Protocols
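The policy discussed above, as an added example that is not part of the thread or of any cited implementation: a small EHLO-versus-connecting-address check that keeps a "negative" lookup result (the name does not resolve, or resolves to other addresses) apart from an "incomplete" one (no authoritative answer), and that in its default "between" mode refuses only sessions claiming one of our own names from an address outside our own netblocks. The domain names, netblocks, lookup table and the `policy` parameter are all constructed for illustration; the netblock helpers also show the "40 class A" typo from the story, which `ipaddress.ip_network` rejects in strict mode.

```python
"""
Added example, not code from the original message.  All names, netblocks
and the stand-in DNS table below are constructed for illustration.
"""
from enum import Enum
import ipaddress

class Lookup(Enum):
    POSITIVE = "positive"      # name resolves and includes the connecting address
    NEGATIVE = "negative"      # name resolves elsewhere, or does not exist at all
    INCOMPLETE = "incomplete"  # no authoritative answer (timeout, SERVFAIL)

# Constructed stand-in for DNS: name -> list of addresses, None for NXDOMAIN,
# or the string "SERVFAIL" for a lookup that did not complete.
FAKE_DNS = {
    "mail.example.net":  ["192.0.2.25"],
    "smtp.example.net":  ["192.0.2.26", "2001:db8::26"],
    "relay.example.org": ["198.51.100.7"],
    "nat.example.org":   ["10.0.0.5"],      # client behind NAT: private address
    "ghost.example.com": None,              # NXDOMAIN
    "slow.example.com":  "SERVFAIL",        # incomplete
}

# Our own (constructed) domain and address space.
OUR_DOMAIN = "example.net"
OUR_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]

def is_valid_netblock(text):
    """Strict parse: a prefix with host bits set (e.g. '/2' typed for '/24')
    is refused instead of silently widening to a huge range."""
    try:
        ipaddress.ip_network(text, strict=True)
        return True
    except ValueError:
        return False

def class_a_count(text):
    """How many /8s a prefix would cover if accepted leniently; this is the
    size of the mistake the strict parser above prevents."""
    net = ipaddress.ip_network(text, strict=False)
    return net.num_addresses // 2 ** 24

def lookup(name):
    """Return a list of addresses, [] for a definite negative, None if
    the lookup did not complete."""
    answer = FAKE_DNS.get(name)        # unknown names are treated as NXDOMAIN
    if answer == "SERVFAIL":
        return None
    if answer is None:
        return []
    return [ipaddress.ip_address(a) for a in answer]

def classify(ehlo_name, peer_ip):
    peer = ipaddress.ip_address(peer_ip)
    addrs = lookup(ehlo_name)
    if addrs is None:
        return Lookup.INCOMPLETE
    return Lookup.POSITIVE if peer in addrs else Lookup.NEGATIVE

def claims_to_be_us(ehlo_name):
    return ehlo_name == OUR_DOMAIN or ehlo_name.endswith("." + OUR_DOMAIN)

def is_our_address(peer_ip):
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in net for net in OUR_NETS)

def decide(ehlo_name, peer_ip, policy="between"):
    """Return (action, reason).  action is 'accept', 'reject' or 'tempfail'.

    policy='closed'  rejects anything that is not a positive match, but an
                     incomplete lookup only gets a temporary failure.
    policy='between' rejects only a forged claim to be one of our hosts and
                     records the lookup result for everything else.
    """
    name = ehlo_name.lower().rstrip(".")
    if claims_to_be_us(name) and not is_our_address(peer_ip):
        return ("reject", "EHLO %s claims our domain from %s, not our address space"
                % (name, peer_ip))
    result = classify(name, peer_ip)
    if policy == "closed":
        if result is Lookup.POSITIVE:
            return ("accept", "positive match")
        if result is Lookup.NEGATIVE:
            return ("reject", "negative: %s does not resolve to %s" % (name, peer_ip))
        return ("tempfail", "lookup incomplete, try again later")
    return ("accept", "lookup %s for %s" % (result.value, name))

if __name__ == "__main__":
    for name, ip in [("mail.example.net", "203.0.113.9"), ("nat.example.org", "203.0.113.77"),
                     ("ghost.example.com", "203.0.113.9"), ("slow.example.com", "203.0.113.9")]:
        print(name, ip, decide(name, ip), decide(name, ip, "closed"))
    print("192.0.2.0/2 valid:", is_valid_netblock("192.0.2.0/2"),
          "covers", class_a_count("192.0.2.0/2"), "class A blocks if accepted")
```

The NAT case in the table is the one the quoted objection raises: the client's EHLO name resolves to a private address, so the lookup is a definite negative, and only the "closed" policy turns that into a rejection. An incomplete lookup never yields a permanent rejection in either mode, which is the practical difference between "negative" and "not complete".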