Re: PTR for IPv6 clients (Re: IPv6 NAT?)

Harald Alvestrand wrote:

Mark Andrews skrev:

You also don't want to do it as you would also need massive churn in
the DNS.

Microsoft gets this wrong as they don't register the privacy addresses
in the DNS which in turn causes services to be blocked because there
is no address in the DNS.

perhaps the advent of IPv6 will result in people finally (*finally*)
giving up on this sorry excuse for a security blanket? (calling it a
"mechanism" is too kind)

Or perhaps it'll just make people register wildcard records at the /64
level in ip6.arpa :-(

             Harald(_at_)162(_dot_)80-203-220(_dot_)nextgentel(_dot_)com (MY, 
what an useful
reverse map!)


Like a lot of things, "it depends".

For SMTP/SSH and for management-alike protocols requiring proper
reverse -> forward -> reverse mapping is IMHO a good thing.

Clients & servers using these protocols should be on stable & trackableaddresses. (of course you an set a low TTL etc, that is why one shouldalways log the name + IP, the more information the better). Withmanagement I mean for instance reverses on router IP addresses, as itmakes traceroute so much more informative, also reverses on servers etc.

For SSH you will most likely have firewall rules in place anyway. SMTPshould similarly only be allowed to clients that are in your clientlist. One doesn't have to require r->f->r if the client is in yourclient-list of course. Your server, which talks to other SMTP serversoutside of your control, should be on a stable IP and have functioningr->f->r. For SMTP the current track of mind is: no reverse, nocommunication. Which stops most of the spam already, as that client isclearly not configured correctly to do inter-domain SMTP.

For that matter anything that is 'stable' should (note should) IMHO havea proper r->f->r.


For any other protocol _requiring_ reverse is silly IMHO.
You don't need it for HTTP, you don't need it for BitTorrent etc.

Having reverse in those cases is nice, as it might give extrainformation (eg the remote is most likely dsl as it contains 'dsl' inthe reverse), but it is always a guess and might quite well be faked.

The biggest issue with the use of reverses tends to be with applicationswhich only lookup a reverse, but don't check if the r->f->r link iscomplete.


Greets,
 Jeroen

signature.asc
Description: OpenPGP digital signature

_______________________________________________
IETF mailing list
IETF(_at_)ietf(_dot_)org
http://www.ietf.org/mailman/listinfo/ietf

<Prev in Thread]	Current Thread	[Next in Thread>
Re: IPv6 NAT?, (continued) Re: IPv6 NAT?, Mark Andrews Re: IPv6 NAT?, Rémi Després Re: IPv6 NAT?, Stephane Bortzmeyer Re: IPv6 NAT?, Rémi Després Re: IPv6 NAT?, Stephane Bortzmeyer Re: IPv6 NAT?, Rémi Després Re: IPv6 NAT?, Stephane Bortzmeyer Re: IPv6 NAT?, Rémi Després Re: IPv6 NAT?, Mark Andrews PTR for IPv6 clients (Re: IPv6 NAT?), Harald Alvestrand Re: PTR for IPv6 clients (Re: IPv6 NAT?), Jeroen Massar <= Re: PTR for IPv6 clients (Re: IPv6 NAT?), Harald Alvestrand Message not available Re: PTR for IPv6 clients (Re: IPv6 NAT?), Harald Alvestrand Re: PTR for IPv6 clients (Re: IPv6 NAT?), Rémi Després Re: PTR for IPv6 clients (Re: IPv6 NAT?), Harald Alvestrand Re: PTR for IPv6 clients (Re: IPv6 NAT?), Iljitsch van Beijnum Re: PTR for IPv6 clients (Re: IPv6 NAT?), Harald Alvestrand Re: PTR for IPv6 clients (Re: IPv6 NAT?), Rémi Després Message not available Re: PTR for IPv6 clients (Re: IPv6 NAT?), Iljitsch van Beijnum Re: PTR for IPv6 clients (Re: IPv6 NAT?), Rémi Després Re: PTR for IPv6 clients (Re: IPv6 NAT?), Rémi Després