spf-discuss

A proposal for IPv6 addresses in SPF

2004-06-24 06:22:19
Hello,

Since http://spf.pobox.com/mechanisms.html#ip6 invites comments on
IPv6, let me try. This is a first proposal, I'm a beginner, and no
implementation has been attempted yet. But I have already received one
spam over IPv6, so it is better to try to address the issue.

[Between square brackets, comments and rationales.]

Proposal:

Add http://spf.pobox.com/mechanisms.html#aaaa, with the text:

All the AAAA records (RFC 3596) for domain are tested. If the client
IP is found among them, this mechanism matches.

If domain is not specified, the current-domain is used.

The AAAA records have to match the client IP exactly, unless a prefix
length is provided, in which case each IP address returned by the AAAA
lookup will be expanded to its corresponding prefix, and the client IP
will be sought within that prefix.

"v=spf1 aaaa -all"

    The current-domain is used.

"v=spf1 aaaa:example.com -all"

    Equivalent if the current-domain is example.com.

"v=spf1 aaaa:mailers.example.com -all"

    Perhaps example.com has chosen to explicitly list all the outbound
    mailers in a special AAAA record under mailers.example.com.

"v=spf1 aaaa/48 a:offsite.example.com/64 -all"

    If example.com resolves to dead:beef:7::1, the entire prefix of
    dead:beef:7::/48 would be searched for the client IP. Similarly
    for offsite.example.com. If more than one AAAA record were
    returned, each one would be expanded to a prefix of 64 bits.

[Rationale: there is no easy way to retrieve both A and AAAA
records. Use your favorite search engine to find out about the ADDR
proposed record type, why ANY is not suitable and how EDNS1 could help
in the future.

Also, when SPF starts, it already knows if the SMTP connection was
attempted with IPv4 or IPv6.]

In http://spf.pobox.com/mechanisms.html#ip6, replace cidr-spec with
prefix and modify the text to:

A prefix is an IP network range. If no prefix-length is given, /128 is
assumed. To help with greedy regexp engines, and since the character
after the mechanism is a ":", do note that the usual IPv6 separator
(RFC 3513, 2.2), ":", has been replaced by ";".

"v=spf1 ip6:dead;beef;7;;/48 -all"

    Allow any IP address between dead:beef:7:: and
    dead:beef:7:ffff:ffff:ffff:ffff:ffff.
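
Added example, not part of the original post and not code from any SPF implementation: a sketch of how a receiver could evaluate the proposed `aaaa` and `ip6` terms against an IPv6 client address. The function names and the `SAMPLE_AAAA` table (constructed data standing in for AAAA lookups) are assumptions made for illustration.

```python
import ipaddress

# Constructed AAAA answers standing in for DNS lookups (assumption, not real records).
SAMPLE_AAAA = {
    "example.com": ["dead:beef:7::1"],
    "mailers.example.com": ["dead:beef:7::25", "dead:beef:8::25"],
}

def parse_term(term, current_domain):
    """Split 'aaaa[:domain][/len]' or 'ip6:addr[/len]' into (mech, arg, prefix_len)."""
    body, _, plen = term.partition("/")
    mech, _, arg = body.partition(":")
    prefix_len = int(plen) if plen else 128  # no prefix length means exact match
    if not 0 <= prefix_len <= 128:
        raise ValueError("prefix length out of range: %r" % term)
    if mech == "aaaa":
        # A missing domain falls back to the current-domain.
        return mech, arg or current_domain, prefix_len
    if mech == "ip6":
        # The proposal writes ';' where the RFC 3513 text form uses ':'.
        return mech, arg.replace(";", ":"), prefix_len
    raise ValueError("unsupported mechanism: %r" % term)

def term_matches(term, client_ip, current_domain, aaaa=SAMPLE_AAAA):
    """Return True if client_ip is authorized by this single term."""
    client = ipaddress.ip_address(client_ip)
    if client.version != 6:
        return False  # these terms only ever describe IPv6 senders
    mech, arg, plen = parse_term(term, current_domain)
    addrs = aaaa.get(arg, []) if mech == "aaaa" else [arg]
    for addr in addrs:
        # strict=False expands each address to its enclosing prefix.
        net = ipaddress.ip_network("%s/%d" % (addr, plen), strict=False)
        if client in net:
            return True
    return False
```

With a prefix length, every address in the expanded prefix is authorized, not only the hosts that have AAAA records, so a short prefix widens the set of permitted senders accordingly.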