spf-discuss

Re: IPv4/IPv6 address handling in the SPF specification

2005-06-28 03:16:10
On Mon, 2005-06-27 at 18:00 +0200, Julian Mehnle wrote:
<SNIP>
> Now what Shevek and I have come up with is that it is probably best for
> implementations that support IPv6 to _always_ operate on IPv6 addresses
> internally, i.e. to convert any IPv4 addresses to IPv4-mapped IPv6 ones.
> For instance, an incoming IPv4 connection from the address 1.2.3.4 would
> be converted to ::ffff:1.2.3.4 (AKA 0:0:0:0:0:ffff:0102:0304).

*DON'T* even think about doing that.

IPv4 should be handled as IPv4 and IPv6 as IPv6. The extremely annoying
compatibility address (::ffff:a.b.c.d) and mapped address (::a.b.c.d)
should *always* be stripped to simply be a.b.c.d. Also always convert
results from getaddrinfo(), when e.g. returned from getpeeraddr(), into an
IPv4 version and handle it as IPv4 when you get either mapped or compat
addresses.

Yes, this is annoying to add a special bloody case (blame those people
who thought it was useful, it was, but not long), but it does save a lot
of issues later on.

Funny example:
you have an ACL containing: "not a.b.c.d", but your code has internally
IPv6 representations of everything, thus the above ACL does not match
and the thing passes on, basically avoiding your ACL. Debug that when
you have a huge system.

Greets,
 Jeroen

PS: I asked before if all implementations were IPv6 safe, the answer
was supposed to be yes, but it looks very likely to be a big nono.... :(
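
The ACL bypass described in this message, as an added example (not code from the poster or from any SPF implementation): an IPv4 deny rule misses a peer that arrives as `::ffff:a.b.c.d` unless the address is stripped to plain IPv4 first. The `deny4` rule type, the function names and the sample addresses are hypothetical; the macros are the standard ones from `<netinet/in.h>`.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reduce a peer address to plain IPv4 when it is IPv4, ::ffff:a.b.c.d or
 * ::a.b.c.d. Returns 1 and fills *out, 0 for native IPv6, -1 on parse error. */
int to_ipv4(const char *text, struct in_addr *out) {
    struct in6_addr a6;
    if (inet_pton(AF_INET, text, out) == 1)
        return 1;
    if (inet_pton(AF_INET6, text, &a6) != 1)
        return -1;
    if (!IN6_IS_ADDR_V4MAPPED(&a6) && !IN6_IS_ADDR_V4COMPAT(&a6))
        return 0;                             /* :: and ::1 also land here */
    memcpy(&out->s_addr, &a6.s6_addr[12], 4); /* low 32 bits, network order */
    return 1;
}

/* Hypothetical IPv4 deny rule, e.g. 192.0.2.0/24 (documentation range). */
struct deny4 { const char *net; int prefix; };

static int deny4_match(const struct deny4 *r, struct in_addr ip) {
    struct in_addr net;
    uint32_t mask = r->prefix ? htonl(0xffffffffu << (32 - r->prefix)) : 0;
    if (inet_pton(AF_INET, r->net, &net) != 1)
        return 0;
    return (ip.s_addr & mask) == (net.s_addr & mask);
}

/* Assumed failure mode: IPv4 rules are consulted only for AF_INET text. */
int denied_naive(const struct deny4 *r, const char *peer) {
    struct in_addr ip;
    return inet_pton(AF_INET, peer, &ip) == 1 && deny4_match(r, ip);
}

/* Strip mapped/compat forms first, then apply the same rule. */
int denied_normalized(const struct deny4 *r, const char *peer) {
    struct in_addr ip;
    return to_ipv4(peer, &ip) == 1 && deny4_match(r, ip);
}

int main(void) {
    struct deny4 r = { "192.0.2.0", 24 };
    const char *p = "::ffff:192.0.2.10";      /* constructed sample peer */
    printf("%s naive=%d normalized=%d\n", p,
           denied_naive(&r, p), denied_normalized(&r, p));
    return 0;
}
```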
