On Mon, 2005-06-27 at 18:00 +0200, Julian Mehnle wrote:
<SNIP>
> Now what Shevek and I have come up with is that it is probably best for
> implementations that support IPv6 to _always_ operate on IPv6 addresses
> internally, i.e. to convert any IPv4 addresses to IPv4-mapped IPv6 ones.
> For instance, an incoming IPv4 connection from the address 1.2.3.4 would
> be converted to ::ffff:1.2.3.4 (AKA 0:0:0:0:0:ffff:0102:0304).
*DON'T* even think about doing that.
IPv4 should be handled as IPv4 and IPv6 as IPv6. The extremely annoying
compatibility address (::ffff:a.b.c.d) and mapped address (::a.b.c.d)
should *always* be stripped to simply be a.b.c.d. Also always convert
results from getaddrinfo(), when e.g. returned from getpeeraddr(), into an
IPv4 version and handle it as IPv4 when you get either mapped or compat
addresses.
Yes, this is annoying to add a special bloody case (blame those people
who thought it was useful, it was, but not long), but it does save a lot
of issues later on.
Funny example:
you have an ACL containing: "not a.b.c.d", but your code has internally
IPv6 representations of everything, thus the above ACL does not match
and the thing passes on, basically avoiding your ACL. Debug that when
you have a huge system.
Greets,
Jeroen
PS: I asked before if all implementations were IPv6 safe, the answer
was supposed to be yes, but it looks very likely to be a big nono.... :(
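
An added example, not part of the original message: one way to apply the stripping described above before an IPv4 ACL check, using the standard IN6_IS_ADDR_V4MAPPED and IN6_IS_ADDR_V4COMPAT macros so that both ::ffff:a.b.c.d and ::a.b.c.d are compared as a.b.c.d. The function names parse_peer, peer_to_ipv4 and acl_denies are hypothetical, and the addresses are constructed samples.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Stand-in for the address accept()/getpeername() would hand back. */
static int parse_peer(const char *text, struct sockaddr_storage *ss)
{
    memset(ss, 0, sizeof *ss);
    if (inet_pton(AF_INET, text, &((struct sockaddr_in *)ss)->sin_addr) == 1)
        ss->ss_family = AF_INET;
    else if (inet_pton(AF_INET6, text, &((struct sockaddr_in6 *)ss)->sin6_addr) == 1)
        ss->ss_family = AF_INET6;
    else
        return 0;
    return 1;
}

/* Strip ::ffff:a.b.c.d and ::a.b.c.d down to a.b.c.d; 0 means genuine IPv6. */
static int peer_to_ipv4(const struct sockaddr_storage *ss, struct in_addr *v4)
{
    const struct in6_addr *a6 = &((const struct sockaddr_in6 *)ss)->sin6_addr;
    if (ss->ss_family == AF_INET) {
        *v4 = ((const struct sockaddr_in *)ss)->sin_addr;
        return 1;
    }
    if (ss->ss_family == AF_INET6 &&
        (IN6_IS_ADDR_V4MAPPED(a6) || IN6_IS_ADDR_V4COMPAT(a6))) {
        memcpy(v4, &a6->s6_addr[12], sizeof *v4);   /* low 32 bits */
        return 1;
    }
    return 0;
}

/* "not a.b.c.d" rule: 1 = reject the peer. Unparsable input fails closed. */
static int acl_denies(const char *peer_text, const char *denied_text)
{
    struct sockaddr_storage ss;
    struct in_addr denied, peer;
    if (!parse_peer(peer_text, &ss) || inet_pton(AF_INET, denied_text, &denied) != 1)
        return 1;
    if (!peer_to_ipv4(&ss, &peer))
        return 0;   /* genuine IPv6: an IPv4 rule does not apply */
    return peer.s_addr == denied.s_addr;
}

int main(void)
{
    return acl_denies("::ffff:1.2.3.4", "1.2.3.4") ? 0 : 1; /* constructed sample */
}
```

Without the peer_to_ipv4 step, a family-first comparison would treat ::ffff:1.2.3.4 as unrelated to the 1.2.3.4 rule, which is the ACL miss the message describes.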
-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/