spf-discuss

Re: IPv4/IPv6 address handling in the SPF specification

2005-06-28 04:24:56

Jeroen Massar wrote:
> Julian Mehnle wrote:
> > Now what Shevek and I have come up with is that it is probably best
> > for implementations that support IPv6 to _always_ operate on IPv6
> > addresses internally, i.e. to convert any IPv4 addresses to
> > IPv4-mapped IPv6 ones. For instance, an incoming IPv4 connection from
> > the address 1.2.3.4 would be converted to ::ffff:1.2.3.4 (AKA
> > 0:0:0:0:0:ffff:0102:0304).
>
> *DON'T* even think about doing that.

This is what the new upcoming Mail::SPF will actually be doing.

> IPv4 should be handled as IPv4 and IPv6 as IPv6. The extremely annoying
> compatibility address (::ffff:a.b.c.d) and mapped address (::a.b.c.d)

(It's the other way round, BTW.  ::ffff:n.n.n.n are "mapped" addresses,
::n.n.n.n are "compatibility" addresses.)

> [...]
> Yes, this is annoying to add a special bloody case (blame those people
> who thought it was useful, it was, but not long), but it does save a lot
> of issues later on.
>
> Funny example:
> you have an ACL containing: "not a.b.c.d", but your code has internally
> IPv6 representations of everything, thus the above ACL does not match
> and the thing passes on, basically avoiding your ACL. Debug that when
> you have a huge system.

This is actually a bug in the ACL implementation you're talking about.
::ffff:n.n.n.n addresses should always be treated as IPv4 addresses, so any
textual matching routines should match ::ffff:n.n.n.n the same as n.n.n.n
(and that's pretty easy, too).
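
The ACL mismatch discussed in the message above, and the normalization that avoids it, as an added example that is not part of the original message and is not Mail::SPF code. It uses Python's standard `ipaddress` module; the function names and the deny list are constructed for illustration.

```python
import ipaddress

# Constructed deny list (not from the thread): a host, a CIDR block, and a
# block that an operator wrote in IPv4-mapped IPv6 notation.
DENY = ["1.2.3.4", "192.0.2.0/24", "::ffff:198.51.100.0/120"]

def normalize(addr):
    """Parse addr and fold an IPv4-mapped address (::ffff:a.b.c.d) to IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def normalize_network(entry):
    """Same folding for an ACL entry: a mapped /(96+n) becomes an IPv4 /n."""
    net = ipaddress.ip_network(entry)
    if net.version == 6 and net.prefixlen >= 96:
        mapped = net.network_address.ipv4_mapped
        if mapped is not None:
            return ipaddress.IPv4Network((int(mapped), net.prefixlen - 96))
    return net

def naive_denied(client, deny=DENY):
    """Textual comparison: the ACL miss described in the quoted example."""
    return client in deny

def denied(client, deny=DENY):
    """Compare only after both sides are in the same canonical family."""
    ip = normalize(client)
    for entry in deny:
        net = normalize_network(entry)
        if ip.version == net.version and ip in net:
            return True
    return False

if __name__ == "__main__":
    for client in ("1.2.3.4", "::ffff:1.2.3.4", "0:0:0:0:0:ffff:0102:0304",
                   "::ffff:198.51.100.7", "::1.2.3.4", "2001:db8::1"):
        print(f"{client:26} naive={naive_denied(client)!s:5} "
              f"normalized={denied(client)}")
```

The `::1.2.3.4` compatibility form is left as IPv6 here, since the message only calls for treating `::ffff:n.n.n.n` as IPv4.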