-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I already portrayed my final position on the "IP4 mapped IP6 connection"
controversy, but for fun I will reply to Stuart's "reasons why Julian's
position makes my head hurt" list. ;-)
Stuart D. Gathman wrote:
> Therefore, the BOTH AND position, while theoretically attractive from an
> IPv6 standpoint,
>
> 1) is incompatible with IP4 implementations that ignore IP6.
Agreed. However, old SPF implementations should not be "correct by defi-
nition". Rather, we worked on RFC 4408 to build a common formal ground
for existing implementations and clarify any ambiguities -- however,
unfortunately we obviously did NOT clarify some ambiguities (at least not
to a sufficient degree), and claiming that implementors resolving them
"the wrong way" were violating RFC 4408 is unjustified.
> 2) is logically inconsistent in matching ip6, but not fetching AAAA.
Theoretically yes, practically no. It is sufficiently unlikely that domain
owners would publish IPv4 addresses using AAAA records.
> 3) or else increases DOS amplification potential from 10 to 20 by
> fetching BOTH A AND AAAA.
Right, but no one says that should be done really.
> 4) goes against the language of the RFC, specifically the "Even if"
> phrase.
I disagree with the interpretation that the "Even if" wording implies
"[MUST still be considered an IPv4 address] _only_".
> 5) can't make the %{v} macro expand to BOTH 'in-addr' AND 'ip6'.
There is no need to. Just have it expand to "in-addr". Macro expansion is
about _output_ generation, not _input_ processing, so all that is really
needed is _some_ expansion form to be clearly and unambiguously specified.
This is a red herring and has nothing to do with the "should ip6: match
IPv4 addresses" issue.
> 6) has only one implementation and it was just completed this week.
That doesn't make it wrong.
> 7) seems to have only one proponent on SPF mailing lists.
As I said on #spf already, we are of course a democracy (sort of), and I
have no problem with being voted down on this issue. I still think my
position is more correct, though.
> The MUTUAL EXCUSION position, on the other hand,
>
> 1) is the plain reading of RFC4408
Says you. :-)
> 2) gives uniform SPF results for IP4 and IP6 senders.
I don't know what you mean.
> 3) gives uniform SPF results for IP4 only implementations that simply
> ignore ip6 (other than syntax checking) as well as IP6
> implementations.
See (1) of your first list above. Apart from that, I'd agree to a BCP
document recommending that domain owners do NOT publish "ip6:" with
IPv4-mapped IPv6 addresses or, generally, with the expectation that "ip6:"
is guaranteed to match IPv4 addresses. (That would be consistent with my
expectation that domain owners do not publish IPv4 addresses using AAAA
records.)
> 4) gives uniform SPF results for both IP4 and IP6 receivers.
The socket type should not play any role whatsoever with the SPF
implementation. I never suggested anything to such an effect.
> 5) makes mechanisms like "ip6:::FFFF:1.2.3.4" officially a noop, so
> that publishers have no reason to use them - thereby avoiding
> problems with the implementation that insists on the BOTH AND
> position. (And thus should be acceptable to the COMPROMISE position.)
Silent no-ops are a very bad thing (unless they're called "noop"). If we
wanted to disallow "ip6:::ffff:n.n.n.n" & Co., those cases should at least
throw a PermError.
> 6) is easy to implement by simply changing ip4 mapped ip6 connections to
> ip4 before evaluating (per the plain reading of the RFC
> instructions).
True. However, it also happens to be true that the BOTH AND position is
easy to implement if you use only IPv6 addresses internally by converting
IPv4 addresses to IPv4-mapped IPv6 addresses before evaluating, which is
generally equivalent to the implementation design suggested by the RFC.
(I still have to check "everywhere" for whether an IPv6 address at hand is
an IPv4-mapped one, though, so having to do it in one more place ("ip6:"
matching) certainly cannot be, and never was, the motivation for this
thread.)
Now, wrapping all this up, I'll say again that I have no problem with being
voted down on this issue.
EOT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFFbvCXwL7PKlBZWjsRAt98AJ4285c5xt4B7dm39/FvdZNpUIJ3twCg4pNq
CwCT1DCXI5oAN3PJ0LCen+Y=
=Jz9n
-----END PGP SIGNATURE-----
-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to
http://v2.listbox.com/member/?list_id=1007