[146551] in cryptography@c2.net mail archive
Re: [Cryptography] IPv6 and IPSEC
daemon@ATHENA.MIT.EDU (Bill Stewart)
Tue Sep 3 23:39:37 2013
Date: Tue, 03 Sep 2013 18:09:15 -0700
To: Cryptography List <cryptography@metzdowd.com>
From: Bill Stewart <bill.stewart@pobox.com>
Cc: Lucky Green <shamrock@cypherpunks.to>,
Phillip Hallam-Baker <hallam@gmail.com>

At 01:53 PM 8/29/2013, Taral wrote:
>Oh, wait. I misread the requirement. This is a pretty normal
>requirement -- your reverse DNS has to be valid. So if you are
>3ffe::2, and that reverses to abc.example.com, then abc.example.com
>better resolve to 3ffe::2.

For IPv4, that's a relatively normal way to do things, though if
example.com is commercial, smtp.example.com might actually be a
load-balanced bunch of servers in xx.yy.zz.0/24 instead of just one
machine, or they might be hidden behind NAT.

But with IPv6 privacy extensions, a single machine might be using
pseudorandomly-generated addresses in a /64 subnet, so you'd have to do
some kind of wildcarding to represent it as a single name.

Also, "residential" vs. "commercial" is a much fuzzier boundary for IPv6;
an IPv6 machine might be a VM tunnelling to Hurricane Electric over IPv4,
or tunnelled from a residence to a DSL ISP that can only do telco DSL at
IPv4.

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
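
The forward-confirmed reverse DNS check discussed in this message, as an added example that is not part of the original post or of any mail server's code. The DNS tables are constructed sample data, and the `v6_prefix` relaxation is an assumption: one possible reading of "wildcarding", which binds the name to a subnet rather than to a single host.

```python
import ipaddress

# Constructed DNS data using the 2001:db8::/32 documentation prefix.
PTR = {ipaddress.ip_address(k): v for k, v in {
    "2001:db8:0:1::25": "smtp.example.com",
    "2001:db8:0:2:a1b2:c3d4:e5f6:789": "host.example.com",  # temporary (privacy) address
    "2001:db8:0:3::9": "other.example.com",
}.items()}
AAAA = {
    "smtp.example.com": ["2001:db8:0:1::25"],
    "host.example.com": ["2001:db8:0:2::1"],    # only the stable address is published
    "other.example.com": ["2001:db8:ffff::1"],  # forward record points elsewhere
}

def fcrdns(client_ip, v6_prefix=128, ptr_lookup=PTR.get,
           addr_lookup=lambda name: AAAA.get(name, [])):
    """Return (ok, name). ok is True when the PTR name of client_ip resolves
    back to client_ip or, for IPv6 with v6_prefix < 128, to an address in
    the same prefix (hypothetical relaxation, weaker than an exact match)."""
    ip = ipaddress.ip_address(client_ip)
    name = ptr_lookup(ip)
    if name is None:
        return False, None            # no reverse record at all
    for text in addr_lookup(name):
        try:
            cand = ipaddress.ip_address(text)
        except ValueError:
            continue                  # skip malformed forward records
        if cand.version != ip.version:
            continue
        if cand == ip:
            return True, name         # strict forward-confirmed match
        if ip.version == 6 and v6_prefix < 128:
            net = ipaddress.ip_network(f"{ip}/{v6_prefix}", strict=False)
            if cand in net:
                return True, name     # same subnet, not necessarily same host
    return False, name

if __name__ == "__main__":
    for addr in PTR:
        print(addr, "strict:", fcrdns(addr), "/64:", fcrdns(addr, v6_prefix=64))
```

With the strict check the privacy-extension address fails even though its PTR record is honest; with the /64 match it passes, at the cost of accepting any address in that subnet.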