On Wednesday, April 24, 2013 04:56:33 PM Simon Perreault wrote:
> Le 2013-04-24 16:26, Scott Kitterman a écrit :
> > The case here is #2.  In SPF there are various mechanisms that can be used
> > in an SPF record to identify sources from which mail is authorized.  Two
> > of these mechanisms directly specify IP addresses.  "ip4" is used to
> > specify IPv4 addresses and "ip6" is used to specify IPv6 addresses
> > (that's a design decision that was made in 2003, so it is what it is).
> > 
> > The intent of the text was to communicate that if the SPF verification
> > process (which could possibly be running in any internet networking
> > environment you might think of) were presented with an IPv4-mapped IPv6
> > address, the correct way to check if that address is authorized is using
> > the IPv4 part of the address to check against an "ip4" mechanism.
> > 
> > I hope that clarifies the intent.
> 
> Very clear.
> 
> One problem I can think of:
> 
> What is the effect of specifying IPv4-mapped IPv6 addresses in "ip6" SPF
> data? Or through a AAAA DNS record that the SPF "ip6" process looks up?
> If an SPF process that checks an IPv4-mapped IPv6 address uses
> exclusively the "ip4" SPF data, then IPv4-mapped IPv6 addresses in "ip6"
> data would be ignored. I would consider that surprising. For example, I
> would expect an SPF rule producing ::ffff:0.0.0.0/96 to apply to all
> IPv4-mapped IPv6 addresses, but it would simply get ignored.
> 
> Generally you want to treat IPv4-mapped IPv6 addresses like regular,
> opaque IPv6 addresses unless you have good and specific reasons not to
> do so.

My initial thought is you should have put that in an "ip4" mechanism.   Other 
way around (which is the concern that caused the text to be added) if the 
IPv4-mapped addresses are treated as IPv6 addresses, then senders who only 
used IPv4 might have to dual publish any IPv4 addresses in both "ip4" and 
"ip6" mechanisms.  That's bad in many ways.

The goal was to try and cover this case in a way that it was clear that this 
was the receiver's problem to sort out and the sender didn't have to double 
publish, just in case (I've seen people do this).

Suggestions?

Scott K
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
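
Added example, not part of the original message or of any SPF implementation: a receiver-side check in Python that collapses an IPv4-mapped IPv6 client address to its IPv4 part before matching "ip4" mechanisms, with a `normalize=False` switch to show the opaque-IPv6 treatment discussed in the quoted reply. The function names, the sample records and the restriction to the "ip4", "ip6" and "all" terms are assumptions made for illustration.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def normalize_client_ip(text):
    """Collapse an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to its IPv4 part."""
    ip = ipaddress.ip_address(text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def parse_terms(record):
    """Return (qualifier, network) per ip4/ip6/all term; network is None for 'all'."""
    terms = []
    for term in record.split()[1:]:              # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")     # first ':' only, so ip6 values survive
        name = name.lower()
        if name == "all":
            terms.append((qualifier, None))
        elif name in ("ip4", "ip6") and value:
            net = ipaddress.ip_network(value, strict=False)
            if net.version != int(name[2]):
                raise ValueError(f"{name} mechanism holds an IPv{net.version} network")
            terms.append((qualifier, net))
        # Other mechanisms (a, mx, include, ...) need DNS and are out of scope here.
    return terms

def check_ip(record, client_ip, normalize=True):
    """Evaluate terms left to right; the first match decides the result."""
    ip = normalize_client_ip(client_ip) if normalize else ipaddress.ip_address(client_ip)
    for qualifier, net in parse_terms(record):
        if net is None or (net.version == ip.version and ip in net):
            return RESULTS[qualifier]
    return "neutral"                             # no mechanism matched

# Constructed sample data (documentation address ranges).
SENDER_V4_ONLY = "v=spf1 ip4:192.0.2.0/24 -all"
SENDER_MAPPED_IN_IP6 = "v=spf1 ip6:::ffff:192.0.2.0/120 -all"
CLIENT = "::ffff:192.0.2.10"

if __name__ == "__main__":
    for rec in (SENDER_V4_ONLY, SENDER_MAPPED_IN_IP6):
        for norm in (True, False):
            print(f"{rec!r} normalize={norm}: {check_ip(rec, CLIENT, norm)}")
```

With normalization the IPv4-only record passes without dual publishing, and the record that places a mapped range in "ip6" no longer matches, which is the ignored-rule case raised in the quoted reply.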
