[Cryptography] IPv6 and IPSEC

Lucky Green shamrock at cypherpunks.to
Tue Sep 3 23:54:17 EDT 2013


On Tue, Sep 03, 2013 at 06:09:15PM -0700, Bill Stewart wrote:
> For IPv4, that's a relatively normal way to do things,
> though if example.com is commercial,
> smtp.example.com might actually be a load-balanced bunch of servers
> in xx.yy.zz.0/24
> instead of just one machine, or they might be hidden behind NAT.
> 
> But with IPv6 privacy extensions, a single machine might be using
> pseudorandomly-generated addresses in a /64 subnet,
> so you'd have to do some kind of wildcarding to represent it as a single name.
> Also, "residential" vs. "commercial" is a much fuzzier boundary for IPv6;
> an IPv6 machine might be a VM tunnelling to Hurricane Electric over IPv4,
> or tunnelled from a residence to a DSL ISP that can only do telco DSL at IPv4.

Friends,
Here is the bottom line. PHB suggested to use IPv6 as part of a local email encryption solution. I observed that as of two weeks ago, I am unable to send emails via IPv6 to Gmail addresses. Actually, it is worse than that. I am unable to send email via IPv6 to any email address hosted by Google, which are far more email addresses in my address book than emails that end in @gmail.com.

In its cryptic explanation of the bounces, Google makes one thing clear: whatever 
reason they have to bounce the email, that reason only applies to IPv6. I believe 
this is wrong.

Trying to determine the reason for the SMTP 5xx error, given the cryptic 
explanation in Google's FAQ, I /believe/ they want the forward and RDNS to match. 
Perhaps I misunderstood the poorly worded explanation.

But this does not change the bottom line: I am no longer able to send email via 
IPv6 to Google SMTP servers. Not from home, where I have a tunnel via my DSL 
provider. Not from my server in the colo, which is in a different continent and 
where I have a full /48.

I can't be the only one with this problem given Google's policy change a couple of 
weeks ago. Over 95% of my traffic used to flow over IPv6. Since the Google policy change, 
0% of my SMTP traffic flows over IPv6. I had no choice but to disable IPv6 in 
postfix.

I have no clue what would make Google happy? Matching forward and RDNS? I can't even get that for IPv4. Not at the colo, not at home. Something else? I do not know what that would be, but I am pretty sure whatever it is I cannot bring about.

If nothing else comes out of this thread, if any reader happens to know somebody at Google, perhaps you can convince them to articulate clearly what DNS properties they demand for IPv6 (but not IPv4) that will cause Gmail to again accept SMTP over IPv6.

The irony here is that I have been using IPv6 for years without any problems. Companies such as Google have paved the way for solid IPv6 support by large providers. Never had any problem. And now Google decides to break IPv6 with no clear explanation why or how to remedy the situation.

Flat out of ideas,
--Lucky
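
Added example, not part of the original message: a forward-confirmed reverse DNS check of the kind the message guesses Google wants (the page does not confirm that this is Google's actual requirement). The zone data, host names and addresses are constructed, using the 2001:db8::/32 documentation prefix; `fcrdns`, `demo` and the lookup helpers are hypothetical names.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR names for ip from the system resolver (real DNS)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def system_addrs(name):
    """A/AAAA addresses for name from the system resolver (real DNS)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except OSError:
        return []
    return [info[4][0] for info in infos]

def fcrdns(ip, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """Return (verdict, detail) for a forward-confirmed reverse DNS check."""
    addr = ipaddress.ip_address(ip)
    names = ptr_lookup(str(addr))
    if not names:
        return "no-ptr", addr.reverse_pointer  # the name that lacks a PTR record
    for name in names:
        for candidate in addr_lookup(name):
            try:
                # Compare parsed addresses, not text: IPv6 has many spellings.
                if ipaddress.ip_address(candidate.split("%")[0]) == addr:
                    return "pass", name
            except ValueError:
                continue
    return "mismatch", ", ".join(names)

# Constructed sample zone data (assumption: not taken from any real zone).
PTR = {"2001:db8::25": ["smtp.example.com"], "2001:db8::26": ["mx2.example.com"]}
FWD = {"smtp.example.com": ["2001:0db8:0000:0000:0000:0000:0000:0025"],
       "mx2.example.com": ["2001:db8::99"]}

def demo(ip):
    return fcrdns(ip, lambda a: PTR.get(a, []), lambda n: FWD.get(n, []))

if __name__ == "__main__":
    for ip in ("2001:db8::25", "2001:db8::26", "2001:db8::1234:5678"):
        print(ip, demo(ip))
```

Calling `fcrdns(ip)` with the default lookups runs the same check against live DNS for a mail server's outbound address. The third sample address stands in for a host address inside a /64 that has no PTR record, the situation the quoted text describes for privacy-extension addresses.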

