[Cryptography] IPv6 and IPSEC

Lucky Green shamrock at cypherpunks.to
Wed Aug 28 15:08:05 EDT 2013


On Wed, Aug 28, 2013 at 01:47:01PM -0400, Phill wrote:
> (This is the last week before school goes back which is stopping me getting to the big iron and my coding platform if folk are wondering where the code is).
> 
> 
> I had a discussion with some IETF types. Should I suggest a BOF in Vancouver? Maybe this is an IRTF effort rather than IETF. One thing that we maybe should face is IPR considerations and move what is becoming a design discussion to a list with an established IPR rubric like Note Well. In the past I have had whole standards efforts collapse because Microsoft or whoever objected to the IPR being possibly contaminated by being discussed in a forum without an IPR regime (though I suspect that was a pretext rather than a reason).
> 
> One question is whether we could make use of IPSEC and/or IPv6. Now I do not for an instant accept that we should make any proposal dependent on deployment of either. However IPv6 does have some very convenient characteristics for traffic analysis hardening. 
> 
> My view has always been that the proper approach to security is to have multiple layers so I would see IPSEC as being an addition to TLS and message layer security.

As of about 10 days ago, Gmail began rejecting incoming IPv6 SMTP traffic from IPv6 addresses for which the forward and reverse DNS do not match.

Since forward and reverse DNS will rarely match for IP addresses used by individuals rather than service providers, this change precludes home users of IPv6 from sending email to Gmail accounts.

So unless you never send email to Gmail users or control both forward and reverse DNS, IPv6 is (no longer) suitable for sending email.

Note that this new restriction imposed by Gmail only applies to IPv6 addresses, not IPv4 addresses. I had to disable IPv6 in postfix to continue to be able to send to Gmail.

Here is the error message:
<user_name_removed at gmail.com>: host gmail-smtp-in.l.google.com[2a00:1450:400c:c05::1b]
    said: 550-5.7.1 [2001:888:2133:0:82:94:251:205      16] Our system has
    detected that 550-5.7.1 this message does not meet IPv6 sending guidelines
    regarding PTR 550-5.7.1 records and authentication. Please review 550 5.7.1
    https://support.google.com/mail/answer/81126 for more information.
    x13si636989wij.49 - gsmtp (in reply to end of DATA command)

Google's support URL in the 550 error contains this gem:

"Additional guidelines for IPv6

The sending IP must have a PTR record (i.e., a reverse DNS of the sending IP) and it should match the IP obtained via the forward DNS resolution of the hostname specified in the PTR record. Otherwise, mail will be marked as spam or possibly rejected."

[The support URL then also talks about recommending SPF or DKIM, but enabling SPF does not stop the 550 errors]

--Lucky, who long ago IPv6-enabled every single system under his control.
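The forward-confirmed reverse DNS check that the 550 text and Google's support page describe, written out as an added example (not code from the list post or from Google). The zone data, hostnames and 2001:db8:: addresses are constructed so it runs offline; a real resolver callable can be passed in place of fake_resolve.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed DNS data for this example (not real records): maps a query
# (owner name, record type) to its answers. Hosts and addresses are made up.
FAKE_ZONE: Dict[Tuple[str, str], List[str]] = {
    # PTR and AAAA agree: this sender passes the check.
    (ipaddress.ip_address("2001:db8::25").reverse_pointer, "PTR"): ["mx.example.net."],
    ("mx.example.net.", "AAAA"): ["2001:db8::25"],
    # PTR names a host that forward-resolves to a different address: fails.
    (ipaddress.ip_address("2001:db8::99").reverse_pointer, "PTR"): ["home.example.org."],
    ("home.example.org.", "AAAA"): ["2001:db8::1"],
    # PTR names a host with no AAAA record at all: fails.
    (ipaddress.ip_address("2001:db8::7").reverse_pointer, "PTR"): ["orphan.example."],
}

Resolver = Callable[[str, str], List[str]]

def fake_resolve(name: str, rtype: str) -> List[str]:
    """Offline stand-in for a DNS resolver; [] means NXDOMAIN or NODATA."""
    return FAKE_ZONE.get((name, rtype), [])

def fcrdns_check(ip: str, resolve: Resolver = fake_resolve) -> Tuple[bool, str]:
    """Forward-confirmed reverse DNS: look up PTR(ip) to get a hostname, then
    require that hostname's address records to contain ip. Returns (ok, reason)."""
    addr = ipaddress.ip_address(ip)
    rtype = "AAAA" if addr.version == 6 else "A"
    # reverse_pointer builds the nibble-reversed ip6.arpa (or in-addr.arpa) name
    ptr_names = resolve(addr.reverse_pointer, "PTR")
    if not ptr_names:
        return False, "no PTR record for %s" % ip
    for host in ptr_names:
        forward = resolve(host, rtype)
        if not forward:
            continue  # PTR points at a name with no address records
        # Compare parsed addresses so zero compression in the text form is irrelevant
        if any(ipaddress.ip_address(a) == addr for a in forward):
            return True, "PTR %s forward-resolves to %s" % (host, ip)
    return False, "PTR name(s) %s do not forward-resolve to %s" % (",".join(ptr_names), ip)

if __name__ == "__main__":
    for sender in ("2001:db8::25", "2001:db8::99", "2001:db8::7", "2001:db8::42"):
        print(sender, fcrdns_check(sender))
```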