[Cryptography] IPv6 and IPSEC

Bill Stewart bill.stewart at pobox.com
Tue Sep 3 21:09:15 EDT 2013


At 01:53 PM 8/29/2013, Taral wrote:
>Oh, wait. I misread the requirement. This is a pretty normal
>requirement -- your reverse DNS has to be valid. So if you are
>3ffe::2, and that reverses to abc.example.com, then abc.example.com
>better resolve to 3ffe::2.

For IPv4, that's a relatively normal way to do things,
though if example.com is commercial,
smtp.example.com might actually be a load-balanced bunch of servers 
in xx.yy.zz.0/24
instead of just one machine, or they might be hidden behind NAT.

But with IPv6 privacy extensions, a single machine might be using
pseudorandomly-generated addresses in a /64 subnet,
so you'd have to do some kind of wildcarding to represent it as a single name.
Also, "residential" vs. "commercial" is a much fuzzier boundary for IPv6;
an IPv6 machine might be a VM tunnelling to Hurricane Electric over IPv4,
or tunnelled from a residence to a DSL ISP that can only do telco DSL at IPv4.
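The forward-confirmed reverse DNS check discussed in this message, as an added example that is not part of the original post. The zone data is a constructed in-memory stand-in for real DNS: `192.0.2.0/24` and `2001:db8:0:1::/64` are documentation ranges standing in for the load-balanced pool and the privacy-extension subnet, and the wildcard PTR is modelled as a network match. All names other than abc.example.com and smtp.example.com are assumptions.

```python
import ipaddress

# Constructed zone data (assumption): stands in for real DNS so the check runs offline.
PTR = {
    ipaddress.ip_address("3ffe::2").reverse_pointer: "abc.example.com",
    ipaddress.ip_address("192.0.2.10").reverse_pointer: "smtp.example.com",
    # A PTR its owner points at someone else's name; forward data will not agree.
    ipaddress.ip_address("192.0.2.99").reverse_pointer: "abc.example.com",
}
# Wildcard PTR for a whole /64 (in a real zone: a "*" label under the /64's ip6.arpa name).
WILDCARD_PTR = {ipaddress.ip_network("2001:db8:0:1::/64"): "host.example.com"}
# Forward records: name -> every A/AAAA address published for it.
FORWARD = {
    "abc.example.com": ["3ffe::2"],
    "smtp.example.com": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],  # load-balanced pool
    "host.example.com": ["2001:db8:0:1::1"],  # only the stable address is published
}

def lookup_ptr(addr):
    """Reverse lookup: exact PTR on the in-addr.arpa/ip6.arpa name, then wildcard."""
    name = PTR.get(addr.reverse_pointer)
    if name is not None:
        return name
    for net, wild_name in WILDCARD_PTR.items():
        if addr.version == net.version and addr in net:
            return wild_name
    return None

def fcrdns(client_ip):
    """Return (confirmed, ptr_name): confirmed only if the PTR name resolves back to client_ip."""
    addr = ipaddress.ip_address(client_ip)
    name = lookup_ptr(addr)
    if name is None:
        return (False, None)
    # Compare parsed addresses, not strings, so "3ffe:0:0::2" equals "3ffe::2".
    forward = {ipaddress.ip_address(a) for a in FORWARD.get(name, [])}
    return (addr in forward, name)

if __name__ == "__main__":
    for ip in ["3ffe::2", "192.0.2.10", "192.0.2.99",
               "2001:db8:0:1::1", "2001:db8:0:1:a1b2:c3d4:e5f6:789a", "198.51.100.7"]:
        print(ip, fcrdns(ip))
```

The temporary address in the /64 gets a name from the wildcard PTR but still fails confirmation, because the forward record lists only the stable address.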


