Thoughts about ipv6 white listing

George Bonser gbonser at seven.com
Sat Dec 4 23:26:57 CET 2010


> You don't know if the client has IPv6-connectivity, you just know the
> client initiates AAAA-queries. There really is a big difference here.

How many such problem children are attempting to connect to me?  I believe that number to be close to or equal to zero.  The reason is because the clients in this case are well known entities.  If it breaks for one, it breaks for tens of thousands of clients on that network and becomes immediately obvious.  In other words, all the clients on that network are going to behave in identical fashion.  I am not going to optimize for a corner case I am never going to see.  The clients either will or will not have v6.  If they do not have v6, they will request an A record.  If they have v6 they will request an AAAA record.  If I were running a web site or something and had people from all sorts of places connecting, then yeah, maybe I would consider white listing.  

This does protect against the one expected case where the client believes it has v6 but actually doesn't (it maybe has a v6 ULA address but the rest of the network doesn't connect to the Internet via v6).



