IPv6 black lists?
Brian E Carpenter
brian.e.carpenter at gmail.com
Tue Mar 9 21:57:57 CET 2010
On 2010-03-10 09:52, John Payne wrote:
> On Mar 9, 2010, at 3:47 PM, Brian E Carpenter wrote:
>
>> But is dnsbl a technique that should be encouraged for IPv6?
>>
>> It's already a blunt weapon for IPv4. As the virbl site notes,
>> for IPv6 the only practical atom is a /64 and that is a *very*
>> blunt weapon indeed. Its potential for false positives is
>> extremely high.
>
> I think that depends on the policies of the dnsbl maintainer and the dnsbl consumer.
>
> I personally wouldn't want to trust anything that shared a layer2 network with a virus laden machine even if it wasn't the same machine... so blocking at /64 is fine by me. Others may disagree.
That makes sense in a small office or home network context. In a large
institutional network it's much less clear.
> In the specific case of dnsbl's I do see /64 as an advantage - the false positives will be much lower than trying to block "same subnet" in IPv4.
In the sense that a /64 is by definition a subnet, that's true.
Brian
>
>
>
>> Brian
>>
>>
>> On 2010-03-10 02:46, Emanuele Balla wrote:
>>> On 3/9/10 2:41 PM, Shane Kerr wrote:
>>>> Hello,
>>>>
>>>> Does anybody know if there are IPv6 DNSBL available?
>>>>
>>>> Thanks,
>>> http://virbl.bit.nl/index.php#ipv6
>>>
>>> Mainly proofs of concept, since rbldnsd does not support ipv6 datasets yet.
>>>
>
>
More information about the ipv6-ops
mailing list