IPv6 black lists?

John Payne john at sackheads.org
Tue Mar 9 22:01:23 CET 2010


On Mar 9, 2010, at 3:57 PM, Brian E Carpenter wrote:

> On 2010-03-10 09:52, John Payne wrote:
>> On Mar 9, 2010, at 3:47 PM, Brian E Carpenter wrote:
>> 
>>> But is dnsbl a technique that should be encouraged for IPv6?
>>> 
>>> It's already a blunt weapon for IPv4. As the virbl site notes,
>>> for IPv6 the only practical atom is a /64 and that is a *very*
>>> blunt weapon indeed. Its potential for false positives is
>>> extremely high.
>> 
>> I think that depends on the policies of the dnsbl maintainer and the dnsbl consumer.
>> 
>> I personally wouldn't want to trust anything that shared a layer2 network with a virus-laden machine even if it wasn't the same machine... so blocking at /64 is fine by me. Others may disagree.
> 
> That makes sense in a small office or home network context. In a large
> institutional network it's much less clear.

See my first point ;)

> 
>> In the specific case of dnsbls I do see /64 as an advantage - the false positives will be much lower than trying to block "same subnet" in IPv4.
> 
> In the sense that a /64 is by definition a subnet, that's true.
> 
>   Brian
>> 
>> 
>> 
>>>   Brian
>>> 
>>> 
>>> On 2010-03-10 02:46, Emanuele Balla wrote:
>>>> On 3/9/10 2:41 PM, Shane Kerr wrote:
>>>>> Hello,
>>>>> 
>>>>> Does anybody know if there are IPv6 DNSBL available?
>>>>> 
>>>>> Thanks,
>>>> http://virbl.bit.nl/index.php#ipv6
>>>> 
>>>> Mainly proofs of concept, since rbldnsd does not support ipv6 datasets yet.
>>>> 
>> 
>> 
> 
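
The /64 granularity debated in this thread, as an added example that is not part of the original messages: it shows how one infected host listed at /64 also matches every other address in that subnet and nothing outside it. The zone `dnsbl.example` and the `2001:db8::` addresses are constructed, the nibble-reversed name follows the RFC 5782 format, and the 16-nibble prefix key is an illustrative assumption rather than how virbl or rbldnsd work.

```python
import ipaddress

ZONE = "dnsbl.example"  # hypothetical zone name, not a real list


def slash64(addr):
    """Return the /64 network that contains addr."""
    return ipaddress.IPv6Network(f"{addr}/64", strict=False)


def _reversed_nibbles(hex_digits, zone):
    """Join hex digits in reverse order, one DNS label per nibble."""
    return ".".join(reversed(hex_digits)) + "." + zone


def query_name(addr, zone=ZONE):
    """Per-host lookup name: all 32 nibbles reversed (RFC 5782 format)."""
    digits = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return _reversed_nibbles(digits, zone)


def prefix_key(addr, zone=ZONE):
    """Suffix shared by every host in the /64: its 16 network nibbles."""
    digits = slash64(addr).network_address.exploded.replace(":", "")[:16]
    return _reversed_nibbles(digits, zone)


class Slash64Blocklist:
    """Local blocklist whose atom is the /64, as discussed in the thread."""

    def __init__(self):
        self._listed = set()

    def list_host(self, addr):
        # Listing one host lists the whole subnet it lives in.
        self._listed.add(slash64(addr))

    def is_listed(self, addr):
        return slash64(addr) in self._listed


if __name__ == "__main__":
    bl = Slash64Blocklist()
    bl.list_host("2001:db8:1:2::bad")  # constructed infected host
    for host in ("2001:db8:1:2::bad",                    # the listed host
                 "2001:db8:1:2:aaaa:bbbb:cccc:dddd",     # clean neighbour, same /64
                 "2001:db8:1:3::1"):                     # different /64
        print(host, bl.is_listed(host), query_name(host))
```
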




More information about the ipv6-ops mailing list