IPv6 black lists?
marks at bit.nl
Wed Mar 10 09:32:40 CET 2010
On Wed, 2010-03-10 at 09:25 +0100, Mohacsi Janos wrote:
> On Wed, 10 Mar 2010, Brian E Carpenter wrote:
> > But is dnsbl a technique that should be encouraged for IPv6?
> > It's already a blunt weapon for IPv4. As the virbl site notes,
> > for IPv6 the only practical atom is a /64 and that is a *very*
> > blunt weapon indeed. Its potential for false positives is
> > extremely high.
> I think dnsbl can be used for IPv6 - no difference in semantics from IPv4.
> The dnsbl filtering on /64 is very dangerous for making blackholes for
> legitimate SMTP server. Consider e.g. malware infected desktop PC. Do you
> filter e.g. /24 for an IPv4? Same gradual approach should be taken. If more
> than predefined limit (defined clearly by dnsbl operator) reached then
> /128 filtering to /64 might be injected. Users of the particular dnsbl can
> decide whether the defined approach is acceptable for them.....
No, you don't filter a /24 because a /24 can still be 256 different
customers. With IPv6, a /64 is a site-network. So the chance that many
customers reside in this /64 isn't that big. Router-advertisements only
work in a /64, so you would be really dumb if you start chopping
up /64s to different customers.
Obviously, this is not a 100% solution; we have shared colocation
networks that share a /64 so in that case we would have an issue. But
the other solution, listing on a /128 is useless and you might just end
up listing 18446744073709551616 IPs per end-user...
Mark Schouten, Unix/NOC-engineer
BIT BV | info at bit.nl | +31 318 648688 | KvK: 09090351
MS8714-RIPE | B1FD 8E60 A184 F89A 450D A128 049B 1B19 9AD6 17FF
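The gradual approach argued over in this thread, individual /128 listings that are escalated to a /64 once an operator-defined threshold is reached, as an added example that is not part of the original post or of any DNSBL's own code. The nibble-reversed query label format, the zone name dnsbl.example and the sample addresses (documentation prefix 2001:db8::/32) are assumptions; check your list operator's documentation for the real query format.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of /128 listings a DNSBL operator might have accumulated.
# All addresses are from the documentation prefix, not real hosts.
LISTED_HOSTS = [
    "2001:db8:1:2::10", "2001:db8:1:2::11", "2001:db8:1:2::12",
    "2001:db8:1:2::13", "2001:db8:1:2::14",   # five hosts in one /64
    "2001:db8:9:9::1",                          # a lone host elsewhere
]


def site_prefix(addr):
    """Return the /64 containing addr: the practical listing atom for IPv6."""
    return ipaddress.ip_network(f"{addr}/64", strict=False)


def escalate_listings(hosts, threshold):
    """Group /128 listings by /64. A /64 whose distinct-host count reaches
    the operator-defined threshold is listed whole; the rest stay as /128s.
    Returns (sorted /64 strings, sorted /128 strings)."""
    per_site = defaultdict(set)
    for h in hosts:
        per_site[site_prefix(h)].add(ipaddress.ip_address(h))
    blocks, singles = [], []
    for net, members in per_site.items():
        if len(members) >= threshold:
            blocks.append(net)
        else:
            singles.extend(members)
    return [str(n) for n in sorted(blocks)], [str(a) for a in sorted(singles)]


def dnsbl_label(prefix, zone):
    """Nibble-reversed query name for a listed prefix (assumed ip6.arpa-style
    encoding). A /64 yields 16 nibbles, a /128 all 32, so a /64 lookup needs
    one record instead of 2**64 of them."""
    net = ipaddress.ip_network(prefix, strict=False)
    nibbles = net.network_address.exploded.replace(":", "")
    keep = net.prefixlen // 4
    return ".".join(reversed(nibbles[:keep])) + "." + zone


def addresses_covered(prefix):
    """How many addresses a listing of this prefix blackholes."""
    return ipaddress.ip_network(prefix, strict=False).num_addresses


if __name__ == "__main__":
    blocks, singles = escalate_listings(LISTED_HOSTS, threshold=5)
    for b in blocks:
        print(b, dnsbl_label(b, "dnsbl.example"), addresses_covered(b))
    for s in singles:
        print(s, dnsbl_label(s + "/128", "dnsbl.example"))
```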