IPv6 black lists?

[Mark Schouten]

On Wed, 2010-03-10 at 09:25 +0100, Mohacsi Janos wrote:
> 
> 
> On Wed, 10 Mar 2010, Brian E Carpenter wrote:
> 
> > But is dnsbl a technique that should be encouraged for IPv6?
> >
> > It's already a blunt weapon for IPv4. As the virbl site notes,
> > for IPv6 the only practical atom is a /64 and that is a *very*
> > blunt weapon indeed. Its potential for false positives is
> > extremely high.
> 
> 
> I think dnsbl can be used for IPv6 - no difference in semantics from IPv4. 
> The dnsbl filtering on /64 is very dangerous for making blackholes for 
> ligitimate SMTP server. Consider e.g. malware infected desktop PC. Do you 
> filter e.g. /24 for a IPv4? Same gradual approach should be taken. If more 
> than predefined limit (defined clearly by dnsbl operator) reached then 
> /128 filtering to /64 might be injected. Users of the particular dnsbl can 
> decide whether the defined approach is acceptable for them.....

No, you don't filter a /24 because a /24 can still be 256 different
customers. With IPv6, a /64 is a site-network. So the chance that many
customers reside in this /64 isn't that big. Router-advertisements only
work in a /64, so you would be really dumb if you start chopping
up /64's to different customers.
Obviously, this is not a 100% solution; we have shared colocation
networks that share a /64 so in that case we would have an issue. But
the other solution, listing on a /128 is useless and you might just end
up in listing 18446744073709551616 ip's per end-user...

-- 
Mark Schouten, Unix/NOC-engineer
BIT BV      | info at bit.nl | +31 318 648688 | KvK: 09090351
MS8714-RIPE | B1FD 8E60 A184 F89A 450D  A128 049B 1B19 9AD6 17FF
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <https://lists.cluenet.de/pipermail/ipv6-ops/attachments/20100310/25ff1843/attachment.sig>