IPv6 black lists?
mohacsi at niif.hu
Wed Mar 10 09:41:52 CET 2010
On Wed, 10 Mar 2010, Mark Schouten wrote:
> On Wed, 2010-03-10 at 09:25 +0100, Mohacsi Janos wrote:
>> On Wed, 10 Mar 2010, Brian E Carpenter wrote:
>>> But is dnsbl a technique that should be encouraged for IPv6?
>>> It's already a blunt weapon for IPv4. As the virbl site notes,
>>> for IPv6 the only practical atom is a /64 and that is a *very*
>>> blunt weapon indeed. Its potential for false positives is
>>> extremely high.
>> I think dnsbl can be used for IPv6 - no difference in semantics from IPv4.
>> The dnsbl filtering on /64 is very dangerous for making blackholes for
>> legitimate SMTP server. Consider e.g. a malware-infected desktop PC. Do you
>> filter e.g. a /24 for IPv4? The same gradual approach should be taken. If more
>> than a predefined limit (defined clearly by the dnsbl operator) is reached, then
>> /128 filtering to /64 might be injected. Users of the particular dnsbl can
>> decide whether the defined approach is acceptable for them.....
> No, you don't filter a /24 because a /24 can still be 256 different
> customers. With IPv6, a /64 is a site-network.
I think between 64 and 1. The common allocation is /30 or shorter for
> So the chance that many
> customers reside in this /64 isn't that big. Router-advertisements only
> work in a /64, so you would be really dumb if you start chopping
> up /64's to different customers.
In our case we are providing two types of hosting:
1. shared /64 - separate (virtual) machines with some l2 protection
2. separate /64
> Obviously, this is not a 100% solution; we have shared colocation
> networks that share a /64 so in that case we would have an issue. But
> the other solution, listing on a /128 is useless and you might just end
> up in listing 18446744073709551616 ip's per end-user...
I think no, since the dnsbl operator should operate some limits where it
installs /64 listings as described in my e-mail.
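The two mechanisms argued over in this thread, the DNSBL lookup itself and the "gradual" escalation from /128 listings to a /64 listing once a predefined limit is reached, can be made concrete in a few lines. The following is an added illustration, not code from any list member or from any real DNSBL: the zone name `dnsbl.example`, the `GradualListing` class and its `per64_limit` threshold are assumptions for the example. The lookup name construction follows the reversed-nibble convention of RFC 5782 for IPv6 and reversed octets for IPv4, and the escalation policy is the one Mohacsi describes, with the threshold as the knob a list operator would publish so that list users can judge the false-positive risk Brian raised.

```python
import ipaddress
from collections import defaultdict
from typing import Optional

DNSBL_ZONE = "dnsbl.example"  # placeholder zone for the example, not a real list


def dnsbl_query_name(addr: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL lookup name for an IPv4 or IPv6 address.

    IPv4: the four octets reversed. IPv6: all 32 hex nibbles of the
    expanded address reversed, one label per nibble (RFC 5782 convention).
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        nibbles = ip.exploded.replace(":", "")  # 32 hex digits, zero-padded
        labels = list(nibbles)[::-1]
    return ".".join(labels) + "." + zone


class GradualListing:
    """Hypothetical escalation policy for an IPv6 DNSBL.

    Hosts are first listed as /128. Once `per64_limit` distinct /128s inside
    the same /64 have been listed, the whole /64 is listed instead, since
    a /64 is normally one site or one customer network.
    """

    def __init__(self, per64_limit: int):
        self.limit = per64_limit
        self.listed_hosts = defaultdict(set)  # /64 network -> set of /128 addresses
        self.listed_64s = set()

    def _net64(self, ip: ipaddress.IPv6Address) -> ipaddress.IPv6Network:
        return ipaddress.IPv6Network((ip, 64), strict=False)

    def report(self, addr: str) -> str:
        """Record an abusive source; escalate to /64 when the limit is hit."""
        ip = ipaddress.IPv6Address(addr)
        net64 = self._net64(ip)
        if net64 in self.listed_64s:
            return f"{net64} already listed"
        self.listed_hosts[net64].add(ip)
        if len(self.listed_hosts[net64]) >= self.limit:
            self.listed_64s.add(net64)
            return f"escalated to {net64}"
        return f"listed {ip}/128"

    def is_listed(self, addr: str) -> Optional[str]:
        """Return the listing that covers `addr` (/64 or /128), or None."""
        ip = ipaddress.IPv6Address(addr)
        net64 = self._net64(ip)
        if net64 in self.listed_64s:
            return str(net64)
        if ip in self.listed_hosts.get(net64, set()):
            return f"{ip}/128"
        return None


if __name__ == "__main__":
    # Constructed sample: three infected hosts in one documentation /64
    policy = GradualListing(per64_limit=3)
    for host in ("2001:db8:1::a", "2001:db8:1::b", "2001:db8:1::c"):
        print(policy.report(host))
    print(policy.is_listed("2001:db8:1::ffff"))  # covered by the /64 listing
    print(dnsbl_query_name("2001:db8::1"))
```

With `per64_limit=3` the third report inside `2001:db8:1::/64` lists the whole /64, after which every address in that network, including ones never reported, resolves as listed; that is exactly the blunt-weapon effect discussed above, and the threshold is where an operator trades it off against the cost of chasing single /128s.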