IPv6 black lists?

Brian E Carpenter brian.e.carpenter at gmail.com
Wed Mar 10 22:14:52 CET 2010


On 2010-03-10 21:41, Mohacsi Janos wrote:
> 
> 
> 
> On Wed, 10 Mar 2010, Mark Schouten wrote:
> 
>> On Wed, 2010-03-10 at 09:25 +0100, Mohacsi Janos wrote:
>>>
>>>
>>> On Wed, 10 Mar 2010, Brian E Carpenter wrote:
>>>
>>>> But is dnsbl a technique that should be encouraged for IPv6?
>>>>
>>>> It's already a blunt weapon for IPv4. As the virbl site notes,
>>>> for IPv6 the only practical atom is a /64 and that is a *very*
>>>> blunt weapon indeed. Its potential for false positives is
>>>> extremely high.
>>>
>>>
>>> I think dnsbl can be used for IPv6 - no difference in semantics from
>>> IPv4.
>>> The dnsbl filtering on /64 is very dangerous for making blackholes for
>>> legitimate SMTP servers. Consider e.g. a malware-infected desktop PC. Do
>>> you filter e.g. a /24 for IPv4? The same gradual approach should be taken.
>>> If more than a predefined limit (defined clearly by the dnsbl operator) is
>>> reached, then /128 filtering to /64 might be injected. Users of the
>>> particular dnsbl can decide whether the defined approach is acceptable
>>> for them.....
>>
>> No, you don't filter a /24 because a /24 can still be 256 different
>> customers. With IPv6, a /64 is a site-network.
> 
> I think between 64 and 1. The common allocation is /30 or shorter for
> customers.
> 
>> So the chance that many
>> customers reside in this /64 isn't that big. Router-advertisements only
>> work in a /64, so you would be really dumb if you start chopping
>> up /64's to different customers.
> 
> In our case we are providing two types of hosting:
> 
> 1. shared /64  - separate (virtual) machines with some l2 protection
> 2. separate /64
> 
> 
>> Obviously, this is not a 100% solution; we have shared colocation
>> networks that share a /64 so in that case we would have an issue. But
>> the other solution, listing on a /128 is useless and you might just end
>> up in listing 18446744073709551616 ip's per end-user...
> 
> I think no, since the dnsbl operator should operate some limits where
> installs /64 as described in my e-mail.

Yes. An ADSL subscriber with a single /64 might have any number of
hosts - 3 or 4 for a domestic customer, hundreds for a business
customer unwilling to pay extra for a /56 or /48. In the first
case it's absolutely reasonable to assume that one infected PC means
that all the hosts are infected. In the second case that is very
unreasonable, and there's a strong risk of blocking quite legitimate
servers.

Would you want to block 2001:4860:b006::/64 for example,
just because you saw malware from 2001:4860:b006::68 ?

   Brian
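The gradual /128-to-/64 policy Mohacsi describes, as an added illustration that is not from this thread or any real DNSBL operator: individual hosts are listed first, and the covering /64 is only listed once the operator's threshold of distinct reported hosts is reached. Query names use the nibble-reversed form of IPv6 DNSBLs (RFC 5782); the zone name `dnsbl.example` and the threshold value are assumptions.

```python
import ipaddress
from collections import defaultdict


def dnsbl_query_name(addr: str, zone: str = "dnsbl.example") -> str:
    """Build the DNSBL lookup name for an IPv6 address: all 32 nibbles, reversed.
    The zone name is an assumed placeholder, not a real list."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + zone


class Ipv6Blocklist:
    """Operator-side state for a list that escalates from /128 to /64 listings."""

    def __init__(self, escalate_at: int = 3):
        # Number of distinct reported hosts in one /64 before the whole /64 is listed
        # (the "predefined limit" the operator would publish); value is an assumption.
        self.escalate_at = escalate_at
        self.hosts = defaultdict(set)   # /64 network -> set of reported /128 hosts
        self.listed_64 = set()          # /64 networks listed wholesale

    @staticmethod
    def _net64(ip: ipaddress.IPv6Address) -> ipaddress.IPv6Network:
        return ipaddress.IPv6Network((ip, 64), strict=False)

    def report(self, addr: str) -> str:
        """Record an abuse report for one host; return the listing it produced."""
        ip = ipaddress.IPv6Address(addr)
        net64 = self._net64(ip)
        self.hosts[net64].add(ip)
        if len(self.hosts[net64]) >= self.escalate_at:
            self.listed_64.add(net64)   # widen to the site prefix only past the limit
            return str(net64)
        return f"{ip}/128"

    def is_listed(self, addr: str) -> bool:
        """True if the host itself, or its whole /64, is currently listed."""
        ip = ipaddress.IPv6Address(addr)
        net64 = self._net64(ip)
        return net64 in self.listed_64 or ip in self.hosts.get(net64, set())
```

With the threshold set to 1 this collapses to the blunt per-/64 listing the thread warns about; a higher threshold keeps a single infected host from blackholing the business customer's mail server next to it.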

