IPv6 black lists?

Jeroen Massar jeroen at unfix.org
Wed Mar 10 22:23:15 CET 2010


Brian E Carpenter wrote:
[..]
> Would you want to block 2001:4860:b006::/64 for example,
> just because you saw malware from 2001:4860:b006::68 ?

Absolutely, as the 'block' will only be for SMTP, not for the webhosting
that Google does there, which is what most people see. Outbound SMTP is
also not affected, only inbound. Also note that Google has about 10
different prefixes (/32s and /48s) that might be used for outbound SMTP
(or any other service) thus it won't be so strange if they have their
SMTP boxes spread around and if you accidentally block one prefix you
won't block others.

Also note that those guys & gals (hi, Heather ;) are really good at
cleaning up their networks, generally even pro-active.

And that last point is what it is about: if you get listed as a /128,
well, fine, but if your /64 or even /48 gets listed then you have too
much badness.

There is then of course also always the point of "Golden Networks" where
one will explicitly white list certain prefixes.

As I stated before: Blacklists should primarily be used for scoring, not
for outright blocking; unless of course the list is made for that, most
are not.

Like every tool on this planet: one can use it correctly or use it
incorrectly, the latter though primarily affects one's own network, thus
does it matter to the rest of the world?

Greets,
 Jeroen
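
Added example, not part of the original message: a sketch of using prefix-level listings as a score for inbound SMTP rather than an outright block, with explicitly white-listed "golden" prefixes checked first. All prefixes are constructed from the 2001:db8::/32 documentation range, and the weights, thresholds and function names are assumptions.

```python
import ipaddress

# Constructed sample data (2001:db8::/32 documentation prefix).
# Weights and thresholds are assumptions chosen for illustration.
GOLDEN_NETWORKS = [ipaddress.ip_network("2001:db8:3:25::/64")]
LISTINGS = [
    (ipaddress.ip_network("2001:db8:1:1::68/128"), 2.0),  # single host
    (ipaddress.ip_network("2001:db8:2:2::/64"), 4.0),     # whole subnet
    (ipaddress.ip_network("2001:db8:3::/48"), 6.0),       # whole site
]
TAG_AT, REJECT_AT = 5.0, 10.0


def blacklist_score(client: str) -> float:
    """Score the blacklist contributes for one inbound SMTP client."""
    addr = ipaddress.ip_address(client)
    if any(addr in net for net in GOLDEN_NETWORKS):
        return 0.0  # a white-listed prefix wins over any covering listing
    # A wider listing means more badness was seen, so use the highest match.
    return max((w for net, w in LISTINGS if addr in net), default=0.0)


def inbound_verdict(client: str, other_score: float) -> str:
    """Combine the blacklist score with other filter scores (e.g. content)."""
    total = blacklist_score(client) + other_score
    if total >= REJECT_AT:
        return "reject"
    return "tag" if total >= TAG_AT else "accept"


if __name__ == "__main__":
    samples = [
        ("2001:db8:1:1::68", 1.0),   # listed as a /128 only
        ("2001:db8:1:1::69", 1.0),   # neighbour in the same /64, not listed
        ("2001:db8:3:9::1", 4.5),    # inside a listed /48
        ("2001:db8:3:25::1", 4.5),   # golden /64 inside that listed /48
    ]
    for ip, other in samples:
        print(ip, blacklist_score(ip), inbound_verdict(ip, other))
```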
