IPv6 black lists?

Gert Doering gert at space.net
Thu Mar 11 09:16:21 CET 2010


Hi,

On Wed, Mar 10, 2010 at 11:11:02PM +0000, Benedikt Stockebrand wrote:
> Hi Gert and list,
> 
> Gert Doering <gert at space.net> writes:
> 
> >> that's still too simple: If you are a hoster, then a single hijacked
> >> machine from a single customer will have all your other customers
> >> quickly blacklisted as well.
> >
> > No, why?  If the customer spams from a single address, that address
> > gets blocked.  If the customer cycles through his /64, that /64 will
> > get blocked.
> 
> that's the point: In doing so you block all other customers in that
> subnet as well.

There are no other customers in the same /64 subnet.

Please repeat.

There are no other customers in the same /64 subnet.

> And keep in mind that with the RFC 3041 privacy extensions enabled by
> default on post-XP Windows boxes, the majority of them *will* cycle
> through the /64 anyway.

This is the point: if they cycle through multiple addresses, block the
subnet.  So don't put other customers in the same subnet.

> > If you put multiple customers in the same /64, and one of them can
> > use addresses out of that /64 at random, your setup is broken, and you
> > deserve all the pain you can get.
> 
> Tell that to people in the low cost end user hosting business.  With
> business customers you are right, because they tend to be willing to
> pay a bit more for reliable service at least to some degree, but end
> users frequently think quite differently.

What's so hard to understand about "... deserve all the pain you can get"?

Companies like Strato that have multiple customers in the same /64
*have filters in place* to make sure that every customer will only 
use the set of addresses assigned to his server, and nothing else.

This model of deployment is more complicated than "just slap a /64 on
it, and every customer can run abuse from whatever address he wants to
pick" - but it's the only way to be able to do any sort of abuse handling,
not only SPAM.

How are you going to trace back hacked machines etc. if you can't reliably
associate a given IPv6 address with a given server?  And if you can't
do that, you shouldn't run an ISP.

Gert Doering
        -- NetMaster
-- 
Total number of prefixes smaller than registry allocations:  144438

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
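The listing policy Gert argues for above (list a single offending address, escalate to the whole /64 once a sender cycles through it), as an added example that is not part of the thread; the escalation threshold of three distinct addresses and the sample source list are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of spam-source addresses as a reputation feed might
# collect them (not real data): one sender cycling through RFC 3041
# privacy addresses inside its /64, one fixed sender elsewhere.
SAMPLE_SPAM_SOURCES = [
    "2001:db8:1:1::1",
    "2001:db8:1:1:a1b2:c3d4:e5f6:1",     # same /64 as above
    "2001:db8:1:1:bad:beef:1234:5678",   # same /64 again
    "2001:db8:2:2::5",
    "2001:db8:2:2::5",                   # repeat of one single address
]

# Assumed threshold: distinct addresses seen in one /64 before the /64 is listed.
ESCALATE_AFTER = 3


def build_blocklist(sources, escalate_after=ESCALATE_AFTER):
    """Return (listed_addresses, listed_subnets).

    A lone offending address is listed as a /128.  Once `escalate_after`
    distinct addresses have been seen inside the same /64, the whole /64 is
    listed instead and its /128 entries are dropped, on the thread's premise
    that a /64 belongs to exactly one customer."""
    per_subnet = defaultdict(set)
    for src in sources:
        addr = ipaddress.IPv6Address(src)
        # strict=False masks the host bits so the key is the bare /64
        subnet = ipaddress.IPv6Network((addr, 64), strict=False)
        per_subnet[subnet].add(addr)
    listed_addresses, listed_subnets = set(), set()
    for subnet, addrs in per_subnet.items():
        if len(addrs) >= escalate_after:
            listed_subnets.add(subnet)
        else:
            listed_addresses.update(addrs)
    return listed_addresses, listed_subnets


def blocklist_entries(sources, escalate_after=ESCALATE_AFTER):
    """Flatten the blocklist to sorted CIDR strings, /128s first."""
    addrs, nets = build_blocklist(sources, escalate_after)
    return sorted(f"{a}/128" for a in addrs) + sorted(str(n) for n in nets)


def is_listed(ip, sources, escalate_after=ESCALATE_AFTER):
    """True if `ip` is covered by a /128 or /64 entry derived from `sources`."""
    addrs, nets = build_blocklist(sources, escalate_after)
    addr = ipaddress.IPv6Address(ip)
    return addr in addrs or any(addr in net for net in nets)
```

A sender's neighbour in a different /64 is never affected, which is exactly why the thread insists on one customer per /64.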