On Jun 17, 2009, at 8:17 AM, Daniel Feenberg wrote:
> On Wed, 17 Jun 2009, Steve Atkins wrote:
>> On Jun 16, 2009, at 4:17 PM, Daniel Feenberg wrote:
>>> Because it would be impossible to maintain a DNSBL for IPV6,
>>
>> I keep hearing people say this, but I've not seen any clear
>> justification for it. It seems to me to be no more difficult to run
>> a blacklist for IPv6 addresses than IPv4 addresses (neither is
>> easy, but the details of the address representation don't seem to
>> make more than minor differences).
>> Can you expand on why you think it's the case, or point me at some
>> discussion of it?
>
> Of course a spammer could reuse an IPV6 address, and then a DNSBL
> could catch subsequent spam from that address. But there isn't any
> need to reuse IPV6 addresses - they are nearly infinite in number,
> each customer is assigned billions by default and there is no real
> need for the spammer to restrict himself to his officially listed
> addresses.

Which is why you'd list the /64 or /48 in most cases. That's not
difficult to do, even with bind, and is easy to manage with any decent
database backend.

> IPV4 DNSBL work, even though they are "listing badness" because IPV4
> address space is finite. That means that "listing badness" isn't
> really different from "listing goodness". But if badness is
> infinite, then listing bad addresses won't be effective.

I don't think that reasoning really holds water, there. IPv6 space is
also finite. There'd need to be minor operational changes to support
it, and there are a couple of naive approaches currently used in IPv4
that would fail dismally in IPv6 without some changes, but nothing
particularly difficult.

If anything, reduction in use of NATs might make some sorts of
blacklist more accurate and effective in IPv6 space than in IPv4.

> Note that my argument that MTAs with only IPV6 won't be established
> is not contradicted by the existence of MTAs with IPV6 and IPV4
> connectivity. Nor does it really depend on the difficulties with
> DNSBLs, although that is an additional obstacle. The major obstacle
> is the limited connectivity that an IPV6 only MTA would have.

Cheers,
Steve
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
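
The /64 and /48 listing approach discussed in the message above, as an added example that is not part of the original thread: a prefix-keyed blocklist store plus the wildcard owner name one listed prefix would need in a DNS zone. The zone name `dnsbl.example`, the class and function names, and the `2001:db8::` sample addresses are assumptions made for illustration; names use nibble-reversed labels, the same layout as `ip6.arpa`.

```python
import ipaddress

ZONE = "dnsbl.example"  # hypothetical zone name, not from the thread


def covering_prefix(addr, prefix_len):
    """Return the IPv6 network of the given length that contains addr."""
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)


def query_name(addr, zone=ZONE):
    """Name a mail server looks up for a connecting IPv6 address (32 nibbles)."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + zone


def wildcard_record(network, zone=ZONE):
    """Owner name of the single wildcard record that covers a listed prefix."""
    if network.prefixlen % 4:
        raise ValueError("prefix must end on a nibble boundary")
    nibbles = network.network_address.exploded.replace(":", "")
    kept = nibbles[: network.prefixlen // 4]
    return "*." + ".".join(reversed(kept)) + "." + zone


class PrefixBlocklist:
    """Stores listed prefixes; every address is reduced to its /64 and /48."""

    def __init__(self, lengths=(64, 48)):
        self.lengths = lengths
        self.listed = set()

    def add(self, cidr):
        net = ipaddress.IPv6Network(cidr, strict=False)
        if net.prefixlen not in self.lengths:
            raise ValueError(f"only /{self.lengths} listings are accepted")
        self.listed.add(net)

    def lookup(self, addr):
        """Return the listed prefix covering addr, or None if not listed."""
        for length in self.lengths:
            net = covering_prefix(addr, length)
            if net in self.listed:
                return net
        return None


if __name__ == "__main__":
    bl = PrefixBlocklist()
    bl.add("2001:db8:1234:5678::/64")  # constructed sample listing
    print(bl.lookup("2001:db8:1234:5678:aaaa:bbbb:cccc:dddd"))
    print(wildcard_record(ipaddress.IPv6Network("2001:db8:1234:5678::/64")))
```

Each lookup costs at most two set probes regardless of how many addresses the sender rotates through inside the listed prefix, which is the point made about per-address listing not being required.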