
Re: [Asrg] What are the IPs that sends mail for a domain?

2009-06-17 21:05:31
> Factors that make managing an IPv6 block-listing service fairly
> impractical go beyond 96 additional address bits.

> 1) Publishing behavior-based address lists requires evidence
> collection in the event of disputes, and this does not scale well.
> (expensive)

I can't see why v6 versus v4 makes any difference at all to this.

> 2) IPv6-to-IPv4 and IPv6-to-IPv6 NATs obfuscate who might be
> involved.  (problematic)

I can't see why this is any worse than the v4-to-v4 NATs the net is
already full of.

> 3) Reverse DNS scanning does not scale well. (slow)

True.  DNSBLs that depend on rDNS scanning may die.  There are plenty
of DNSBLs, including some of the most useful, that do not.

> 4) Diverse and rapidly expanding address space allows bad actors'
> activity to stay ahead of the massive amounts of IP-address-related
> information publishing.  (futile)

I see no real difference here between a v4 list that lists at the /32
level and a v6 list that lists at the /48 (or maybe even /64) level.

> 5) An extremely low cost for IP addresses allows bad actors to
> persist at sporadic use for many years.  (futile)

And this differs from v4...how?

> The collection of evidence is often constrained by the related
> identifier, such as the IP address.  Unfortunately, IPv6 allows a new
> IP address to be used for each message sent.

So, collect evidence at the /64, or even /48, level, rather than at the
individual address level.

Even to the extent that these problems are real, they are theoretical.
It certainly behooves us to think about them ahead of time, but absent
experience demonstrating that they are more than potential, I don't see
them as a reason to give up on v6 DNSBLs without even trying.

> Pushing responsibility to the edge does not work, and email provides
> ample evidence.

It's not that doing that has been tried and found wanting; rather, it
has not been tried.  (Actually, it has been tried in a limited way;
there are pieces of the net that _do_ push responsibility to the end
user.  Oddly enough, they are basically nonexistent as far as abuse
emitters go; what evidence I see indicates that it _does_ work.)

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mouse(_at_)rodents-montreal(_dot_)org
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
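The reply above argues that a v6 list should collect evidence and list at the /64 or /48 level rather than per address, since a sender can rotate through a fresh IPv6 address for every message. The following is an added illustration of that aggregation, not code from the thread or from any DNSBL operator. It uses Python's standard ipaddress module and a constructed set of per-message observations (documentation-range addresses, not real traffic); the spam/ham thresholds and the line format are assumptions made for the example.

```python
import ipaddress

# Constructed sample of per-message observations (not real traffic).
# Each line is "<message-id> <sender IP> <verdict>".  The three
# 2001:db8:1:2::/64 addresses model a sender that uses a new address
# within its /64 for every message it sends.
SAMPLE_OBSERVATIONS = """\
m1 2001:db8:1:2::1 spam
m2 2001:db8:1:2:abcd::2 spam
m3 2001:db8:1:2:ffff:ffff:ffff:ffff spam
m4 2001:db8:1:3::1 ham
m5 2001:db8:9::5 spam
m6 198.51.100.7 spam
m7 198.51.100.7 ham
"""


def listing_key(addr: str, v6_prefixlen: int = 64) -> str:
    """Map an address to the granularity at which evidence is kept:
    the individual host (/32) for IPv4, a /64 (or /48) prefix for IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ipaddress.ip_network(f"{ip}/32"))
    # strict=False zeroes the host bits so every address in the prefix
    # collapses onto the same key.
    return str(ipaddress.ip_network(f"{ip}/{v6_prefixlen}", strict=False))


def aggregate(observations: str, v6_prefixlen: int = 64) -> dict:
    """Tally spam/ham verdicts per listing key, and remember the distinct
    addresses seen under each key (this is the 'evidence' a dispute
    would be answered with)."""
    table = {}
    for line in observations.splitlines():
        if not line.strip():
            continue
        _, addr, verdict = line.split()
        key = listing_key(addr, v6_prefixlen)
        entry = table.setdefault(key, {"spam": 0, "ham": 0, "addresses": set()})
        entry[verdict] += 1
        entry["addresses"].add(addr)
    return table


def candidates(observations: str, v6_prefixlen: int = 64,
               min_spam: int = 2, max_ham_ratio: float = 0.0) -> list:
    """Keys with at least min_spam spam verdicts and no more than
    max_ham_ratio of their traffic judged ham (thresholds are assumed
    values for the example, not any list's real policy)."""
    out = []
    for key, e in aggregate(observations, v6_prefixlen).items():
        total = e["spam"] + e["ham"]
        if e["spam"] >= min_spam and e["ham"] / total <= max_ham_ratio:
            out.append(key)
    return sorted(out)


if __name__ == "__main__":
    for plen in (64, 48):
        print(f"--- IPv6 aggregated at /{plen} ---")
        for key, e in sorted(aggregate(SAMPLE_OBSERVATIONS, plen).items()):
            print(f"{key:28} spam={e['spam']} ham={e['ham']} "
                  f"distinct_addrs={len(e['addresses'])}")
        print("listing candidates:", candidates(SAMPLE_OBSERVATIONS, plen))
```

At /64 the rotating sender's three addresses collapse onto one key with three spam verdicts and no ham, so it is listable even though no single address was ever seen twice. Widening to /48 folds in the neighbouring /64 that only sent ham, which is the trade-off the thread is discussing: coarser keys defeat per-message address rotation, but they also raise the chance of collateral listings unless the policy tolerates some ham under the prefix.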
