On 8/26/09 8:48 PM, Chris Lewis wrote:
Steve Atkins wrote:
I see this asserted a lot, but I don't really see much in the way of
plausible arguments to back it up.
If anything, some blacklist techniques are likely to be easier and
more effective on IPv6 than v4 for the obvious NAT / dynamic
assignment reasons.
Frankly, I don't think anything that earth shattering will occur, even
if ipv6 takes over completely.
Undoubtably some techniques will work better, some about the same, and
some won't work worth squat - they'll either evolve to work better, fade
into meaninglessness, or just outright die.
It's not as if it hasn't happened before. See much use of open relay
DNSBLs anymore? Thought not.
Treating /64 (the network of an IPv6 addresses) as having the same
reputation is destine for support issues when exceptions are needed for
various legitimate services.
When establishing an IPv6 block list, once exceptions are made,
retaining evidence for each of these exceptions removes any semblance of
there being an upper limit on the number of IP addresses logged. After
all, bad actors will start wearing large snowshoes in exception ranges.
For IPv6 addresses to become first-class citizens of the email
community, listing those that should be accepted rather those blocked
represents perhaps the only scalable solution while using similar tools.
Using DKIM messages to request inclusion of a new domain can also
assist in validating the servers.
Alternative solutions such as accessing a link returned to the domain
might be used as well. Nevertheless, DKIM should help reduce the
validation steps needed, and could help prioritize and expedite
inclusions requests. Knowing the domain rather than just an IP address
also allows more extensive correlations with prior abuses.
-Doug
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg