On 12/9/10 9:00 PM, John Levine wrote:
> If we can't fit stuff into the existing non-DNSSEC DNS, the next
> question is to compare the benefits of inventing and implementing a
> special-purpose hack, rather than adjusting our servers and clients
> to take advantage of existing DNSSEC facilities.
IPv6 represents an incomprehensibly large space. Just the global and
subnet portion of v6 assigned to an individual ISP might span the entire
v4 space. The lower 64 bits, the v6 interface, is not likely assigned
linearly, so CIDRs within v6 interfaces will be of little value. The
size of the v6 interface represents the v4 space times the v4 space, or
v4^2 for 1.8 x 10^19 possible hosts on 7.2 x 10^16 networks. Divided
evenly, this could allow every person on the planet to control 14
million networks, so why be frugal?
There will be any number of tunnels joining v6 elements. Traversing
reverse DNS as a service is not practical for v6 interface space. It is
also rather dubious to suggest services that source the entire v6 abuse
space. 15k RPM SAS drives are able to hold ~600 GB of data with an
average 2 ms latency. At only one bit per address, this maps only 4.8 x
10^12 elements. To linearly map just the global and subnet v6 space,
which is smaller than just one v6 interface, 15,000 of these drives
would be needed.
It is ridiculous to suggest RBLs would be able to map out even one v6
interface. By excluding the v6 interface space, granularity becomes
much less of a concern. This suggests every MTA should have its own
network, since it will likely suffer the fate of the entire v6
interface, with possible exceptions granted by white-lists.
-Doug
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
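The granularity argument above (list networks, never individual interface addresses) is what the IPv6 DNSBL nibble convention of RFC 5782 already supports: a client queries all 32 reversed hex nibbles of the sender address, and the operator lists an entire prefix with one wildcard record at the matching label depth. The example below is added here and is not code from the thread or any RBL operator; the zone name `v6bl.example` and the sender addresses (2001:db8::/32 documentation space) are constructed, and the `listed()` function only simulates the wildcard match a resolver would perform. The last helper reproduces the drive-count arithmetic from the post for a one-bit-per-address bitmap.

```python
"""IPv6 DNSBL listing at prefix granularity (RFC 5782 nibble form).

Added illustration for the ASRG discussion; not code from the thread.
Zone and addresses are constructed sample values.
"""
import ipaddress
from typing import Iterable

ZONE = "v6bl.example"          # constructed DNSBL zone name
DRIVE_BYTES = 600 * 10**9      # the ~600 GB SAS drive cited in the post


def reversed_nibbles(addr: str, bits: int = 128) -> str:
    """Return the first `bits` bits of an IPv6 address as dot-separated
    reversed hex nibbles, the label form IPv6 DNSBLs use (RFC 5782 s.2.4)."""
    if bits % 4 or not 0 < bits <= 128:
        raise ValueError("bits must be a multiple of 4 in 4..128")
    ip = ipaddress.IPv6Address(addr)
    nibbles = format(int(ip), "032x")[: bits // 4]
    return ".".join(reversed(nibbles))


def query_name(addr: str, zone: str = ZONE) -> str:
    """Name an MTA queries: all 32 nibbles reversed, under the zone."""
    return f"{reversed_nibbles(addr)}.{zone}"


def listing_name(network: str, zone: str = ZONE) -> str:
    """Record the operator publishes to list a whole prefix.

    A /64 becomes one wildcard '*.<16 nibbles>.zone' record, so the
    2^64 interface identifiers underneath never have to be enumerated.
    A /128 is published as an exact name."""
    net = ipaddress.IPv6Network(network, strict=True)
    labels = reversed_nibbles(str(net.network_address), net.prefixlen)
    if net.prefixlen == 128:
        return f"{labels}.{zone}"
    return f"*.{labels}.{zone}"


def listed(addr: str, listings: Iterable[str], zone: str = ZONE) -> bool:
    """Simulated resolver side: does the full query name fall under any
    published record? A wildcard matches when the query ends with the
    listing's labels (leading '.' keeps the match on a label boundary)."""
    q = query_name(addr, zone)
    for rec in listings:
        if rec.startswith("*."):
            if q.endswith(rec[1:]):
                return True
        elif q == rec:
            return True
    return False


def drives_for_bitmap(entries: float, drive_bytes: int = DRIVE_BYTES) -> float:
    """Drives needed for a one-bit-per-address bitmap of `entries` addresses
    (the post's figure: 7.2e16 networks / 4.8e12 bits per drive = 15,000)."""
    return entries / (drive_bytes * 8)


if __name__ == "__main__":
    # Constructed sample: one listed /64 and a sender inside / outside it.
    zone_records = {listing_name("2001:db8:1234:5678::/64")}
    for sender in ("2001:db8:1234:5678:9abc:def0:1122:3344",
                   "2001:db8:1234:5679::1"):
        print(query_name(sender), "->", listed(sender, zone_records))
    print("drives for a 7.2e16-entry bitmap:", drives_for_bitmap(7.2e16))
    print("drives for one full /64 bitmap:", drives_for_bitmap(2 ** 64))
```

The point the simulation makes concrete: one wildcard record covers every host an abusive sender could rotate through inside its /64, which is why listing (and, on the MTA side, allowlisting) at network granularity is the only workable unit for v6; `drives_for_bitmap(2 ** 64)` shows the per-host alternative is several million drives even for a single interface space.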