On 12/14/10 11:32 AM, John Levine wrote:
>> v6 white-listing takes renumbering to a horrific place and might
>> work only during an initial transition where the number of v6-only
>> sources is few. Over a period of a few years, these numbers are
>> likely to explode into millions.
> Why? The estimates I've seen say that there are about 100,000
> legitimate mail emitters. I do agree that there is not an obvious
> way to use the DNS to find 100,000 addresses within the v6 address
> space without blowing away DNS caches.
Our estimates are considerably higher, where smaller entities are
considered legitimate sources. These sources do not need rDNS entries,
but exchange valid messages from consistently identifiable sources, and
not necessarily just exchanges with large ESPs. A more liberal criterion
increases the overall legitimate sources significantly.
This should not be a surprise, since nearly every Unix includes MTA
services that can be applied in SOHO environments having static
addresses. v6 makes obtaining a static address easy.
The dnswl.org subscription service claims services for 50,000
organizations, but then only lists 100,000 valid sources. The Spamhaus
whitelist is another fee-based service that excludes non-DKIM and
non-transactional sources. Neither appears to have the goal of including
_all_ possible sources of legitimate email, where overall numbers are
much, much higher. Email vetting should not be limited to just bulk
senders. :^(
>> Why not offer v6 to v4 tunneling where there is truly zero
>> tolerance for unsolicited commercial email?
> I still don't see any practical reason to exchange mail over v6.
> Even assuming all the consumer ISPs move their customers to v6,
> those customers will be talking to MTAs or web mail over v6, which
> can then use v4 to talk to other MTAs. Given the small number of
> legit mail sources, I find it hard to believe that the cost of
> finding some v4 address space would be an insurmountable problem for
> anyone whose mail I wanted to receive.
In your view, v6 must tunnel to v4 to exchange email. This suggests a
need for translation services to deal with those not prepared for v6. :^)
How would one vet email sources over v6 from other geographic regions?
After all, malefactors can originate from virtually infinite numbers of
v6 addresses. Why should providers refuse legitimate sources of email
that authenticate their domain? Why should one expect v6 DNSRBL to be
practical?
-Doug
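The thread's two technical claims, that per-address v6 lookups would blow away DNS caches and that a v6 DNSRBL is impractical, can be made concrete with a small illustration. The following is an added example, not code from the thread or from any of the list operators mentioned; it assumes a hypothetical list zone `bl.example` and uses constructed addresses from the documentation ranges. It builds the reversed-label query name a DNSBL or DNSWL client would ask for (four labels for v4, 32 nibble labels for v6) and shows how keying reputation on the sender's /64 prefix instead of the full /128 bounds the number of distinct cache entries a single host hopping across its prefix can create.

```python
import ipaddress

# Hypothetical list zone; real zones are operator-specific (assumption).
LIST_ZONE = "bl.example"


def dnsbl_query_name(addr: str, zone: str = LIST_ZONE) -> str:
    """Return the reversed-label DNSBL query name for an IP address.

    v4 reverses the four dotted octets; v6 reverses all 32 hex nibbles,
    one label each, the same layout ip6.arpa uses for reverse DNS.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        labels = ip.exploded.split(".")[::-1]
    else:
        nibbles = ip.exploded.replace(":", "")  # 32 hex characters
        labels = list(reversed(nibbles))
    return ".".join(labels) + "." + zone


def per_address_key(addr: str) -> str:
    """Reputation key at full address granularity (/32 or /128)."""
    return str(ipaddress.ip_address(addr))


def aggregate_key(addr: str, v6_prefixlen: int = 64) -> str:
    """Reputation key that collapses a v6 address to its /64 prefix.

    v4 addresses are left at full granularity; a v6 host that moves
    within its assigned /64 keeps the same key, so the cache sees one
    entry rather than one per address.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ip)
    net = ipaddress.ip_network((str(ip), v6_prefixlen), strict=False)
    return str(net)


def distinct_keys(addrs, key_fn) -> int:
    """Count how many distinct lookup keys a set of senders produces."""
    return len({key_fn(a) for a in addrs})


# Constructed sample: one v4 sender plus one v6 host rotating through
# five addresses inside a single documentation /64.
SAMPLE_SENDERS = [
    "192.0.2.10",
    "2001:db8:0:1::5",
    "2001:db8:0:1::6",
    "2001:db8:0:1:abcd::1",
    "2001:db8:0:1:0:0:0:9",
    "2001:db8:0:1:ffff:ffff:ffff:ffff",
]


def compare_granularity(addrs=SAMPLE_SENDERS):
    """Return (per-address key count, per-/64 key count) for the sample."""
    return (distinct_keys(addrs, per_address_key),
            distinct_keys(addrs, aggregate_key))


if __name__ == "__main__":
    for a in SAMPLE_SENDERS:
        print(f"{a:35} -> {dnsbl_query_name(a)}")
    full, agg = compare_granularity()
    print(f"distinct cache keys: per-address={full}, per-/64={agg}")
```

The reversed v6 name is 32 labels deep, and every distinct /128 a sender uses becomes a separate negative-cache entry on the resolver; aggregating to the /64 that a provider actually delegates is one way to keep the working set of keys comparable to the v4 case.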
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg