
Re: [Asrg] Implementing IPv6 DNSBLs

2010-12-16 17:29:16
On 12/16/10 9:38 AM, Matthias Leisi wrote:
> On Thu, Dec 16, 2010 at 5:12 PM, Ian Eiloart <iane(_at_)sussex(_dot_)ac(_dot_)uk> wrote:
>
>> Given that we already don't accept IPv6 connections, I think this is an
>> opportunity to draw a line in the sand. When we do eventually deploy IPv6,
>> it'll be on much stricter terms than now.
>
> Yes, "default deny, allow from trusted/whitelisted/... sources"
> instead of the current "default accept, deny from blacklisted, plus
> some white/greylisting".

Agreed, but the white-listing should be by authenticated servers and _not_ their IP address. v6 provides significant advantages when moving services. If done right, there would be little effort in renumbering. Dealing with umpteen address-based white-listing services will prove horrific when each service asserts different policies regarding updates and points of contact where timely coordination would be impossible.

Efforts related to the keyassure wg appear headed in the right direction, which might offer a DIY StartTLS solution for SMTP, for example. Reputations could then accrue against certificate holders, rather than addresses. The difference in the scale of acceptance data would likely be in the area of millions to 1 smaller.

-Doug


_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg