
Re: [Asrg] A slightly revised entirely incompatible approach for IPv6 DNSBLs

2010-12-20 17:10:12
On 12/19/10 3:37 PM, John Levine wrote:
> On 12/19/10 1:04 PM, Matthias Leisi wrote:
>> This may be less severe in practice, since a mailserver will have some
>> rate limiting (limited by bandwidth, CPU, I/O etc.).

As with reputation, v6 rate limiting will not be effective. Both rate limiting and reputations will need authenticated server identities instead. IMHO, DKIM is too late in the exchange, where the signer may not have confirmed the intended destination, thus may avoid accountability for undesired messages.

> If you're running a DNSBL or DNSWL, you have to be prepared for all of
> the mail servers in the world to query your DNS servers.  I don't
> think it's a good idea to design something on the assumption that
> spammers will be cooperative.

Without effective caching, it will be difficult to sustain the typical levels of abuse.

> The DNS has the large practical advantage of existing, of being known
> to work, and having firewalls and stuff already configured to allow it
> through.  To the best of my knowledge, hypothetical alternatives are,
> well, hypothetical.

Providing Safe Browsing services is currently proven and available, gets past firewalls, and would work equally well for either v6 or v4.

> I've been giving this further thought and I think I have some reasonable
> update strategies.  Basically, do what B-Trees do to update, and install
> temporary CNAMES when the node names change to limit client breakage.

Avoiding unwanted data in a cache requires cooperation. Even if queries zero the lower 64 bits of the address, the typical v6 offering is for /32s. When a malefactor obtains such a prefix, they could then flood a service with 4 billion different prefixes where each contains 4 billion times 4 billion interfaces.

In addition, v6 addresses might traverse tunnels and gateways of various sorts. Those supporting email will have a difficult time dealing with the flood of v6 addresses within a complex landscape, compared to dealing with domain names.

-Doug
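As an added illustration of the cache-flood arithmetic in the message above (not code from the thread or from any DNSBL operator), the following builds the DNSBL query name for an address at a chosen aggregation prefix and counts how many distinct names one holder of a /32 can generate; the reversed-nibble layout is the usual IPv6 DNSBL convention, and the zone name is a placeholder.

```python
import ipaddress

# Placeholder zone name; a real DNSBL would use its own.
ZONE = "v6.dnsbl.example"


def dnsbl_key(addr: str, granularity: int, zone: str = ZONE) -> str:
    """Query name for `addr` when the DNSBL aggregates on the top
    `granularity` bits: the remaining bits are zeroed and all 32 nibbles
    are emitted in reverse order (the same layout as ip6.arpa)."""
    net = ipaddress.IPv6Network(f"{addr}/{granularity}", strict=False)
    nibbles = net.network_address.exploded.replace(":", "")  # 32 hex digits
    return ".".join(reversed(nibbles)) + "." + zone


def distinct_keys(allocation: int, granularity: int) -> int:
    """How many distinct query names (hence cache entries) a single holder
    of a /allocation prefix can force a DNSBL to see when lookups are
    keyed on /granularity."""
    return 1 << max(granularity - allocation, 0)


def interfaces_per_key(granularity: int) -> int:
    """Addresses that collapse onto one query name at /granularity."""
    return 1 << (128 - granularity)


if __name__ == "__main__":
    # Constructed sample address from the documentation range.
    sample = "2001:db8:1234:5678:abcd::1"
    print(dnsbl_key(sample, 64))
    # Typical /32 allocation, lookups keyed on /64 (low 64 bits zeroed):
    print(distinct_keys(32, 64), "keys from one /32")    # 2**32, "4 billion"
    print(interfaces_per_key(64), "interfaces per key")  # 2**64
    # Keying on the allocation itself leaves the holder a single key:
    print(distinct_keys(32, 32), "key when aggregated on /32")
```

Keying on the allocation size collapses the attacker's key space but means one entry covers the whole allocation, which is the caching-versus-granularity trade-off the thread is circling.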



_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg