On 12/19/10 3:37 PM, John Levine wrote:
> On 12/19/10 1:04 PM, Matthias Leisi wrote:
>> This may be less severe in practice, since a mailserver will have some
>> rate limiting (limited by bandwidth, CPU, I/O etc).

As with reputation, v6 rate limiting will not be effective. Both rate
limiting and reputations will need authenticated server identities
instead. IMHO, DKIM is too late in the exchange, where the signer may
not have confirmed the intended destination, thus may avoid
accountability for undesired messages.

> If you're running a DNSBL or DNSWL, you have to be prepared for all of
> the mail servers in the world to query your DNS servers. I don't
> think it's a good idea to design something on the assumption that
> spammers will be cooperative.

Without effective caching, it will be difficult to sustain the typical
levels of abuse.

> The DNS has the large practical advantage of existing, of being known
> to work, and having firewalls and stuff already configured to allow it
> through. To the best of my knowledge, hypothetical alternatives are,
> well, hypothetical.

Providing Safe Browsing services is currently proven and available, gets
past firewalls, and would work equally well for either v6 or v4.

> I've been giving this further thought and I think I have some reasonable
> update strategies. Basically, do what B-Trees do to update, and install
> temporary CNAMEs when the node names change to limit client breakage.

Avoiding unwanted data in a cache requires cooperation. Even if queries
zero the lower 64 bits of the address, the typical v6 offering is for
/32s. When a malefactor obtains such a prefix, they could then flood a
service with 4 billion different prefixes where each contains 4 billion
times 4 billion interfaces.

In addition, v6 addresses might traverse tunnels and gateways of various
sorts. Those supporting email will have a difficult time dealing with
the flood of v6 addresses within a complex landscape, compared to
dealing with domain names.
-Doug
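The cache-cardinality point Doug makes above can be checked directly. The following is an added example, not code from the thread or from any DNSBL operator: it builds the nibble-reversed IPv6 lookup name (the RFC 5782 convention) after masking the address to a chosen prefix length, and counts how many distinct lookup names the holder of one allocation can generate under that mask. The zone name `v6.list.example` and the sample address are constructed placeholders.

```python
import ipaddress


def dnsbl_query_name(addr: str, zone: str, mask_len: int = 64) -> str:
    """Return the DNSBL lookup name for an IPv6 address.

    The address is first masked to mask_len bits (the thread proposes
    zeroing the low 64 bits), then written as 32 reversed hex nibbles
    under the list zone, the usual IPv6 DNSBL layout (RFC 5782).
    """
    ip = ipaddress.IPv6Address(addr)
    # strict=False drops host bits instead of raising on a non-network address
    net = ipaddress.IPv6Network((ip, mask_len), strict=False)
    nibbles = net.network_address.exploded.replace(":", "")  # 32 hex digits
    return ".".join(reversed(nibbles)) + "." + zone


def distinct_keys(alloc_len: int, mask_len: int) -> int:
    """Number of distinct lookup names one /alloc_len holder can produce
    when the list masks every query to /mask_len before caching.

    Masking at or above the allocation boundary collapses the whole
    allocation to a single cache entry; below it, each extra bit of
    mask length doubles the keys available to a single prefix holder.
    """
    if mask_len <= alloc_len:
        return 1
    return 1 << (mask_len - alloc_len)


if __name__ == "__main__":
    # Constructed sample: one host inside a /32 allocation.
    sample = "2001:db8:1234:5678:abcd::1"
    print(dnsbl_query_name(sample, "v6.list.example", 64))
    for mask in (32, 48, 64, 128):
        # A /32 holder gets 2**32 keys at /64 masking, as the thread states,
        # and 2**96 if the list does not mask at all.
        print(f"/32 holder, mask /{mask}: {distinct_keys(32, mask)} cache keys")
```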