On 1/18/11 2:43 PM, Daniel Feenberg wrote:
> IPv6 is mentioned only once, in Section 3.5, and not in a way that
> suggests DNSBLs for IPv6 are appropriate or practical. The document
> covers whitelists as well as blacklists, and it is not unreasonable to
> suppose that a whitelist could exist for IPv6 mail hosts. While I
> might prefer a vigorous denunciation of IPv6 blacklists, there isn't
> anything really objectionable in the draft on this topic.

Daniel,
It is not the number of times that IPv6 has been mentioned in the
draft. It is the number of times an example proves wholly unreasonable
when related to an IPv6 service.
In the rather critical matter, "2.2.1. Listings SHOULD Be Temporary",
this makes a questionable assumption that listing/de-listing churn will
not become damaging whenever expiration is used. Whether one is
talking about v6 prefixes, or interface addresses, bad actors have
access to virtually an endless supply of prefixes and interface
addresses. This means an address may never repeat over a bad actor's life.
Even the expectation that white-listing should be fine for v6 fails to
consider cases where undefined translations may occur using shared
resources. Efforts aimed at codifying use of DNSxBLs would normally be
commendable. At this time, during the transition to IPv6, this draft
only distracts from practical and well-considered methods necessary to
properly defend services operating within the v6 address space.
Implications that DNSxL offers a reasonable service for use with v6 are
instead counterproductive and satisfy no immediate need, especially
when attempts to use DNSxBLs for IPv6 address reputations are likely to
prove damaging and problematic.
-Doug
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg