On Jan 18, 2011, at 4:53 PM, Daniel Feenberg wrote:
On Tue, 18 Jan 2011, Douglas Otis wrote:
On 1/18/11 2:43 PM, Daniel Feenberg wrote:
IPv6 is mentioned only once, in Section 3.5, and not in a way that suggests
DNSBLs for IPv6 are appropriate or practical. The document covers
whitelists as well as blacklists, and it is not unreasonable to suppose
that a whitelist could exist for IPv6 mail hosts. While I might prefer a
vigourous denunciation of IPv6 blacklists, there isn't anything really
objectionable in the draft on this topic.
Daniel,
It is not the number of times that IPv6 has been mentioned in the draft. It
is the number of times an example proves wholly unreasonable when related to
an IPv6 service.
In the rather critical matter, "2.2.1. Listings SHOULD Be Temporary", this
makes a questionable assumption that listing/de-listing churn will not
become damaging whenever expiration is used. Whether one is talking about
v6 prefixes, or interface addresses, bad actors have access to virtually an
endless supply of prefixes and interface addresses. This means an address
may never repeat over a bad actor's life.
I am confused about why 2.2.1 is critical. Whether listings are temporary or
permanent, an IPv6 DNSBL is totally impractical and probably worthless. I
believe we agree there.
You both seem to assume that an IPv6 based blacklist would only list /128s. If
you start from that assumption, you're reaching the right conclusion.
There are lots of things that can't be successfully distributed over DNS,
this is only one of them. I might favor singling it out on the grounds that
there are a few people who want to try it, but I wonder why it is so
necessary to do so, since circumstances will defeat them soon enough.
Is there a special reason an IPv6 DNSBL which listed spam sources would
interfere with legitimate traffic? Wouldn't it just get very large without
actually ever blocking much traffic, legitimate or spam?
No. DNS isn't a good way of distributing blacklist data, for v4 or v6, but
it's not entirely broken.
As an example, an IPv6 blacklist that was distributed via DNS and typically
listed in units of /48 would block quite a lot of traffic[1] - whether that
would be primarily spam or primarily legitimate would depend on listing policy.
The blacklist zone itself wouldn't necessarily be any bigger than an equivalent
v4 zone. Where you might see some bloat would be in caching resolvers, and
you'd only see it there if a significant fraction of sources of email changed
their IPv6 address often (where "often" means "several times during the
blacklist TTL").
Cheers,
Steve
[1] Assuming there'll be a lot of IPv6 SMTP traffic.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg