ietf-asrg

Re: [Asrg] please review draft-irtf-asrg-bcp-blacklists-07

2011-01-18 19:05:40

On Jan 18, 2011, at 4:53 PM, Daniel Feenberg wrote:

> On Tue, 18 Jan 2011, Douglas Otis wrote:
>
>> On 1/18/11 2:43 PM, Daniel Feenberg wrote:
>>> IPv6 is mentioned only once, in Section 3.5, and not in a way that suggests
>>> DNSBLs for IPv6 are appropriate or practical. The document covers
>>> whitelists as well as blacklists, and it is not unreasonable to suppose
>>> that a whitelist could exist for IPv6 mail hosts. While I might prefer a
>>> vigorous denunciation of IPv6 blacklists, there isn't anything really
>>> objectionable in the draft on this topic.
>> Daniel,
>>
>> It is not the number of times that IPv6 has been mentioned in the draft.  It
>> is the number of times an example proves wholly unreasonable when related to
>> an IPv6 service.
>>
>> In the rather critical matter, "2.2.1.  Listings SHOULD Be Temporary", this
>> makes a questionable assumption that listing/de-listing churn will not
>> become damaging whenever expiration is used.  Whether one is talking about
>> v6 prefixes, or interface addresses, bad actors have access to virtually an
>> endless supply of prefixes and interface addresses.  This means an address
>> may never repeat over a bad actor's life.
>
> I am confused about why 2.2.1 is critical. Whether listings are temporary or
> permanent, an IPv6 DNSBL is totally impractical and probably worthless. I
> believe we agree there.

You both seem to assume that an IPv6 based blacklist would only list /128s. If 
you start from that assumption, you're reaching the right conclusion.

> There are lots of things that can't be successfully distributed over DNS,
> this is only one of them. I might favor singling it out on the grounds that
> there are a few people who want to try it, but I wonder why it is so
> necessary to do so, since circumstances will defeat them soon enough.
>
> Is there a special reason an IPv6 DNSBL which listed spam sources would
> interfere with legitimate traffic? Wouldn't it just get very large without
> actually ever blocking much traffic, legitimate or spam?

No. DNS isn't a good way of distributing blacklist data, for v4 or v6, but
it's not entirely broken.

As an example, an IPv6 blacklist that was distributed via DNS and typically 
listed in units of /48 would block quite a lot of traffic[1] - whether that 
would be primarily spam or primarily legitimate would depend on listing policy.

The blacklist zone itself wouldn't necessarily be any bigger than an equivalent 
v4 zone. Where you might see some bloat would be in caching resolvers, and 
you'd only see it there if a significant fraction of sources of email changed 
their IPv6 address often (where "often" means "several times during the 
blacklist TTL").

Cheers,
  Steve

[1] Assuming there'll be a lot of IPv6 SMTP traffic.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
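The point Steve makes above (a DNS-distributed IPv6 blacklist listed in /48 units is no bigger than a v4 zone; the growth, if any, shows up in caching resolvers and only when senders change /128s several times within the TTL) is easy to see with a small model. The following is an added example, not code from the thread, the draft or any real DNSBL. It assumes the RFC 5782 nibble-reversed query format, a hypothetical zone name `ip6.bl.example`, made-up listed prefixes, and a made-up sender population; `simulate()` counts zone records and resolver cache entries for a given amount of address churn.

```python
"""Toy model of an IPv6 DNSBL that lists /48 prefixes and is queried via DNS.

Constructed example: the zone name, the listed prefixes and the sender
addresses are all made up.  Query names follow the RFC 5782 convention of
reversing all 32 hex nibbles of the address under the list's zone.
"""
import ipaddress

ZONE = "ip6.bl.example"          # hypothetical DNSBL zone
LISTED = "127.0.0.2"             # conventional "listed" A record value


def nibbles(addr: ipaddress.IPv6Address) -> list:
    """128-bit address -> 32 hex nibbles, most significant first."""
    return list(addr.exploded.replace(":", ""))


def query_name(addr) -> str:
    """Name a client looks up for one /128: all 32 nibbles reversed + zone."""
    a = ipaddress.IPv6Address(addr)
    return ".".join(reversed(nibbles(a))) + "." + ZONE


def prefix_owner_name(prefix) -> str:
    """Zone owner name covering a whole /48: the 12 leading nibbles reversed,
    under a wildcard label so every /128 beneath the prefix matches it."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 48:
        raise ValueError("this model lists /48 units only")
    first12 = nibbles(net.network_address)[:12]
    return "*." + ".".join(reversed(first12)) + "." + ZONE


def build_zone(prefixes) -> dict:
    """One wildcard record per listed /48, regardless of how many /128s exist."""
    return {prefix_owner_name(p): LISTED for p in prefixes}


def lookup(zone: dict, qname: str):
    """Authoritative answer: a wildcard owner '*.X' matches any qname '...X'."""
    for owner, rdata in zone.items():
        if qname.endswith(owner[1:]):      # strip the leading '*'
            return rdata
    return None                            # NXDOMAIN: not listed


def simulate(zone: dict, senders, changes_per_sender: int) -> dict:
    """Model a caching resolver during one blacklist TTL.

    senders: /48 prefixes the (constructed) sending hosts live in.  Each host
    queries for each /128 it uses; every address change inside the TTL
    produces a new query name and therefore a new cache entry, while the
    zone itself never changes size."""
    cache = {}
    hits = 0
    for i, sender_net in enumerate(senders):
        net = ipaddress.IPv6Network(sender_net)
        for k in range(changes_per_sender + 1):
            addr = net[i * 1000 + k + 1]   # made-up interface address
            q = query_name(addr)
            if q in cache:
                hits += 1
            else:
                cache[q] = lookup(zone, q)
    return {"zone_records": len(zone), "cache_entries": len(cache),
            "cache_hits": hits}


if __name__ == "__main__":
    zone = build_zone(["2001:db8:1::/48", "2001:db8:bad::/48"])
    senders = ["2001:db8:1::/48", "2001:db8:2::/48", "2001:db8:bad::/48"]
    for churn in (0, 5, 50):
        print(churn, simulate(zone, senders, churn))
```

With zero churn the cache holds one entry per sender; with 50 address changes inside the TTL it holds 51 per sender, while the zone stays at two records in every run. The wildcard matching here is deliberately simplified (a real wildcard matches one or more labels, and CNAME chains, negative caching and TTL expiry are left out), but the size relationship is the one under discussion.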
