ietf-asrg

Re: [Asrg] DNSBL and IPv6

2012-10-25 10:50:19
On 25/10/2012 15:37, Emanuele Balla (aka Skull) wrote:

> For point 1, there will be a limit to this change rate, at least when we
> speak about bots, and it's even been cited here already: a single
> machine can't use too many addresses without saturating its router
> neighbor table.
> Which is a valid esteem for the number of different IPs the
> IPv6-address-change-mechanism will be able to use effectively, then?
> Truth is we don't know for sure...

Hmm - I've heard talk about this problem of saturating the router neighbour table. To be honest, I'm not entirely sure what a 'neighbour table' is... But, why would people have a /64 block if the router can't cope with it?

>> I know this isn't an ideal solution either (one weakness is that it
>> allows you to DDoS an MTA by sending large numbers of messages with
>> an invalid signature), but perhaps it's better than trying to make
>> IP-blacklists work over IPv6? Or perhaps someone can come with a
>> better X now that MTAs can still afford to tell IPv6-senders "do X or
>> retry over IPv4".
> Could be. We just need to find out a good X then

Rather than using DKIM, why not use client certificates keyed off the sender domain? That way you don't need to get the message content.

It would require TLS for all IPv6 MTA-MTA connections, but given that 'old' servers won't support IPv6, and new ones 'should' support TLS, that shouldn't be an insurmountable problem. It would also mean that a sending MTA couldn't send to the same target MTA using the same connection for different sender domains. This wouldn't be a problem for small->moderate sized MTAs.

I suppose it's only the big MTAs (Google et al) who would suffer a bit because of something like this, but then, if it cut down on the spam, they'd probably gain more than they lost.

The problem is that certificates on their own (like DKIM) won't necessarily reduce spam, just spoofing. So, there'd need to be some way of linking reputation to domain, but that would be the same with DKIM.




-

Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
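
The following is an added example, not part of the original message or of any MTA's code: one way a receiving MTA could enforce the "client certificate keyed off the sender domain" idea from the message above, including the consequence that a second sender domain on the same connection is refused. The function names, the reply codes, the exact-match rule and the handling of the null sender are assumptions; the certificate dict is constructed in the shape Python's `ssl.SSLSocket.getpeercert()` returns after chain validation.

```python
# Added example: receiver-side check for "client certificates keyed off the
# sender domain". Function names, reply codes and matching rules are assumptions.

def cert_domains(peercert):
    """dNSName SANs from a dict shaped like ssl.SSLSocket.getpeercert()."""
    sans = (peercert or {}).get("subjectAltName", ())
    return {v.lower().rstrip(".") for k, v in sans if k == "DNS"}

def sender_domain(mail_from):
    """Domain of an envelope sender, or None for the null sender <>."""
    addr = mail_from.strip().strip("<>")
    return addr.rsplit("@", 1)[1].lower().rstrip(".") if "@" in addr else None

def check_mail_from(peercert, mail_from):
    """Reply (code, text) for one MAIL FROM on an already-validated TLS session."""
    if not peercert:  # None or {}: no certificate, or chain not validated
        return 530, "client certificate required"
    domain = sender_domain(mail_from)
    if domain is None:  # assumption: bounces with <> carry no domain to match
        return 550, "no sender domain to match against certificate"
    if domain not in cert_domains(peercert):  # assumption: exact match only
        return 550, f"certificate does not cover {domain}"
    return 250, "OK"

def run_session(peercert, senders):
    """Apply the check to each MAIL FROM sent over one connection."""
    return [check_mail_from(peercert, s)[0] for s in senders]

# Constructed sample certificate, in getpeercert() form, for example.org only.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.org"),),),
    "subjectAltName": (("DNS", "example.org"),),
}

if __name__ == "__main__":
    # The second sender domain on the same connection is refused, so the
    # sending MTA needs a new connection with that domain's certificate.
    print(run_session(SAMPLE_CERT, ["<a@example.org>", "<b@example.net>", "<>"]))
```

As the message notes, a passing check only shows the sender domain is not spoofed; a reputation lookup keyed on that domain would still have to follow.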
