On 3/29/13 12:58 PM, "John Levine" <johnl(_at_)taugh(_dot_)com> wrote:
>> As a result, it is questionable whether any IPv6 address-based
>> reputation system can be successful (at least those based on voluntary
>> principles.)
>
> It can probably work for whitelisting well behaved senders, give or take
> the DNS cache busting issues of IPv6 per-message lookups.
>
> Since a bad guy can easily hop to a new IP for every message (offering
> interesting new frontiers in listwashing) I agree that it's a losing
> battle for blacklisting, other than blocking large ranges of hostile
> networks.

Agree. The IP blacklisting that worked well for IPv4 is completely
unsuited for IPv6 (I'd go as far as to say it is a complete failure, no
matter whether you look at different-size prefixes or not).
The only model that I personally can see working at the moment for IPv6 is
a mix of domain-based reputation and whitelisting. I like domain-based
better since it is managed by sending domains on a distributed basis.
Mail acceptance for IPv4 worked inclusively - receivers accept unless IP
reputation or other factors failed. IMHO with IPv6 that model may need to
be turned around to an exclusive one - so receivers will not accept mail
unless certain factors are met (like domain-based authentication or the
IPv6 address is on a whitelist). I'd expect MAAWG will continue to be a
good place for mail ops folks to work through this stuff.
- Jason