ietf

Re: Sufficient email authentication requirements for IPv6

2013-03-30 17:45:41
Dear Jason,

On Mar 30, 2013, at 7:57 AM, "Livingood, Jason" 
<Jason_Livingood(_at_)cable(_dot_)comcast(_dot_)com> wrote:

On 3/29/13 12:58 PM, "John Levine" <johnl(_at_)taugh(_dot_)com> wrote:


As a result, it is questionable whether any IPv6 address-based
reputation system can be successful (at least those based on voluntary
principles.)

It can probably work for whitelisting well behaved senders, give or take
the DNS cache busting issues of IPv6 per-message lookups.

Since a bad guy can easily hop to a new IP for every message (offering
interesting new frontiers in listwashing) I agree that it's a losing
battle for blacklisting, other than blocking large ranges of hostile
networks.

Agree. The IP blacklisting that worked well for IPv4 is completely
unsuited for IPv6 (I'd go as far as to say it is a complete failure, no
matter if you look at different size prefixes or not).

Agreed.

The only model that I personally can see working at the moment for IPv6 is
a mix of domain-based reputation and whitelisting. I like domain-based
better since it is managed by sending domains on a distributed basis.

Current domain-based strategies such as SPF offer fragile dependence on return-path
parameters that may incur a large number of transactions to resolve
authorizations.  Use of DKIM must also consider that the signing domain controls
neither actual sources, intended recipients, nor message relaying.

Mail acceptance for IPv4 worked inclusively - receivers accept unless IP
reputation or other factors failed. IMHO with IPv6 that model may need to
be turned around to an exclusive one - so receivers will not accept mail
unless certain factors are met (like domain-based authentication or the
IPv6 address is on a whitelist). I'd expect MAAWG will continue to be a
good place for mail ops folks to work through this stuff.

While SPF offered a fix for DSN back-scatter, neither this scheme nor DKIM
provides a suitable basis for domain reputation.  Neither authorization nor
signed message content provides any direct evidence of abuse accountability.

Permission for this occurs by leaving the future of email primarily in the
hands of those having conflicts of interest.  For example, none of the current
domain-based schemes offer a means to hold those paid to send bulk email
accountable.  Several would even be happy to see IPv6 email require IPv4
providers to relay IPv6 email.

Here is the link that illustrates the serious problem.
http://www.bungi.com/Dom-v6.pdf

And again, I call on the IETF to work on this problem.

Regards,
Douglas Otis
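As an added illustration, not part of the thread or anyone's code in it, the following Python contrasts the inclusive (accept unless blacklisted) and exclusive (accept only on a positive factor) acceptance models Jason describes, and shows why a per-address blacklist loses against a sender that hops through a /64 as John notes. All prefixes, addresses and the authentication verdict are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Policy:
    # Constructed prefix sets for this example; a real receiver would load
    # these from its own whitelist/blacklist sources.
    blacklist: list = field(default_factory=list)
    whitelist: list = field(default_factory=list)

    def inclusive_accept(self, addr: str) -> bool:
        """IPv4-style model: accept unless the source address is blacklisted."""
        ip = ipaddress.ip_address(addr)
        return not any(ip in net for net in self.blacklist)

    def exclusive_accept(self, addr: str, domain_auth_pass: bool) -> bool:
        """Proposed IPv6 model: accept only if the address is whitelisted or a
        domain-based authentication check (SPF/DKIM verdict supplied by the
        caller) has already passed."""
        ip = ipaddress.ip_address(addr)
        return domain_auth_pass or any(ip in net for net in self.whitelist)


def hopping_sender(prefix: str, count: int):
    """Yield a distinct host address inside one prefix for each message,
    modelling a sender that changes its IPv6 address per message (constructed)."""
    net = ipaddress.ip_network(prefix)
    for i in range(1, count + 1):
        yield str(net.network_address + i)


def blocked_fraction(policy: Policy, prefix: str, count: int) -> float:
    """Fraction of the hopping sender's messages the inclusive model rejects."""
    addrs = list(hopping_sender(prefix, count))
    blocked = sum(not policy.inclusive_accept(a) for a in addrs)
    return blocked / count


if __name__ == "__main__":
    # Listing the first observed /128 only catches that one message;
    # listing the whole /64 catches every hop.
    per_host = Policy(blacklist=[ipaddress.ip_network("2001:db8:abcd:1::1/128")])
    per_prefix = Policy(blacklist=[ipaddress.ip_network("2001:db8:abcd:1::/64")])
    print(blocked_fraction(per_host, "2001:db8:abcd:1::/64", 5))    # 0.2
    print(blocked_fraction(per_prefix, "2001:db8:abcd:1::/64", 5))  # 1.0
    wl = Policy(whitelist=[ipaddress.ip_network("2001:db8:1::/48")])
    print(wl.exclusive_accept("2001:db8:1::25", domain_auth_pass=False))   # True
    print(wl.exclusive_accept("2001:db8:abcd:1::7", domain_auth_pass=False))  # False
```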