ietf
[Top] [All Lists]

Re: Sufficient email authentication requirements for IPv6

2013-03-31 03:23:15
On 03/30/2013 11:26 PM, Christian Huitema wrote:
IPv6 makes publishing IP address reputations impractical.  Since IP address 
reputation has been a primary method for identifying abusive sources with IPv4, 
imposing ineffective and flaky > replacement strategies has an effect of 
deterring IPv6 use.

In practice, the /64 prefix of the IPv6 address has very much the same 
"administrative" properties as the /32 value of the IPv4 address. It should be 
fairly straightforward to update a reputation system to manage the /64 prefixes of IPv6. 
This seems somewhat more practical than trying to change the behavior of mail agent if 
their connectivity happens to use IPv6.

That only works insofar as the provider does not follow the standard recommendation to issue a /48. If they do, the abuser has 65k /64s to operate in.

What's needed is a little more intelligence about how the networks which the IPv6 addresses are located are structured. Similar to the way that reputation lists nowadays will black list a whole /24 if 1 or a few addresses within it send spam.

The problems are not insoluble, they're just different, and arguably more complex in v6. It's also likely that in the end more work on reputation lists will provide less benefit than it did in the v4 world. But that's the world we live in now.

Doug