ietf

Re: Sufficient email authentication requirements for IPv6

2013-04-09 12:17:45

On Apr 8, 2013, at 10:27 PM, joel jaeggli <joelja(_at_)bogus(_dot_)com> wrote:

On 4/8/13 9:18 PM, Douglas Otis wrote:

On Mar 31, 2013, at 1:23 AM, Doug Barton <dougb(_at_)dougbarton(_dot_)us> wrote:

On 03/30/2013 11:26 PM, Christian Huitema wrote:
IPv6 makes publishing IP address reputations impractical.  Since IP 
address reputation has been a primary method for identifying abusive 
sources with IPv4, imposing ineffective and flaky replacement 
strategies has an effect of deterring IPv6 use.

In practice, the /64 prefix of the IPv6 address has very much the same 
"administrative" properties as the /32 value of the IPv4 address. It 
should be fairly straightforward to update a reputation system to manage 
the /64 prefixes of IPv6. This seems somewhat more practical than trying 
to change the behavior of mail agent if their connectivity happens to use 
IPv6.

That only works insofar as the provider does not follow the standard 
recommendation to issue a /48. If they do, the abuser has 65k /64s to 
operate in.

What's needed is a little more intelligence about how the networks which 
the IPv6 addresses are located are structured. Similar to the way that 
reputation lists nowadays will black list a whole /24 if 1 or a few 
addresses within it send spam.

The problems are not insoluble, they're just different, and arguably more 
complex in v6. It's also likely that in the end more work on reputation 
lists will provide less benefit than it did in the v4 world. But that's the 
world we live in now.

Dear Doug,

Why aggregate into groups of 64k prefixes?  After all, this still does not 
offer a practical way to ascertain a granularity that isolates different 
entities at /64 or /48.  It is not possible to ascertain these boundaries 
even at a single prefix.  There are 37k BGP entries offering IPv6 
connectivity.  Why not hold each announcement accountable and make 
consolidated reputation a problem ISPs must handle?  Of course, such an 
approach would carry an inordinate level of support and litigation costs due 
to inadvertent collateral blocking.  Such consolidation would be as 
impractical as would an arbitrary consolidation at /48.

Plenty of people use IP to ASN mappings as part of their input for 
reputation today.

Dear Joel,

Unfortunately, ISPs are bad at responding to email abuse complaints.  There are 
exceptions where reputation needs to be escalated to the ASN, as was the case 
in Brazil which then involved litigation.  You're welcome, but operations at 
that level will not scale and might lead to balkanization.

With respect to IPv6 granularity, there are only ~7k ASNs.  As IPv6 adoption 
increases, this should approach 37k.  In addition, there are more /32 prefixes 
than /48.  Each /32 represents a span greater than the entire IPv4 Internet.  
The network covered by each prefix represents an address span IPv4 squared in 
size.  The sparse nature of abuse and the size of IPv6 prefix space makes 
collecting evidence and distributing detected abuse by IP address or prefix 
both expensive and slow, where any IP address query mechanism is likely to 
result in self-inflicted DDoS. 

If email offered authentication of the sourcing domain or that of a domain 
certificate, then reputation could be fairly applied and easily distributed. 
This ability is essential for IPv6.

Regards,
Douglas Otis
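As an added example, not code from any message in this thread, the following Python script uses only the standard library `ipaddress` module to key constructed sample SMTP connection records by /64, /48 and /32 and shows the trade-off the thread describes: a sender that holds a /48 and moves to a fresh /64 per message never accumulates enough hits under a /64 key to be listed, a /48 key catches it, and a coarser /32 key starts listing unrelated senders. All addresses are documentation-range values constructed for the example, and the sender behaviour is hypothetical.

```python
"""Added example: keying IPv6 sender reputation by prefix length.

Not code from the thread. Illustrates why a /64-keyed reputation table
can be evaded by a sender holding a /48 (65,536 /64s inside it), why a
/48 key concentrates that evidence, and what coarser keys cost in
collateral listings. The log below is constructed for the example.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed SMTP connection records: "<client-ip> <verdict>".
# The hypothetical sender in 2001:db8:1::/48 uses a new /64 per message;
# 2001:db8:2::/48 hosts an ordinary sender that should not be listed.
SAMPLE_LOG = """\
2001:db8:1:0001::10 spam
2001:db8:1:0002::10 spam
2001:db8:1:0003::10 spam
2001:db8:1:0004::10 spam
2001:db8:1:0005::10 spam
2001:db8:1:0006::10 spam
2001:db8:2:0001::25 ham
2001:db8:2:0001::25 ham
"""


def parse_log(text):
    """Return (IPv6Address, verdict) pairs; malformed or IPv4 lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        if addr.version != 6:
            continue
        records.append((addr, parts[1]))
    return records


def prefix_key(addr, plen):
    """Reputation key: the enclosing /plen network in canonical text form."""
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))


def children_per_parent(parent_len, child_len):
    """How many /child_len prefixes fit in one /parent_len (e.g. /48 -> /64)."""
    return 2 ** (child_len - parent_len)


def spam_counts(records, plen):
    """Spam hits accumulated per /plen key."""
    counts = Counter()
    for addr, verdict in records:
        if verdict == "spam":
            counts[prefix_key(addr, plen)] += 1
    return counts


def listed_keys(records, plen, threshold):
    """Keys whose spam count reaches the threshold: what a blocklist would carry."""
    return sorted(k for k, n in spam_counts(records, plen).items() if n >= threshold)


def distinct_children(records, parent_len, child_len):
    """Per /parent_len seen, how many distinct /child_len prefixes it used."""
    seen = defaultdict(set)
    for addr, _ in records:
        seen[prefix_key(addr, parent_len)].add(prefix_key(addr, child_len))
    return {k: len(v) for k, v in seen.items()}


def collateral(records, plen, threshold):
    """Ham senders that share a listed key: the cost of aggregating too coarsely."""
    listed = set(listed_keys(records, plen, threshold))
    return sorted({str(a) for a, v in records
                   if v == "ham" and prefix_key(a, plen) in listed})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("/64s inside one /48:", children_per_parent(48, 64))
    for plen in (64, 48, 32):
        print(f"/{plen} listed: {listed_keys(recs, plen, 3)} "
              f"collateral: {collateral(recs, plen, 3)}")
    print("distinct /64s per /48:", distinct_children(recs, 48, 64))
```

With a listing threshold of three hits, the /64 table lists nothing, the /48 table lists only the abusing prefix, and the /32 table lists the whole allocation and takes the ordinary sender with it; `distinct_children` is the signal a reputation system would need in order to notice that one /48 is spreading its traffic across many /64s.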