[156369] in North American Network Operators' Group
Re: IPv6 Ignorance
daemon@ATHENA.MIT.EDU (Timothy Morizot)
Sun Sep 16 20:26:56 2012
In-Reply-To: <alpine.BSF.2.00.1209161954180.43729@joyce.lan>
Date: Sun, 16 Sep 2012 19:26:22 -0500
From: Timothy Morizot <tmorizot@gmail.com>
To: "John R. Levine" <johnl@iecc.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Sep 16, 2012 6:58 PM, "John R. Levine" <johnl@iecc.com> wrote:
>>>
>>> IPv6 has its problems, but running out of addresses is not one of them.
>>> For those of us worried about abuse management, the problem is the
>>> opposite, even the current tiny sliver of addresses is so huge that
>>> techniques from IPv4 to map who's doing what where don't scale.
>>
>>
>> Well, in IPv4... NAT broke it, because networks implementing 1:many
>> NAT could no longer easily identify what host was responsible for abuse.
>
>
> I realize that's a problem in theory, in practice it's not because it's
still rare to have interestingly different hosts behind a single NAT.
>
>
>> What do you mean by suggesting IPv4 abuse management techniques to map
whose doing what, where do not scale to IPv6's larger address space?
>
>
> Large networks keep separate reputation for every address in the IPv4
address space based on the traffic they send. You can't do that in IPv6,
particularly since hostile bots can easily hop around within a /64, which
is bad news if that /64 also has some legit hosts.
Of course, as soon as CGN (or LSN or NAT444) is added to IPv4 the same
problem exists in practice as well as theory. So old practices will have to
be improved and replaced regardless.
