[170220] in North American Network Operators' Group
Re: misunderstanding scale
daemon@ATHENA.MIT.EDU (hslabbert@stargate.ca)
Tue Mar 25 01:53:37 2014
Date: Mon, 24 Mar 2014 22:53:13 -0700
From: hslabbert@stargate.ca
To: nanog@nanog.org
In-Reply-To: <17c4fe20bcf74f80b749d234c9c2df6b@BN1PR04MB250.namprd04.prod.outlook.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
>I don't want to try to even think about SMTP on IPv6. Reputation of email=
=20
>servers as well as the whole thought process of spam control rely on a lis=
t of=20
>IP address.
>
>IPv6 adds an entirely new aspect to it.
Really? It ain't that hard. Who in this list is going to set up generic P=
TRs=20
for all your v6 space? Good luck shoving 2^64 addresses in a zone file, so=
=20
you're doing it programmatically; quick show up of hands for anybody actual=
ly=20
doing generic v6 PTRs? So, we're doing PTRs on an as-needed basis, e.g. ro=
uter=20
interface primary addresses (for traceroute prettiness), mail servers, etc.=
=20
You try sending me email on v6 without a PTR, you're going to have to make =
a=20
pretty damned convincing case for why I should accept mail from you.
If you want to do address-based reputations for v6 similar to v4, my guess =
is=20
that it will start to aggregate to at least the /64 boundary (i.e. if you h=
ave=20
a spambot in your /64, that block starts to get a bad reputation and any ot=
her=20
hosts in that block are less likely to have their mail accepted). So, ther=
e's=20
risk of collateral damage, but no more (and probably less) than the v4=20
equivalent where any hosts sitting NAT'd behind a single IP are blacklisted=
=2E =20
In this v6 equivalent, you could probably even get away with whitelisting a=
=20
single, trusted IP in that /64 while the remainder of the /64 has a bad rep.
If you mean that e.g. you have a spambot that's using SLAAC and so can/will=
=20
bounce around to different GUAs all over the place and so get around=20
blacklisting, I would venture aggregating at the /64 level should take care=
of=20
that; each additional IP within that block that's found to be spamming adds=
=20
another hit to the block's reputation.
IP addresses and sender reputation do form a part of spam identification, b=
ut=20
TBH so far I'm only seeing ways in which GUA helps *improve* the granularit=
y at=20
which those tools can be applied in order to reduce false positives. Grant=
ed,=20
I haven't yet considered IP-based RBLs in v6 extensively, so I'm open to=20
insights on this.
--
Hugo
On 2014-03-25, Alexander Lopez <alex.lopez@opsys.com> wrote:
>
>
>> -----Original Message-----
>> From: Naslund, Steve [mailto:SNaslund@medline.com]
>> Sent: Monday, March 24, 2014 10:48 PM
>> To: Owen DeLong; mark.tinka@seacom.mu
>> Cc: nanog@nanog.org
>> Subject: RE: misunderstanding scale
>>
>> Look at it this way. If I see an attack coming from behind your NAT, I'=
m gonna
>> deny all traffic coming from your NAT block until you assure me you have=
it
>> fixed because I have no way of knowing which host it is coming from. Now
>> your whole network is unreachable. If you have a compromised GUA host I
>> can block only him. Better for both of us, no?
>
>That is assuming that the infected piece does not request another address =
in the /64, and that the person blocking at the target end blocks a /128 in=
stead of the /64.
>
>>
>> How about a single host spamming behind your NAT blocking your entire
>> corporate public network from email services? Anyone ever see that one.
>> Ipv6 GUAs allow us to use fly swatters instead of sledgehammers to deal
>> with that.
>
>I don't want to try to even think about SMTP on IPv6. Reputation of email =
servers as well as the whole thought process of spam control rely on a list=
of IP address.
>
>IPv6 adds an entirely new aspect to it.
>
>>
>> Maybe GUAs will convince (scare) more enterprise users to actually treat=
the
>> internal network as an environment that needs to be secured as well. We
>> can only hope.
>>
>Most enterprise admins, segment their BYOD (wifi) network from the product=
ion network. Some will even use a different WAN ip for the wifi network or =
in the minimum block outbound request to well known services ports.
>
>I generally see where the only outbound connections allowed are http and h=
ttps. All other ports are blocked.
>
>> Steven Naslund
>>
>>
>> >>Bzzzt... But thanks for playing.
>>
>> >>An IPv6 host with a GUA behind a stateful firewall with default deny is
>> every bit as secure as an iPv4 host with an RFC-1918 address behind a NA=
T44
>> gateway.
>
>I can't argue there.....
>
>
>>
>> >>Owen
>>
>>
>
>
