[184324] in North American Network Operators' Group
Re: How to wish you hadn't forced ipv6 adoption (was "How to force
daemon@ATHENA.MIT.EDU (Rob McEwen)
Thu Oct 1 23:58:17 2015
X-Original-To: nanog@nanog.org
To: nanog group <nanog@nanog.org>
From: Rob McEwen <rob@invaluement.com>
Date: Thu, 1 Oct 2015 23:58:12 -0400
In-Reply-To: <20151002034402.1201F39225D0@rock.dv.isc.org>
Errors-To: nanog-bounces@nanog.org
On 10/1/2015 11:44 PM, Mark Andrews wrote:
> IPv6 really isn't much different to IPv4. You use sites /48's
> rather than addresses /32's (which are effectively sites). ISP's
> still need to justify their address space allocations to RIR's so
> their isn't infinite numbers of sites that a spammer can get.
A /48 can be subdivided into 65K subnets. That is 65 *THOUSAND*... not
the 256 IPs that one gets with an IPv4 /24 block. So if a somewhat legit
hoster assigns various /64s to DIFFERENT customers of theirs... that is
a lot of collateral damage that would be caused by listing at the /48
level, should just one customer be a bad-apple spammer, or just one
legit customer have a compromised system one day.
Conversely, if a more blackhat ESP did this, but it was unclear that
this was a blackhat sender until much later.. then LOTS of spam would
get a "free pass" as individual /64s were blacklisted AFTER-THE-FACT,
with the spammy ESP still having LOTS of /64s to spare.. remember, they
started with 65 THOUSAND /64 blocks for that one /48 allocation (Sure,
it would eventually become clear that the whole /48 should be blacklisted).
other gray-hat situations between these two extremes can be even more
frustrating because you then have the same "free passes" that the
blackhat ESP gets... but you can't list the whole /48 without too much
collateral damage.
SUMMARY: So even if you moved into blocking at the /64 level, the
spammers have STILL gained an order of magnitudes advantage over the
IPv4 world.... any way you slice it. And blocking at the /48 level WOULD
cause too much collateral damage if don't indiscriminately.
And this is assuming that individual IPs are NEVER assigned individually
(or in smaller-than-/64-allocations) . (maybe that is a safe assumption?
I don't know? regardless, even if that were a safe assumption, the
spammers STILL have gained a massive advantage)
--
Rob McEwen
+1 478-475-9032
