[184395] in North American Network Operators' Group
Re: How to wish you hadn't forced ipv6 adoption (was "How to force
daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri Oct 2 14:32:19 2015
From: Owen DeLong <owen@delong.com>
In-Reply-To: <560E00D4.7090400@invaluement.com>
Date: Fri, 2 Oct 2015 11:31:02 -0700
To: Rob McEwen <rob@invaluement.com>
Cc: nanog group <nanog@nanog.org>
> On Oct 1, 2015, at 20:58 , Rob McEwen <rob@invaluement.com> wrote:
>
> On 10/1/2015 11:44 PM, Mark Andrews wrote:
>> IPv6 really isn't much different to IPv4. You use sites /48's
>> rather than addresses /32's (which are effectively sites). ISPs
>> still need to justify their address space allocations to RIRs so
>> there isn't an infinite number of sites that a spammer can get.
>
> A /48 can be subdivided into 65K subnets. That is 65 *THOUSAND*... not the 256 IPs that one gets with an IPv4 /24 block. So if a somewhat legit hoster assigns various /64s to DIFFERENT customers of theirs... that is a lot of collateral damage that would be caused by listing at the /48 level, should just one customer be a bad-apple spammer, or just one legit customer have a compromised system one day.
>
> Conversely, if a more blackhat ESP did this, but it was unclear that this was a blackhat sender until much later.. then LOTS of spam would get a "free pass" as individual /64s were blacklisted AFTER-THE-FACT, with the spammy ESP still having LOTS of /64s to spare.. remember, they started with 65 THOUSAND /64 blocks for that one /48 allocation (Sure, it would eventually become clear that the whole /48 should be blacklisted).
It seems to me that treating this as a binary all-or-nothing approach isn't particularly useful.

What about a system where each /48 and each /32 maintained a "content score".

Treat /64s as you currently treat /32s (or even /24s) in IPv4.

For every hour that elapsed without sending spam, the score would decrement by one.

For each unblocked spam transmitted from within the block, the score would increment by one. (IOW, new spam from an already blocked /64 won't increment the counter).

If the score for a /48 reaches 16, block the /48 and put the /48 into the block timer mode.

If the score for a /32 reaches 64, block the /32 and put the /32 into the block timer mode.

Block timer mode: In block timer mode, look for 24 consecutive hours with an allowable outbound spam send rate, then unblock.

Allowable outbound spam rate could be anything >0 and would probably require some tuning. For a /32, I'd say up to 256 messages per day or maybe even 1024 is probably within reason. For a /48, probably more like 16/day.
> other gray-hat situations between these two extremes can be even more frustrating because you then have the same "free passes" that the blackhat ESP gets... but you can't list the whole /48 without too much collateral damage.
In the proposal above, to achieve a score of 16, you have to have 16 different /64s from within your /48 sending bad stuff. Sure, you get a little bit of a free pass until the spammer cycles through 16 blocks of addresses, but not much because each of those blocks gets shut down fairly quickly. If a site has 16 independent /64s compromised or spamming, then the collateral damage really isn't that heavy and for legitimate sites it should serve as reasonable motivation to clean things up. For the spammers, they're going to need a new /48 pretty quickly and that's going to be hard to explain to their service provider. Especially since that new /48 won't last long, either.

For the /32, yes, we're talking about lots of collateral damage. Maybe 64 is too low of a threshold, maybe it should be 256 or even higher, but this can be tuned. The point is shut down the individual nets quickly at the /64 level to minimize collateral damage, but when "enough" /64s within a block are shown to be offensive, consider the entire block offensive and move on.
> SUMMARY: So even if you moved into blocking at the /64 level, the spammers have STILL gained an order of magnitude's advantage over the IPv4 world.... any way you slice it. And blocking at the /48 level WOULD cause too much collateral damage if done indiscriminately.
I'm not convinced of this. A /48 should be a single end-site. As such, any ISP that suffers significant collateral damage from having /48s blocked isn't allocating addresses according to best operating practices. They can easily fix this. Every RIR allows end-site assignments at /48 with no questions asked.
> And this is assuming that individual IPs are NEVER assigned individually (or in smaller-than-/64-allocations). (maybe that is a safe assumption? I don't know? regardless, even if that were a safe assumption, the spammers STILL have gained a massive advantage)

It's not a completely safe assumption, but it's safe enough.
Owen
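The scoring scheme Owen sketches above (list /64s outright, score each enclosing /48 and /32, decay one point per quiet hour, block at 16 and 64, then unblock after 24 hours under an allowable rate), written out as an added example. This is illustration code written for this page, not code from the post or from any list participant. The thresholds and the 16/day and 256/day allowances are the numbers from the post; everything else is an assumption: a /64 is listed on its first observed spam (which is what makes "16 different /64s" the cost of tripping a /48), "24 consecutive hours with an allowable rate" is read as a rolling 24-hour window whose total stays within the daily allowance, listed /64s never expire, and the addresses are constructed documentation-prefix samples. The second function shows the tuning problem Rob raises: a spammer who moves to a fresh /64 only every two hours decays faster than he scores and never trips the /48.

```python
import ipaddress
from collections import deque
from dataclasses import dataclass, field

# Tunables taken from the post: block a /48 at score 16, a /32 at 64, and allow
# about 16 (/48) or 256 (/32) messages per day while in block timer mode.
BLOCK_THRESHOLD = {48: 16, 32: 64}
ALLOWED_PER_DAY = {48: 16, 32: 256}
UNBLOCK_WINDOW_HOURS = 24


def containing(addr: str, plen: int) -> ipaddress.IPv6Network:
    """The /plen prefix that contains addr, e.g. containing('2001:db8:1:2::1', 48)."""
    return ipaddress.IPv6Network(f"{addr}/{plen}", strict=False)


@dataclass
class BlockState:
    """Block timer mode: per-hour spam counts for the last 24 hours, plus the hour in progress."""
    hourly: deque = field(default_factory=lambda: deque(maxlen=UNBLOCK_WINDOW_HOURS))
    current: int = 0


@dataclass
class Scorer:
    blocked64: set = field(default_factory=set)   # /64s listed outright (assumption: never expire)
    score: dict = field(default_factory=dict)     # unblocked /48 or /32 -> current score
    blocked: dict = field(default_factory=dict)   # /48 or /32 in block timer mode -> BlockState
    hour: int = 0

    def is_blocked(self, addr: str) -> bool:
        return containing(addr, 64) in self.blocked64 or any(
            containing(addr, p) in self.blocked for p in BLOCK_THRESHOLD)

    def spam(self, addr: str) -> None:
        """Record one spam message seen from addr during the current hour."""
        n64 = containing(addr, 64)
        aggs = {p: containing(addr, p) for p in BLOCK_THRESHOLD}
        for agg in aggs.values():                 # blocks in timer mode count everything
            if agg in self.blocked:
                self.blocked[agg].current += 1
        was_blocked = n64 in self.blocked64 or any(a in self.blocked for a in aggs.values())
        self.blocked64.add(n64)                   # assumption: list the /64 on first sighting
        if was_blocked:
            return                                # blocked spam never increments a score
        for plen, agg in aggs.items():            # unblocked spam from a fresh /64 scores
            self.score[agg] = self.score.get(agg, 0) + 1
            if self.score[agg] >= BLOCK_THRESHOLD[plen]:
                self.blocked[agg] = BlockState()
                del self.score[agg]

    def tick(self) -> None:
        """End of one hour: decay every score by one and advance the block timers."""
        self.hour += 1
        for agg in list(self.score):
            self.score[agg] -= 1
            if self.score[agg] <= 0:
                del self.score[agg]
        for agg, st in list(self.blocked.items()):
            st.hourly.append(st.current)
            st.current = 0
            # Assumed reading of "24 consecutive hours with an allowable rate": a full
            # 24-hour window whose total is within the daily allowance.
            if len(st.hourly) == UNBLOCK_WINDOW_HOURS and sum(st.hourly) <= ALLOWED_PER_DAY[agg.prefixlen]:
                del self.blocked[agg]


def scenario() -> dict:
    """A spammer cycles through /64s of one constructed /48; an innocent host shares it."""
    s = Scorer()
    victim = "2001:db8:1234:ffff::1"             # constructed innocent host in the same /48
    out = {}
    for i in range(15):                          # 15 distinct /64s: one short of the threshold
        s.spam(f"2001:db8:1234:{i:x}::1")
    out["blocked_after_15"] = s.is_blocked(victim)
    s.spam("2001:db8:1234:f::1")                 # 16th /64 trips the /48
    out["blocked_after_16"] = s.is_blocked(victim)
    for _ in range(20):                          # 20 messages in one hour exceed the 16/day budget
        s.spam("2001:db8:1234:10::1")
    for _ in range(UNBLOCK_WINDOW_HOURS):
        s.tick()
    out["still_blocked_after_noisy_day"] = s.is_blocked(victim)
    s.tick()                                     # the noisy hour leaves the window
    out["unblocked_after_quiet_day"] = not s.is_blocked(victim)
    out["spammer_64_still_listed"] = s.is_blocked("2001:db8:1234:f::1")
    return out


def slow_spammer_is_not_aggregated(hours_between: int = 2, rounds: int = 40) -> bool:
    """A fresh /64 every two hours: each point decays before the next arrives."""
    s = Scorer()
    for i in range(rounds):
        s.spam(f"2001:db8:abcd:{i:x}::1")        # constructed sample prefix
        for _ in range(hours_between):
            s.tick()
    return not s.is_blocked("2001:db8:abcd:ffff::1")


if __name__ == "__main__":
    print(scenario())
    print("slow spammer escapes /48 listing:", slow_spammer_is_not_aggregated())
```

The decay rate is the knob that matters: with one point per hour and a threshold of 16, anyone who spaces fresh /64s more than an hour apart is only ever listed at /64, which is exactly the "free pass" case; a slower decay (or scoring distinct /64s over a day rather than an hour) closes that gap at the price of more collateral damage for a hoster that really does hand /64s to separate customers.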