Re: [Asrg] DNSBL and IPv6
Steve Atkins <steve@blighty.com> Sat, 20 October 2012 00:38 UTC
Return-Path: <steve@blighty.com>
X-Original-To: asrg@ietfa.amsl.com
Delivered-To: asrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix)
with ESMTP id 99F1B21F8BB4 for <asrg@ietfa.amsl.com>;
Fri, 19 Oct 2012 17:38:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5
tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RCkv8u66jd3e for
<asrg@ietfa.amsl.com>; Fri, 19 Oct 2012 17:38:18 -0700 (PDT)
Received: from m.wordtothewise.com (misc.wordtothewise.com [184.105.179.154])
by ietfa.amsl.com (Postfix) with ESMTP id C297E21F8BB3 for <asrg@irtf.org>;
Fri, 19 Oct 2012 17:38:18 -0700 (PDT)
Received: from [192.168.80.56] (204.11.227.194.static.etheric.net
[204.11.227.194]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No
client certificate requested) (Authenticated sender: steve) by
m.wordtothewise.com (Postfix) with ESMTPSA id 0560F2EADE for <asrg@irtf.org>;
Fri, 19 Oct 2012 17:38:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=wordtothewise.com;
s=1.wttw; t=1350693498; bh=f85MGHDjrl5iBqbnl70K+HHdEAc4YUZ8l5bUrh1Mj6s=;
h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date: Content-Transfer-Encoding:Message-Id:References:To;
b=lFQoh3D+IA+XNMge72N7pVcLlxfJIgqt33FmWXYBqfoe9zE9TX5kYwPZZ4mDO7Njh
m9aWoOCQ4gNWzscyZvftUm2pnVUmvr3bbmg8NXek8diPYy1uKyO0sDMRga8ivb7Hw4
KmX/Ir3/4qz4YE3KfxWEazPs8yiS3QYxS/aB6wuk=
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Steve Atkins <steve@blighty.com>
In-Reply-To: <5081EF6F.9030808@hireahit.com>
Date: Fri, 19 Oct 2012 17:38:16 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <5C0A004C-1BAD-4103-85C2-B94B718F0367@blighty.com>
References: <20121019224131.28382.qmail@joyce.lan>
<5081EF6F.9030808@hireahit.com>
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
X-Mailer: Apple Mail (2.1499)
Subject: Re: [Asrg] DNSBL and IPv6
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/asrg>,
<mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>,
<mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Oct 2012 00:38:19 -0000
On Oct 19, 2012, at 5:25 PM, Dave Warren <lists@hireahit.com> wrote:

> On 10/19/2012 15:41, John Levine wrote:
>>>> What I feel needs to happen is that policy needs to be put in place so that RIRs
>>>> (via ISPs) can present "what is a customer" on a network level, and then
>>>> this information can be put into DNS somehow, and used for DNSBL.
>> Yeah, I've been talking to people on and off about this for over a
>> year. Even though providers can lie about their allocation
>> granularity, most won't, and the ones that lie would probably merit
>> total blocking anyway.
>
> I'm less worried about those that lie outright than those that just don't care, either by not bothering to specify a policy at all (unless it becomes mandatory somehow), or by having more granularity than can be clearly specified in a single policy.
>
> For example, their policy might be to allocate at the /64 level, but unless they also prohibit customers from obtaining more than one /64...

The ability for customers to obtain more than one IPv4 /32 hasn't been too complex an issue for blacklist operators to deal with. Any blacklist operator who's successfully running an IPv4 blacklist can surely come up with reasonable (or unreasonable, I won't judge…) policies for IPv6.

The only relevant difference between v4 and v6 DNS-based blacklisting is that the ability to easily hop around *within* your /64 makes it possible (easy) to blow the cache of a traditional caching DNS resolver if you do a naive "look up a record based on the IPv6 address".

That doesn't affect the viability of source-address-based blacklisting. It doesn't affect the viability of distributing that data as DNS zone files (they suck for both v4 and v6, but they're usable). And it doesn't affect the viability of using DNS as the communication channel between an MX and a local authoritative blacklist server.

But it does mean that anyone wanting a recursive resolver in their distribution path might have to refine the process a little - which is what I assume John is looking at. (I'm betting that "mask the bottom 64 bits before querying" would work just fine, but I don't think we have enough v6 space in use yet to say for sure.)

Cheers,
  Steve
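The cache-blowing problem Steve describes, and his "mask the bottom 64 bits before querying" idea, as an added example (this code is not part of Steve's message or the thread). It builds DNSBL query names the traditional way for IPv4 (octets reversed) and in the nibble-reversed form RFC 5782 specifies for IPv6, then shows that a sender hopping across hosts inside one /64 produces a fresh query name (and so a fresh negative-cache entry) per address unless the host bits are masked first. The zone name `dnsbl.example`, the sample /64, and the generated host addresses are assumptions constructed for the demo; the /64 masking is Steve's proposal, not an established DNSBL convention.

```python
import ipaddress
import random

# Hypothetical zone name used only for illustration; real lists use their own.
DNSBL_ZONE = "dnsbl.example"


def dnsbl_qname_v4(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Traditional IPv4 DNSBL query name: the four octets reversed, then the zone.
    e.g. 127.0.0.2 -> 2.0.0.127.dnsbl.example (127.0.0.2 is the RFC 5782 test entry)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_qname_v6(ip: str, zone: str = DNSBL_ZONE, prefix_len: int = 128) -> str:
    """IPv6 DNSBL query name per RFC 5782: all 32 hex nibbles of the address,
    reversed and dot-separated, then the zone.

    prefix_len < 128 applies Steve's suggested refinement: the host bits below
    prefix_len are zeroed before the name is built, so every address inside the
    same prefix maps to one query name (and one resolver cache entry)."""
    if not 0 <= prefix_len <= 128:
        raise ValueError("prefix_len must be between 0 and 128")
    addr = ipaddress.IPv6Address(ip)
    masked = ipaddress.IPv6Network((addr, prefix_len), strict=False).network_address
    nibbles = masked.exploded.replace(":", "")  # 32 lowercase hex digits
    return ".".join(reversed(nibbles)) + "." + zone


def hosts_in_same_64(prefix: str, n: int, seed: int = 1) -> list:
    """Constructed sample data: n random host addresses inside one /64,
    modelling a sender that hops interface identifiers between connections."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64")
    rng = random.Random(seed)
    base = int(net.network_address)
    return [str(ipaddress.IPv6Address(base | rng.getrandbits(64))) for _ in range(n)]


def distinct_qnames(addrs, prefix_len: int) -> int:
    """How many distinct DNSBL names (i.e. resolver cache entries) a set of
    source addresses generates when masked to prefix_len before lookup."""
    return len({dnsbl_qname_v6(a, prefix_len=prefix_len) for a in addrs})


if __name__ == "__main__":
    sample = hosts_in_same_64("2001:db8:1:2::/64", 1000)
    print(dnsbl_qname_v4("127.0.0.2"))
    print(dnsbl_qname_v6(sample[0]))                 # naive per-address lookup
    print(dnsbl_qname_v6(sample[0], prefix_len=64))  # masked to the /64
    print("cache entries, naive /128 lookups:", distinct_qnames(sample, 128))
    print("cache entries, masked to /64:    ", distinct_qnames(sample, 64))
```

The naive form yields one cache entry per address the sender chooses, which is what lets a single /64 flood a recursive resolver's negative cache; masking to /64 collapses that to one. The trade-off is listing granularity: with the mask applied, a list can no longer distinguish hosts within a /64, which is exactly the allocation-policy question the rest of the thread is arguing about.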