Re: [Asrg] DNSBL and IPv6

[Paul Smith <paul@pscs.co.uk>]

On 26/10/2012 14:32, Matthias Leisi wrote:
> On Fri, Oct 26, 2012 at 3:27 PM, Mikael Abrahamsson <swmike@swm.pp.se> wrote:
>
>> I believe it's going to be common enough that legitimate MTAs will move
>> around within their /64 quite frequently (privacy extensions that are
> Using a /64 as a default seems reasonable, but a new standard for
> DNSxL lookups should provide some flexibility, either for a full list
> ("default prefix length = /56") or on a more granular level (using
> John L.'s original proposal, or some other useful method).
>

The problem with a /64 for black/white listing is that it's not quite 
the same as an IPv4 /32. So, at the moment we may have a /25 or /26 
block, but we'd still have a single IPv6 /64

We may run 50 customer dedicated  mail servers on our /64 block, and 
ideally we'd want each to have their own reputation. So, we couldn't do 
this if DNSBL/WL filtering is on a /64 block. With our current IPv4 /26 
each customer's server would have it's own reputation on an IPv4 DNSBL/WL.

Obviously we couldn't say what level of granularity we'd want, or 
spammers would just say 'we want /128 granularity', to overload everything.

We could (theoretically) get a /48 block, but that would be a waste (I 
know there are LOTS of /48's out there, but still), since we wouldn't 
need it for routing, just for making it work with /64 based 
black/whitelisting.

I can't think of a good answer to this, but our case is a use case which 
isn't going to be that unusual.



-

Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53