Re: [Asrg] DNSBL and IPv6
"Peter J. Holzer" <hjp-asrg@hjp.at> Sat, 20 October 2012 07:30 UTC
Return-Path: <hjp-asrg@hjp.at>
X-Original-To: asrg@ietfa.amsl.com
Delivered-To: asrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix)
with ESMTP id C434E21F860F for <asrg@ietfa.amsl.com>;
Sat, 20 Oct 2012 00:30:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.43
X-Spam-Level:
X-Spam-Status: No,
score=-1.43 tagged_above=-999 required=5 tests=[BAYES_00=-2.599,
HELO_EQ_AT=0.424, HOST_EQ_AT=0.745]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t-D5pG8dHQNz for
<asrg@ietfa.amsl.com>; Sat, 20 Oct 2012 00:30:35 -0700 (PDT)
Received: from zeno.hjp.at (ns1.hjp.at [212.17.106.132]) by ietfa.amsl.com
(Postfix) with ESMTP id 5517921F85F5 for <asrg@irtf.org>;
Sat, 20 Oct 2012 00:30:34 -0700 (PDT)
Received: by zeno.hjp.at (Postfix, from userid 1000) id ECEBC400F;
Sat, 20 Oct 2012 09:30:31 +0200 (CEST)
Date: Sat, 20 Oct 2012 09:30:31 +0200
From: "Peter J. Holzer" <hjp-asrg@hjp.at>
To: asrg@irtf.org
Message-ID: <20121020073031.GA3248@hjp.at>
References: <20121019224131.28382.qmail@joyce.lan>
<5081EF6F.9030808@hireahit.com>
<5C0A004C-1BAD-4103-85C2-B94B718F0367@blighty.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="mYCpIKhGyMATD0i+"
Content-Disposition: inline
In-Reply-To: <5C0A004C-1BAD-4103-85C2-B94B718F0367@blighty.com>
User-Agent: Mutt/1.5.20 (2009-06-14)
Subject: Re: [Asrg] DNSBL and IPv6
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/asrg>,
<mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>,
<mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Oct 2012 07:30:36 -0000
On 2012-10-19 17:38:16 -0700, Steve Atkins wrote: > On Oct 19, 2012, at 5:25 PM, Dave Warren <lists@hireahit.com> wrote: > > I'm less worried about those that lie outright than those that just > > don't care either by not bothering to specify a policy at all > > (unless it becomes mandatory somehow), or have more granularity than > > can be clearly specified in a single policy. > > > > For example, their policy might be to allocate at the /64 level, but > > unless they also prohibit customers from obtaining more than one > > /64... > > The ability for customers to obtain more than one IPv4 /32 hasn't been > too complex an issue for blacklist operators to deal with. Any > blacklist operator who's successfully running an IPv4 blacklist can > surely come up with reasonable (or unreasonable, I won't judge…) > policies for IPv6. > > The only relevant difference between v4 and v6 DNS based blacklisting > is that the ability to easily hop around *within* your /64 makes it > possible (easy) to blow the cache of a traditional caching DNS > resolver if you do naive "look up a record based on the IPv6 address". A simple (maybe naive) idea to reduce cache poisoning would be to do some kind of greylisting before doing the lookup: If you haven't seen the address before, simply return a temporary error. If you have seen it (within some time window), do the lookup. Is there a reason why a legitimate MTA (talking to MXs, not submission servers) would want to hop around in its net? * IPv6 privacy extensions might be turned on by default and the admin might not bother to turn them off, but I think they are too slow to prevent delivery (although it will slow down most mails) * An admin of an MTA serving many customers might want to use a different IP address for each customer. But from the outside that would just look like one MTA per customer, not a single MTA hopping around > That doesn't affect the viability of source address based > blacklisting. It doesn't affect the viability of distributing that > data as DNS zone files (they suck for both v4 and v6, but they're > usable). There are many more IPv6 addresses and even /64 nets than IPv4 addresses. It's theoretically possible to ship around a zone file with /all/ IPv4 addresses (that would be less than 100GB). This isn't remotely possible for IPv6 space. It might be possible for allocated /64 nets depending on how they are allocated (if every cell phone gets a /48 ...). If you go down to the /128 level, a spammer doing the hopping maneuvre could blow up your zone file beyond any reasonable limit. > And it doesn't affect the viability of using DNS as the > communication channel between an MX and a local authoritative > blacklist server. [...] Right. hp -- _ | Peter J. Holzer | Der eigene Verstand bleibt gefühlt messer- |_|_) | Sysadmin WSR | scharf. Aber die restliche Welt blickt's | | | hjp@hjp.at | immer weniger. __/ | http://www.hjp.at/ | -- Matthias Kohrs in desd
- [Asrg] DNSBL and IPv6 Mikael Abrahamsson
- Re: [Asrg] DNSBL and IPv6 Matthias Leisi
- Re: [Asrg] DNSBL and IPv6 Mikael Abrahamsson
- Re: [Asrg] DNSBL and IPv6 John Levine
- Re: [Asrg] DNSBL and IPv6 Dave Warren
- Re: [Asrg] DNSBL and IPv6 Steve Atkins
- Re: [Asrg] DNSBL and IPv6 Mikael Abrahamsson
- Re: [Asrg] DNSBL and IPv6 Matthias Leisi
- Re: [Asrg] DNSBL and IPv6 Peter J. Holzer
- Re: [Asrg] DNSBL and IPv6 Bart Schaefer
- Re: [Asrg] DNSBL and IPv6 John Levine
- Re: [Asrg] DNSBL and IPv6 John Levine
- Re: [Asrg] DNSBL and IPv6 Peter J. Holzer
- Re: [Asrg] DNSBL and IPv6 Peter J. Holzer
- Re: [Asrg] DNSBL and IPv6 John Levine
- Re: [Asrg] DNSBL and IPv6 Tim Chown
- Re: [Asrg] DNSBL and IPv6 Hal Murray
- Re: [Asrg] DNSBL and IPv6 John Levine
- Re: [Asrg] DNSBL and IPv6 Steve Atkins
- Re: [Asrg] DNSBL and IPv6 Paul Smith
- Re: [Asrg] DNSBL and IPv6 Martijn Grooten
- Re: [Asrg] DNSBL and IPv6 Matthias Leisi
- Re: [Asrg] DNSBL and IPv6 John Levine
- Re: [Asrg] DNSBL and IPv6 Rob McEwen
- Re: [Asrg] DNSBL and IPv6 Emanuele Balla (aka Skull)
- Re: [Asrg] DNSBL and IPv6 Emanuele Balla (aka Skull)
- Re: [Asrg] DNSBL and IPv6 Paul Smith
- Re: [Asrg] DNSBL and IPv6 Rob McEwen
- Re: [Asrg] DNSBL and IPv6 Emanuele Balla (aka Skull)
- Re: [Asrg] DNSBL and IPv6 Rob McEwen
- Re: [Asrg] DNSBL and IPv6 Paul Smith
- Re: [Asrg] DNSBL and IPv6 Emanuele Balla (aka Skull)
- Re: [Asrg] DNSBL and IPv6 Paul Smith
- Re: [Asrg] DNSBL and IPv6 Scott Howard
- Re: [Asrg] DNSBL and IPv6 Hal Murray
- Re: [Asrg] DNSBL and IPv6 Emanuele Balla (aka Skull)
- Re: [Asrg] DNSBL and IPv6 Mikael Abrahamsson
- Re: [Asrg] DNSBL and IPv6 Matthias Leisi
- Re: [Asrg] DNSBL and IPv6 Matthias Leisi
- Re: [Asrg] DNSBL and IPv6 Paul Smith
- Re: [Asrg] DNSBL and IPv6 Jeff Macdonald
- Re: [Asrg] DNSBL and IPv6 John Levine