IETF Logo Mail Archive

Re: [Asrg] DNSBL and IPv6

"Peter J. Holzer" <hjp-asrg@hjp.at> Sat, 20 October 2012 07:30 UTC

Return-Path: <hjp-asrg@hjp.at>
X-Original-To: asrg@ietfa.amsl.com
Delivered-To: asrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C434E21F860F for <asrg@ietfa.amsl.com>; Sat, 20 Oct 2012 00:30:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.43
X-Spam-Level:
X-Spam-Status: No, score=-1.43 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_AT=0.424, HOST_EQ_AT=0.745]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t-D5pG8dHQNz for <asrg@ietfa.amsl.com>; Sat, 20 Oct 2012 00:30:35 -0700 (PDT)
Received: from zeno.hjp.at (ns1.hjp.at [212.17.106.132]) by ietfa.amsl.com (Postfix) with ESMTP id 5517921F85F5 for <asrg@irtf.org>; Sat, 20 Oct 2012 00:30:34 -0700 (PDT)
Received: by zeno.hjp.at (Postfix, from userid 1000) id ECEBC400F; Sat, 20 Oct 2012 09:30:31 +0200 (CEST)
Date: Sat, 20 Oct 2012 09:30:31 +0200
From: "Peter J. Holzer" <hjp-asrg@hjp.at>
To: asrg@irtf.org
Message-ID: <20121020073031.GA3248@hjp.at>
References: <20121019224131.28382.qmail@joyce.lan> <5081EF6F.9030808@hireahit.com> <5C0A004C-1BAD-4103-85C2-B94B718F0367@blighty.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="mYCpIKhGyMATD0i+"
Content-Disposition: inline
In-Reply-To: <5C0A004C-1BAD-4103-85C2-B94B718F0367@blighty.com>
User-Agent: Mutt/1.5.20 (2009-06-14)
Subject: Re: [Asrg] DNSBL and IPv6
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Oct 2012 07:30:36 -0000

On 2012-10-19 17:38:16 -0700, Steve Atkins wrote:
> On Oct 19, 2012, at 5:25 PM, Dave Warren <lists@hireahit.com> wrote:
> > I'm less worried about those that lie outright than those that just
> > don't care either by not bothering to specify a policy at all
> > (unless it becomes mandatory somehow), or have more granularity than
> > can be clearly specified in a single policy.
> > 
> > For example, their policy might be to allocate at the /64 level, but
> > unless they also prohibit customers from obtaining more than one
> > /64...
> 
> The ability for customers to obtain more than one IPv4 /32 hasn't been
> too complex an issue for blacklist operators to deal with. Any
> blacklist operator who's successfully running an IPv4 blacklist can
> surely come up with reasonable (or unreasonable, I won't judge…)
> policies for IPv6.
> 
> The only relevant difference between v4 and v6 DNS based blacklisting
> is that the ability to easily hop around *within* your /64 makes it
> possible (easy) to blow the cache of a traditional caching DNS
> resolver if you do naive "look up a record based on the IPv6 address".

A simple (maybe naive) idea to reduce cache poisoning would be to do
some kind of greylisting before doing the lookup: If you haven't seen
the address before, simply return a temporary error. If you have seen
it (within some time window), do the lookup. 

Is there a reason why a legitimate MTA (talking to MXs, not submission
servers) would want to hop around in its net?

 * IPv6 privacy extensions might be turned on by default and the admin
   might not bother to turn them off, but I think they are too slow to
   prevent delivery (although it will slow down most mails)
 * An admin of an MTA serving many customers might want to use a
   different IP address for each customer. But from the outside that 
   would just look like one MTA per customer, not a single MTA hopping
   around


> That doesn't affect the viability of source address based
> blacklisting. It doesn't affect the viability of distributing that
> data as DNS zone files (they suck for both v4 and v6, but they're
> usable).

There are many more IPv6 addresses and even /64 nets than IPv4
addresses. It's theoretically possible to ship around a zone file with
/all/ IPv4 addresses (that would be less than 100GB). This isn't remotely 
possible for IPv6 space. It might be possible for allocated /64 nets
depending on how they are allocated (if every cell phone gets a /48 ...).
If you go down to the /128 level, a spammer doing the hopping maneuvre
could blow up your zone file beyond any reasonable limit.

> And it doesn't affect the viability of using DNS as the
> communication channel between an MX and a local authoritative
> blacklist server.
[...]

Right.

	hp

-- 
   _  | Peter J. Holzer    | Der eigene Verstand bleibt gefühlt messer-
|_|_) | Sysadmin WSR       | scharf. Aber die restliche Welt blickt's
| |   | hjp@hjp.at         | immer weniger.
__/   | http://www.hjp.at/ |   -- Matthias Kohrs in desd

v2.8.7 | Report a Bug | By Email