Posted 17th January 2017 by jggimi
IPv6 and address reputation management: blocklists, &c.

As noted I have just deployed IPv6 on a personal network. That was so I could reach a production server I've also just deployed with IPv6.

With this very small deployment, I have been assigned 2 /64 IPv6 subnets by two ISPs.
For those unfamiliar with IPv6, that is a lot of addresses. If I've done the math right, two /64 subnets is 3.69e+19 addresses. Nearly 37 septillion addresses. Specifically: 36,893,488,148,419,103,232 unique IP addresses.

So I'm musing on IP blocklists of all kinds, since there are an (effectively) limitless number of IP addresses. Even non-abusers will change addresses from nearly limitless pools, as NICs with autoconfiguration privacy extensions change the outbound address frequently.

For IPv4, we have many IP-based reputation lists: blocklists of prior abusers. Blacklists of known abusers. Greylists of possible abusers. And whitelists of assumed non-abusers.

But it has me wondering. Regarding Email, for example, Spamhaus says:
Quote:
Originally Posted by Spamhaus
IPv6 presents significant new challenges for mail systems compared to IPv4. Most importantly, the vast size of the IPv6 space means that approaches that work in IPv4 do not necessarily scale to IPv6. For example, a sender could easily do "spread spectrum" spamming, using a different IP address for every message. Thus a major issue with current DNS based blocklist querying is the memory cache size of DNS resolvers in comparison to the vast numbers of IP addresses spammers will be able to use in IPv6. Although we think we understand the likely issues, neither we nor anyone really knows how both legitimate mail and spam will use IPv6.

Are you managing IPv6 networks today? If so, how are you managing abuse? Blocking entire /64 prefixes? Blocking individual addresses? And if the latter, are you seeing repeat offenders from the same /64?

I'm not doing anything different for IPv6 -- yet. But it's a new server, and I haven't seen any IPv6 abuse in my logs ... so far. Other than my own connection tests, I'm only seeing Google connections to the server using IPv6.

Last edited by jggimi; 18th January 2017 at 02:10 PM. Reason: typo, some clarity
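One way to answer the post's closing question from your own logs, as an added example that is not part of the original post: group rejected IPv6 sources by /64 and see whether offenders cluster in one prefix. The log format, the function names and the `min_distinct` threshold are assumptions for illustration, and the sample lines are constructed from the 2001:db8::/32 documentation range.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log lines (documentation addresses only, not real traffic).
SAMPLE_LOG = """\
Jan 17 10:00:01 mx smtpd[101]: reject from 2001:db8:aa:1:a1b2:c3d4:e5f6:1 (constructed)
Jan 17 10:00:09 mx smtpd[101]: reject from 2001:db8:aa:1:9f00:12ff:fe34:5678 (constructed)
Jan 17 10:01:30 mx smtpd[102]: reject from 2001:db8:aa:1::beef (constructed)
Jan 17 10:02:11 mx smtpd[103]: reject from 2001:db8:bb:7::25 (constructed)
Jan 17 10:02:40 mx smtpd[103]: reject from 2001:db8:bb:7::25 (constructed)
Jan 17 10:03:05 mx smtpd[104]: reject from 192.0.2.44 (constructed)
Jan 17 10:04:00 mx smtpd[105]: reject from 2001:db8:cc:9::1 (constructed)
"""


def offenders_by_prefix(log_text, prefix_len=64):
    """Map each covering IPv6 network to {address: hit_count}; IPv4 is ignored."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        for token in line.split():
            try:
                addr = ipaddress.ip_address(token.strip("[](),;"))
            except ValueError:
                continue  # timestamps, hostnames and other non-address tokens
            if addr.version != 6:
                continue
            net = ipaddress.IPv6Network(f"{addr}/{prefix_len}", strict=False)
            seen[net][addr] += 1
    return seen


def suggest_blocks(seen, min_distinct=2):
    """Hypothetical policy: block the prefix once several distinct hosts in it offend."""
    blocks = []
    for net in sorted(seen):
        if len(seen[net]) >= min_distinct:
            blocks.append(str(net))  # many addresses, one prefix: likely one sender
        else:
            blocks.extend(f"{addr}/128" for addr in seen[net])
    return blocks


if __name__ == "__main__":
    for entry in suggest_blocks(offenders_by_prefix(SAMPLE_LOG)):
        print(entry)
```

Raising `min_distinct` trades faster prefix blocking against the risk of cutting off unrelated hosts that share a /64 and rotate privacy addresses.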