IPv6 Ignorance

Timothy Morizot tmorizot at gmail.com
Mon Sep 17 00:26:22 UTC 2012


On Sep 16, 2012 6:58 PM, "John R. Levine" <johnl at iecc.com> wrote:
>>>
>>> IPv6 has its problems, but running out of addresses is not one of them.
>>> For those of us worried about abuse management, the problem is the
>>> opposite, even the current tiny sliver of addresses is so huge that
>>> techniques from IPv4 to map who's doing what where don't scale.
>>
>>
>> Well, in IPv4...  NAT broke it, because  networks implementing 1:many
>> NAT could no longer easily identify what host was responsible for abuse.
>
>
> I realize that's a problem in theory, in practice it's not because it's
still rare to have interestingly different hosts behind a single NAT.
>
>
>> What do you mean by suggesting IPv4 abuse management techniques to map
whose doing what, where do not scale to IPv6's larger address space?
>
>
> Large networks keep separate reputation for every address in the IPv4
address space based on the traffic they send.  You can't do that in IPv6,
particularly since hostile bots can easily hop around within a /64, which
is bad news if that /64 also has some legit hosts.

Of course, as soon as CGN (or LSN or NAT444) is added to IPv4 the same
problem exists in practice as well as theory. So old practices will have to
be improved and replaced regardless.



More information about the NANOG mailing list