IPv6 filtering (was Re: IPv6 internet broken, cogent/telia/hurricane not peering)

Jeroen Massar jeroen at unfix.org
Mon Oct 12 19:40:57 UTC 2009

Marco Hogewoning wrote:
> As this thread has drifted off topic any way, would it for instance be a
> good idea to simply not accept mail from hosts that clearly use
> autoconfig ie reject all smtp from EUI-64 addresses

Can you please *NOT* suggest people *STUPID* ideas like filtering on
arbitrary bits inside an address!? Thank you.

I hope that you realize that stupid people will use these kind of
practices and then "forget" to update them when they are actually
realize that they are just that: stupid.

Just a note: it is very useful to be able to just throw boxes in an
ethernet, bootp them and assign them a function. This is how most large
scale ISPs work, maybe no yours but there are lots that do. Assigning
addresses using a stateless method like RA is suddenly a god-given.

Of course if you do not want to receive mail from anybody, just don't
use the Internet.

> Of course not a
> wise idea for your own outbound relays which should handle mail from
> your customers but on the incoming side it might as well save a lot of
> headache and there is no need to keep track of which /64 are access
> networks.

Just use a *DYNAMIC* RBL, aka one which updates, aka the same system as
currently in use on IPv4. These will most likely start blocking per /64,
and when reaching a certain amount of /64s /48, will block the /48 and
when reaching a certain amount of /48s per /32 just block out the whole /32.

Of course other current "IPv4" practices for fending of botted hosts
 - require a valid and correct SMTP conversation
 - require HELO/EHLO + that the given hostname properly forward +
   reverses and matches the host that is connecting
   (this simple check cuts out most botted hosts)
 - Score sending hosts and message based on RBL and message content
   (aka use spamassassin and keep your rules up to date)

For IPv6 nothing changes, the only thing that might change is that RBLs
will take above policy, aggregating their prefixes to avoid hosts that
swap addresses inside a /64, /48 or even a complete /32 to spam the
world. This is also a good thing, because ISPs who keep their network
clean will not go into the RBL, just like in IPv4.

or in postfix config something like:
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_recipient_restrictions = reject_unauth_pipelining,
reject_unknown_recipient_domain, permit_sasl_authenticated,
permit_mynetworks, reject_unauth_destination, check_recipient_maps

smtpd_sender_restrictions = reject_unknown_sender_domain,
reject_unauth_pipelining, permit_mynetworks
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname,
reject_unknown_hostname, reject_invalid_hostname, reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_client_restrictions = permit_mynetworks

Problem solved. Happy internetting....

 (Who indeed is not calling Marco stupid, as he is one of those people
  who is not stupid, he sometimes just has a wrong idea, just like me ;)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20091012/4ddc1d2a/attachment.sig>

More information about the NANOG mailing list