why IPv6 isn't ready for prime time, SMTP edition

John Levine johnl at iecc.com
Tue Mar 25 17:23:28 UTC 2014


>If you want to do address-based reputations for v6 similar to v4, my guess is 
>that it will start to aggregate to at least the /64 boundary ...

It says a lot about the state of the art that people are still making
uninformed guesses like this, non-ironically.

On the one hand /64 is too coarse, because there are hosting providers
that put multiple customers in a single /64.  If you filter at that
granularity, you'll get a lot of false positives and collateral
damage.  (When asked why they did something that dumb, they've tended
to blame equipment vendors.)

On the other hand, /64 is much too fine.  Roadrunner assigns my cable
connection a /50*, so even if you're aggregating at /64, there are now
16K different incarnations of me to block, instead of the one in IPv4.
Businesses typically get a /48 so they have 64K incarnations.  It
would be nice if there were an efficient and reliable way to ask
networks what their customer suballocation size is, but there isn't,
so you have to hope rwhois will work and be fast enough, or guess,
often guessing wrong.  There also isn't any agreed way to publish
DNSBLs with variable size ranges other than rsync'ing the whole file.

IANA has handed out /12s to the RIRs, so each of those is 2^52 /64s,
a number that's way out in the absurd-o-sphere.

Large mail providers all agree that v6 senders need to follow good
mail discipline, but are far from agreeing what that means.  It
certainly means proper rDNS, but does it mean SPF?  DKIM on all the
mail?  TLS on the connections?  At this point, I don't know and
neither does anyone else.  Fortunately we have at least another decade
of full IPv4 mail connectivity to figure it out.

For anyone who points out that v6 mail works now, you're right, it
does, but that's only because botnets don't use it yet other than
occasionally by accident on dual-stacked hosts, so the amount of spam
is much lower than on IPv4 and there isn't much address hopping.  With
any luck they never will, since bot mail still works OK for them on
v4, but if they do, and they start doing address hopping, it'll be
really ugly.

R's,
John

* - yes, it's a /50, their rwhois says so.  And I know because
whenever my modem reboots, it assigns me a /64 more or less at random
from that /50 even though they tell me it's supposed to keep giving me
the same one.  See prior comments about mostly working.
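An added illustration of the aggregation problem described above (example code, not from John's post or from NANOG): rolling sender addresses up to the customer allocation boundary only works if you know each network's suballocation size. The table below is a constructed stand-in for the rwhois data the post says is slow or missing, with /64 as the fallback guess; all prefixes and events are hypothetical.

```python
import ipaddress

# Constructed per-network customer suballocation sizes (hypothetical
# prefixes), standing in for an rwhois lookup. Residential customers in
# the first block get a /50, business customers in the second get a /48.
SUBALLOCATION_PREFIXLEN = {
    ipaddress.ip_network("2001:db8:1000::/36"): 50,
    ipaddress.ip_network("2001:db8:2000::/36"): 48,
}
DEFAULT_PREFIXLEN = 64  # the guess used when no allocation data exists


def customer_block(addr):
    """Return the customer-sized network containing addr."""
    ip = ipaddress.IPv6Address(addr)
    plen = DEFAULT_PREFIXLEN
    for net, size in SUBALLOCATION_PREFIXLEN.items():
        if ip in net:
            plen = size
            break
    return ipaddress.ip_network((ip, plen), strict=False)


def incarnations(prefixlen, unit=64):
    """How many /unit subnets one /prefixlen block contains."""
    return 2 ** (unit - prefixlen)


def aggregate_reputation(events):
    """events: iterable of (source address, is_spam).
    Returns {customer block: (spam count, total count)} so that one
    address-hopping sender inside a /50 is counted as one entity."""
    counts = {}
    for addr, is_spam in events:
        blk = customer_block(addr)
        spam, total = counts.get(blk, (0, 0))
        counts[blk] = (spam + int(is_spam), total + 1)
    return counts


# Constructed sample: one residential sender hopping across /64s in its
# /50, a neighbour in the next /50, a business /48, and an unknown network.
SAMPLE_EVENTS = [
    ("2001:db8:1000:0001::1", True),   # residential /50, first /64
    ("2001:db8:1000:3fff::1", True),   # same /50, a different /64
    ("2001:db8:1000:4000::1", False),  # next /50, a different customer
    ("2001:db8:2000:5::1", True),      # business /48
    ("2001:db8:2000:6::1", False),     # same /48
    ("2001:db8:ffff:1::1", False),     # no data: falls back to /64
]
```

The /64 fallback cannot fix the other failure mode in the post, several customers sharing one /64, because no prefix length distinguishes them.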
