owen at delong.com
Wed Mar 26 05:31:25 UTC 2014
>> IPv6 adds an entirely new aspect to it.
> Well, if you mean the entirely new aspect is a list of hex addresses instead of dotted decimal addresses I guess so. I personally would rather have a list of actual end system addresses than a list of addresses that represent a mail server and several thousand other innocent devices behind a NAT. Might be easier to tell the system owner which system is compromised than to call a large company and tell them one of their systems is compromised. It would also be nice to be able to allow legitimate email to a business partner while blocking his compromised system only.
I thin the new dimension is that a spammer today who manages to snag a /8 has 16.7 million addresses to play with. Even if he forces you to add each and every one to your list, that’s a few megabytes for a VERY large IPv4 block.
OTOH, a spammer with a single /64, pretty much the absolute minimum IPv6 block, has more than 18 quintillion addresses and there’s not a computer on the planet with enough memory (or probably not even enough disk space) to store that block list.
Sometimes scale is everything. host-based reputation lists scale easily to 3.2 billion host addresses. IPv6, not so easily.
More information about the NANOG