matthias at leisi.net
Thu Mar 27 07:47:59 UTC 2014
On Thu, Mar 27, 2014 at 6:17 AM, Owen DeLong <owen at delong.com> wrote:
> > It only takes a single entry if you do not store /128s but that /64. Yes,
> > RBL lookups do not currently know how to handle this, but there are a
> > couple of good proposals around on how to do it.
> Then the spammers will grab /48s instead of /64s. Lather, rinse, repeat.
> Admittedly, /48s are only 65,536 RBL entries per, but I still think that
> reputations are a losing battle in an IPv6 world unless we provide some
> way for providers to hint at block sizes.
That's why I believe having varying levels of granularity is the best
trade-off between cache friendliness, administrative effort and implementation
complexity, independent of whether it's "default deny" or "default accept".
We either need to solve (or reduce the impact of) the DNS cache issue or we
need to solve the fixed-range issue.
Or IP-based reputation as we know it today is more or less dropped from the
anti-spam toolset when it comes to IPv6.
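
The varying-granularity lookup discussed in this message, sketched as an added example that is not part of the original post or of any proposal it refers to. The prefix lengths (/128, /64, /48), the escalation threshold, the function names and the constructed 2001:db8::/32 documentation addresses are all assumptions.

```python
import ipaddress

# Checked from most to least specific (assumed policy for this example).
GRANULARITIES = (128, 64, 48)

def entries_needed(block_len, entry_len):
    """How many entry_len listings it takes to cover one block_len block."""
    return 2 ** (entry_len - block_len)

def covering_prefixes(addr, lengths=GRANULARITIES):
    """Networks of each configured length that contain addr."""
    ip = ipaddress.IPv6Address(addr)
    return [ipaddress.IPv6Network((int(ip), n), strict=False) for n in lengths]

def lookup(addr, listed):
    """Most specific listed prefix covering addr, or None if unlisted."""
    for net in covering_prefixes(addr):
        if net in listed:
            return net
    return None

def escalate(listed, threshold, parent_len=48, child_len=64):
    """Replace child_len entries with their parent_len prefix once at
    least `threshold` distinct children of that parent are listed."""
    by_parent = {}
    for net in listed:
        if net.prefixlen == child_len:
            parent = net.supernet(new_prefix=parent_len)
            by_parent.setdefault(parent, set()).add(net)
    result = set(listed)
    for parent, children in by_parent.items():
        if len(children) >= threshold:
            result -= children
            result.add(parent)
    return result

# Constructed sample list: one /64 entry and one /48 entry.
LISTED = {
    ipaddress.IPv6Network("2001:db8:1:2::/64"),
    ipaddress.IPv6Network("2001:db8:aa::/48"),
}

if __name__ == "__main__":
    print(entries_needed(48, 64))                 # /64 entries per /48
    print(lookup("2001:db8:1:2::dead", LISTED))   # matched at /64
    print(lookup("2001:db8:aa:ffff::1", LISTED))  # matched at /48
    print(lookup("2001:db8:1:3::1", LISTED))      # not listed
```
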