On 25/11/2021 14:22, Mary via mailop wrote:
> But that is not a real solution is it?
>
> Maybe linode and spamhaus can come up with a better solution between them?

Why is it not a real solution?

It's a bigger problem than Linode and Spamhaus. (I refer to Linode in my writings, but I don't mean to single them out. It could refer to any VM or hosting provider.)

And in a way it is because the address space numbers (and maths) for IPv6 are so completely bonkers, it takes a bit of getting used to.

There have been various ideas floated over the years to declare the allocation size in a way that improves on what is in the whois data or RIPE database. I don't think any have really worked.

The theory being a spam blocker could look up an IP address and see what size netblocks are allocated to customers. So how wide to block to stop the customer just swapping to one of the other 18446744073709551616 IP addresses a typical IPv6 user with a /64 has.

2001:db8:1::/48 -> in here, customers are each given a /64

So 2001:db8::1 and 2001:db8::2 will be the same customer/VM just with 2 IPs on the machine. If one is spamming, maybe don't trust the other.

2001:db8:2::/48  -> in here, customers are each given a /128

So 2001:db8:2::1 and 2001:db8:2::2 are 2 absolutely completely unrelated customers and so if ::1 is spamming, this is no indication about what ::2 might be doing (except that maybe if it keeps going a long time, the provider is not proactive in kicking off spammy customers).


But I don't think any of these schemes really got off the ground. Is it realistic to do some kind of lookup every time you want to drop in a firewall rule or some kind of blocklist (or be less trusting list)? I don't think the whois system could scale that well to the number of lookups. Ok, my home /48 is in RIPE saying I have a /48 allocation, but my ISP happens to be good at keeping the RIPE DB up to date and they like the detail in RIPE. Other ISPs have way less complete data.

In reality IPv6 addresses are abundant and even consumer services like SKY are allocating a /56 (256 lots of /64) to every single home customer.

So probably just easier for VM providers to dish out /64 per paying customer or VM. Or at least make it really easy for a customer who needs it to just request a /64. And let everybody block on /64. Linode's /32 allocation allows for 4,294,967,296 customers to have their own /64 network. (ok, less than this, some grouping to make their internal routing table easier, network segmentation, different datacentres....)

And if you think that isn't enough, Linode have at least 13 x /32 allocations. See https://bgp.he.net/AS63949#_prefixes6 They aren't exactly short of address space. :) I'm sure Linode could go to RIPE and ask for more space too. (if Linode go past 52 billion customers, give me a call)



--

Tim Bray
Huddersfield, GB
t...@kooky.org
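
An added example, not part of the message above: a Python sketch of the "block on /64, unless a declared allocation size says otherwise" idea. The allocation table, the function names and all sample addresses are constructed for illustration; no real registry lookup is performed.

```python
import ipaddress

# Constructed (hypothetical) allocation table: covering prefix -> prefix length
# of the block each customer receives inside it. It mirrors the two /48 cases
# discussed in the message.
ALLOCATION_SIZES = {
    ipaddress.ip_network("2001:db8:1::/48"): 64,   # one /64 per customer
    ipaddress.ip_network("2001:db8:2::/48"): 128,  # one /128 per customer
}
DEFAULT_PREFIXLEN = 64  # "let everybody block on /64"


def customer_block(addr, table=ALLOCATION_SIZES, default=DEFAULT_PREFIXLEN):
    """Return the network to treat as a single customer for this address."""
    ip = ipaddress.IPv6Address(addr)  # raises AddressValueError if not IPv6
    # Longest-prefix match against the declared allocation sizes.
    matches = [net for net in table if ip in net]
    if matches:
        size = table[max(matches, key=lambda n: n.prefixlen)]
    else:
        size = default
    return ipaddress.ip_network(f"{ip}/{size}", strict=False)


def blocks_to_list(offenders, table=ALLOCATION_SIZES):
    """Collapse offending addresses into the distinct customer blocks."""
    return sorted({customer_block(a, table) for a in offenders})


def is_listed(addr, listed):
    """True if a connecting address falls inside any listed block."""
    ip = ipaddress.IPv6Address(addr)
    return any(ip in net for net in listed)


# Constructed sample of addresses seen sending spam.
SAMPLE_OFFENDERS = [
    "2001:db8:1::1", "2001:db8:1::2",   # same /64, so one listing
    "2001:db8:2::1", "2001:db8:2::2",   # separate /128 customers
    "2001:db8:ffff:1::25",              # no declared size, default /64
]

if __name__ == "__main__":
    listed = blocks_to_list(SAMPLE_OFFENDERS)
    for net in listed:
        print(net)
    # A sender hopping within its own /64 is still caught; a neighbour is not.
    print(is_listed("2001:db8:1::dead", listed))  # True
    print(is_listed("2001:db8:2::3", listed))     # False
```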
