Ah, I see the problem.  You're assuming that spammers will follow the
rules.  That's a poor assumption.

>> The IPv6 address space is big.  Very, very big.  Even if you chop it
>> in half to /64s, it is still four billion times bigger than the v4
>> address space.  Bad guys hopping around /64s will blow out your DNS
>> cache just as badly as hopping around /128s.
>
>No, since the number of total host numbers in a /64 is vastly larger 
>than in a /128, if you hold to single number queries then it will blow
>it out far far faster.

I suppose that's technically correct, in the sense that blowing out in
a millisecond is faster than blowing it out in a minute, but that hardly
matters to people running DNS caches.  Let's do a thought experiment:
imagine you have a big honking DNS cache with 100 billion slots.  If we
had a BL with one potential entry per /64 (keeping in mind that a cache
remembers both successful and failed queries), how much of the address
space can you query before your cache fills up?

Answer: 0.00000054%.  Kaboom!

>Well for starters it almost sounds to me like you're not that familiar
>with IPv6 to even say this.  The lower 64 bits of the address is the
>interface identifier, and the upper 64 bits is the sub-network
>prefix.

If you use SAA, sure.  If you use DHCP, the address layout is whatever
it is.

> It is extremely abnormal for a host to change its MAC address every
> few milliseconds, so the idea that a spammer could cycle through the
> lower /64 using 1 address per message is in the realm of extreme
> improbability.

Like I said, you're making the poor assumption that spammers will
follow your rules.  In reality, they'll do whatever they think will
get their spam through.

>  The only reason to run around saying the sky is falling is if you're
>coming at this from the point of view that it would be a normal thing
>to see packets from the same /64 that have many different interface
>identifiers, and there is no logical need for this to ever happen.

Like I said, you're making the poor assumption that spammers will
follow your rules.  In reality, they'll do whatever they think will
get their spam through.

>You would be better off starting with the assumption that the
>existing design is fine, but that it needs adjusting for the new
>circumstances for IPv6.

I did that.  It doesn't work.

R's,
John

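A worked version of the thought experiment in the reply above, added here as an example; it is not John's code nor any DNSBL's. It assumes a hypothetical list zone bl.example, a toy LRU cache that stores negative answers as well as positive ones, and constructed sender addresses from the 2001:db8::/32 documentation range. It goes a step beyond the post by running the same hopping sender against a cache keyed per /64 and one keyed per /128, which is the granularity difference the two sides are arguing about.

```python
"""Added example (not from the thread): the /64-vs-/128 DNSBL cache
exhaustion argument made concrete.  Assumptions, labelled: hypothetical
zone "bl.example", an LRU cache model with negative caching, and
constructed addresses from the 2001:db8::/32 documentation prefix."""
from collections import OrderedDict
from fractions import Fraction
import ipaddress

CACHE_SLOTS = 100_000_000_000   # the post's "big honking" 100-billion-slot cache


def dnsbl_query_name(addr: str, prefix_len: int, zone: str = "bl.example") -> str:
    """Nibble-reversed query name in the ip6.arpa style IPv6 DNSBLs use,
    keeping only the nibbles covered by prefix_len so the cache sees one
    name per /prefix_len block.  prefix_len must be a nibble boundary."""
    if prefix_len % 4 or not 0 < prefix_len <= 128:
        raise ValueError("prefix_len must be a multiple of 4 in 4..128")
    nibbles = format(int(ipaddress.IPv6Address(addr)), "032x")
    return ".".join(reversed(nibbles[: prefix_len // 4])) + "." + zone


def queryable_fraction(cache_slots: int, prefix_len: int) -> Fraction:
    """Fraction of all /prefix_len blocks that can be looked up (one cache
    entry each, listed or not) before every slot is occupied."""
    return Fraction(cache_slots, 2 ** prefix_len)


class NegativeCachingResolver:
    """Toy caching resolver: remembers every answer, NXDOMAIN included,
    and evicts the least recently used entry when full."""

    def __init__(self, slots: int):
        self.slots = slots
        self.cache: "OrderedDict[str, str]" = OrderedDict()
        self.evicted = 0

    def lookup(self, qname: str) -> str:
        if qname in self.cache:
            self.cache.move_to_end(qname)
            return self.cache[qname]
        if len(self.cache) >= self.slots:
            self.cache.popitem(last=False)
            self.evicted += 1
        # Constructed answer: whether the block is listed does not change
        # the cache pressure, only that a slot gets consumed.
        self.cache[qname] = "NXDOMAIN"
        return self.cache[qname]


def hop_addresses(base: str, count: int, stride_bits: int):
    """Yield `count` addresses from `base`, advancing by 2**stride_bits per
    step: 64 hops across /64s, 0 hops across interface identifiers."""
    start = int(ipaddress.IPv6Address(base))
    for i in range(count):
        yield str(ipaddress.IPv6Address(start + (i << stride_bits)))


def simulate(sender_addrs, prefix_len: int, slots: int, legit_addrs=()):
    """Warm the cache with legitimate senders, then replay the hopping
    sender.  Returns (entries in cache, evictions, legit entries surviving)."""
    resolver = NegativeCachingResolver(slots)
    legit_names = [dnsbl_query_name(a, prefix_len) for a in legit_addrs]
    for name in legit_names:
        resolver.lookup(name)
    for addr in sender_addrs:
        resolver.lookup(dnsbl_query_name(addr, prefix_len))
    survivors = sum(1 for name in legit_names if name in resolver.cache)
    return len(resolver.cache), resolver.evicted, survivors


if __name__ == "__main__":
    pct = float(queryable_fraction(CACHE_SLOTS, 64)) * 100
    print(f"/64 granularity: {pct:.8f}% of the space fills the cache")

    legit = [f"2001:db8:ffff:{i:x}::25" for i in range(10)]      # constructed
    spammer_64 = list(hop_addresses("2001:db8::1", 2000, 64))     # new /64 per message
    spammer_iid = list(hop_addresses("2001:db8::1", 2000, 0))     # new IID, same /64
    for label, addrs in (("hop /64s", spammer_64), ("hop IIDs", spammer_iid)):
        for plen in (64, 128):
            print(label, f"keyed per /{plen}:", simulate(addrs, plen, 1000, legit))
```

With a 1000-slot cache, a sender that changes /64 every message evicts all ten legitimate entries whichever granularity the list uses; a sender that only changes the interface identifier does so at /128 granularity but adds a single entry at /64 granularity. The post's percentage is the queryable_fraction call: 1e11 divided by 2^64 is about 5.4e-9, i.e. 0.00000054%.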