On Thu, Mar 27, 2014 at 6:17 AM, Owen DeLong <owen@delong.com> wrote:
It only takes a single entry if you do not store /128s but that /64. Yes, RBL lookups do not currently know how to handle this, but there are a couple of good proposals around on how to do it.
Then the spammers will grab /48s instead of /64s. Lather, rinse, repeat.
Admittedly, /48s are only 65,536 RBL entries per, but I still think that address-based reputations are a losing battle in an IPv6 world unless we provide some way for providers to hint at block sizes.
That's why I believe having varying levels of granularity is the best trade off between cache friendliness, administrative effort and implementation complexity, independent on whether it's "default deny" or "default accept". We either need to solve (or reduce the impact of) the DNS cache issue or we need to solve the fixed-range issue. Or IP-based reputation as we know it today is more or less dropped from the anti-spam toolset when it comes to IPv6. -- Matthias