On 10/3/2015 10:35 AM, Scott Morizot wrote:
One of the points in having 64 bits reserved for the host portion of the address is that you never need to think or worry about individual addresses. IPv6 eliminates the address scarcity issue. There's no reason to ever think about how many individual addresses are available on any network. The answer is always more than enough. Instead you think about networks and network size.
One thing that I thought was going to be a huge help with sending-IP blacklists in the IPv6 world... was perhaps shifting to tighter standards and greater reliance for Forward Confirmed rDNS (FCrDNS). For example, already in the IPv4 world, not having a PTR record means that lots of your mail won't get delivered. And not having a PTR record puts a "hair trigger" on your IP as far as getting blacklisted. Furthermore, having a dynamic-formatted PTR record is also a red flag. In contrast, a properly formatted PTR record, that ends in your primary domain name, does two HUGE things: It conveys both IDENTITY and REPUTATION upon that IP. Then FCrDNS follows that up by proving that the PTR record is authentic. Sadly, some very legit sources of e-mail that frustrate customers when blocked.. don't follow these rules... even a few senders with *no* PTR records. Fortunately, those are rare, and are generally handled with whitelistings, etc.--once confirmed to be sending important/desired mail. I was hoping that IPv6 could, if anything, tighten up these standards... ideally, these standards WOULD/SHOULD tighten up... but it looks like IPv6 is going to destroy these standards instead. Why? Because if an anti-spam blacklist is operating according to so many people's suggestions on this thread... and treating a /48 as if it were one IP. (or even a /56 or /64)... and should "not worry about individual addresses"... doesn't it remain true that in the IPv6 world... that PTR records are assigned on an individual IP basis? Or am I wrong and there is some kind of more generic PTR record lookup for a whole /64, or /48? If they are assigned individually, then this this is yet another reason that spam filtering for IP6 is thrown back into the dark ages (among others I've mentioned--that have NOT been fully answered). For example, if a spammer who has acquired a /48 is sending from literally millions, perhaps billions, of DIFFERENT IPs on that /48, then (a) the individual PTR records lookups would be prohibitively expensive (no scaling) and DNS caches of those would fill up RAM and hard drives, and (b) those actual PTR lookups could map back 1-to-1 to the spammers distribution list and give the spammer valuable intel about spamtraps, helping them "listwash", etc. (they would merely need to figure out the sources of the anti-spam blacklist's PTR lookups... this isn't an issue in the IPv4 world because they can't map that lookup to an individual e-mail address) Losing that tool (PTR and FCrDNS) for tracking/identifying senders... is a HUGE loss for spam filters and for anti-spam blacklists.. not just in the ability to identify spammers, but also in their ability to minimize false positives due to being able to more accurately identifying legit senders. (especially legit sender's newly acquired IP ranges that they deploy for mail sending) And on a simpler level, if there are multiple DIFFERENT PTR records for different IPs on that same /48 or /56 or /64 (different as in, ending with a different domain)... which one should be used for identifying the validity of the whole block? Sure, IP whois info is another helpful source... but I find LOTS of situations the IP4 world where IP whois doesn't drill down very far, and MASSIVE numbers of very diverse and separate networks are under one massive umbrella, where treating them all the same would cause massive FPs or massive FNs. is IPv6 any (or much!) better? Or can that too-large-umbrella happen with IPv6, too?
Also, good luck trying to shove the IPv6 genie back into the bottle. I doubt you're going to have much success. I know my large organization has seen the percentage of email traffic on our edge MTAs using IPv6 steadily grow since we dual-stacked them back in 2012. It's been a while since I checked with the organization responsible for them, but I believe it's somewhere north of 10% of all email traffic now.
You sound like you think I'm looking for a problem. But I'm actually looking for solutions, and I think you're underestimating the problems. I wonder if you read my posts. I'm all in favor of rapid adoption of IPv6 for SMTP-Authenticated traffic from the client to server. And I'm in favor of all non-mail rapid adoption of IPv6. The ONLY area where I think IPv6 shouldn't be too fast is MTA-to-MTA communication, and where we shouldn't eliminate IPv4 too fast for this reason alone. when you say, "north of 10%"... I wonder, what is that percentage if you don't include client-to-server SMTP-Authenticated traffic? Also, since such a low percentage of mail servers currently accept IPv6 traffic, all my worst fears about spam filtering in the IPv6 world are not going to be on display since the vast majority of spammers don't send via IPv6. This a ticking time bomb if IPv6 mail server traffic is pushed too fast. Just because it works now doesn't mean it will be workable later. I DO have some solutions in mind, but at this point in the discussion... it seems like a waste of time to even mention them when so many don't take these problems seriously. I think many are underestimating how much scarcity of IPs is helping ESPs and hosters try hard to keep their IPs clean. I'm on the front lines in fighting the most sneakiest spam and in dealing with grayhat ESPs who try to not send spam, but don't try that hard and WOULD be more worried about making more sales that month--EXCEPT that but don't want to see their *scarce* IPv4 IPs soiled. When others who are not on the front lines blow these concerns off, I'm reminded of the phrase, "let them eat cake". -- Rob McEwen +1 478-475-9032