What IPv6 means for IP-reputation services

(Now coming to you from the East Coast of the US)

One of the things that struck me during the Cascadia IT Conference was the impact of IPv6 on IP reputation services. I've blogged about this in the past, but IP reputation is a very key spam-fighting technique. DNS RBLs have been around for over a decade now and remain the free option. In the paid anti-spam realm, the big vendors manage IP reputation databases to determine whether or not an incoming connection is worthy of their time, and usually provide better granularity than the RBLs do. The same applies to blog comment-spam, as it happens.

The DNS-RBL functions very simply:

  1. A connection is made from the Internet.
  2. The mailer/blog-engine performs a lookup of the IP in the black-hole list.
  3. The RBL returns a value.
  4. The mailer/blog-engine acts on that value.

In an era where Comcast is passing out whole /64s to end-users, which in turn means end users can have more IP addresses than are available on the entire IPv4 Internet, this one-to-one style of lookup breaks. Obviously, a one-to-one port of the IPv4 RBL code to IPv6 will not be nearly as effective as it is with just IPv4.

The solution is fairly obvious: start blacklisting subnets. The code changes, however, are non-trivial. Right now a stock RBL can be made with BIND and a standard zone file filled with A records. Classful IPv4 subnets can be blacklisted with wildcard DNS entries. The same can be done for IPv6 zone files, with much finer granularity available. Of course, RBL clients need to be updated to handle RBL lookups with v6 addresses.
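To make the four-step lookup and the subnet-wildcard idea concrete, here is an added example (my own code, not from the original post). It builds the DNS name an RBL client would query for a v4 or v6 address, builds the wildcard record name a zone operator would publish for a subnet, and resolves queries against a small constructed in-memory zone instead of a live DNS server. The zone name `bl.example`, the listed addresses and the `127.0.0.2` return value are all made-up placeholders. The wildcard matching is a simplified model of BIND's behaviour (closest wildcard wins), not a full resolver.

```python
"""Constructed model of DNS-RBL lookups for IPv4 and IPv6 (added example)."""
from __future__ import annotations

import ipaddress
from typing import Optional

# Placeholder zone name; a real RBL publishes its own.
RBL_ZONE = "bl.example"


def _reversed_labels(ip: ipaddress._BaseAddress) -> list[str]:
    """Labels in the order RBL clients use.

    IPv4: the four octets, reversed (10.2.0.192 for 192.0.2.10).
    IPv6: all 32 hex nibbles of the expanded address, reversed, one per label.
    """
    if ip.version == 4:
        return str(ip).split(".")[::-1]
    return list(ip.exploded.replace(":", ""))[::-1]


def rbl_query_name(addr: str, zone: str = RBL_ZONE) -> str:
    """Step 2 of the procedure: the name a client looks up for one address."""
    ip = ipaddress.ip_address(addr)
    return ".".join(_reversed_labels(ip)) + "." + zone.rstrip(".") + "."


def wildcard_record_name(cidr: str, zone: str = RBL_ZONE) -> str:
    """The wildcard owner name a zone operator publishes to list a whole subnet.

    A DNS label covers 8 bits for IPv4 (one octet) but only 4 bits for IPv6
    (one nibble), which is why v6 wildcards offer finer granularity. Prefix
    lengths that do not fall on a label boundary cannot be expressed as a
    single wildcard, so they are rejected.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    width = 8 if net.version == 4 else 4
    if net.prefixlen % width or net.prefixlen == net.max_prefixlen:
        raise ValueError(f"{cidr}: prefix must be a multiple of {width} bits "
                         f"and shorter than a single address")
    keep = net.prefixlen // width
    labels = _reversed_labels(net.network_address)
    prefix_labels = labels[len(labels) - keep:]  # high-order labels only
    return "*." + ".".join(prefix_labels) + "." + zone.rstrip(".") + "."


def lookup(name: str, records: dict[str, str]) -> Optional[str]:
    """Step 3: simplified zone lookup; exact match first, then wildcards.

    Wildcards are tried from the most specific (one label stripped) to the
    least specific, a rough stand-in for BIND's closest-encloser rule.
    """
    if name in records:
        return records[name]
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        candidate = "*." + ".".join(labels[i:])
        if candidate in records:
            return records[candidate]
    return None


def build_sample_zone(zone: str = RBL_ZONE) -> dict[str, str]:
    """Constructed zone contents: one host, one v4 /24 and one v6 /64 listed."""
    listed = "127.0.0.2"  # conventional 'listed' answer used by many RBLs
    return {
        rbl_query_name("192.0.2.10", zone): listed,          # single IPv4 host
        wildcard_record_name("198.51.100.0/24", zone): listed,  # IPv4 subnet
        wildcard_record_name("2001:db8:1:2::/64", zone): listed,  # IPv6 /64
    }


def is_listed(addr: str, records: dict[str, str], zone: str = RBL_ZONE) -> Optional[str]:
    """Steps 2-4 together: build the query name and return the RBL answer, if any."""
    return lookup(rbl_query_name(addr, zone), records)


if __name__ == "__main__":
    zone = build_sample_zone()
    for sample in ("192.0.2.10", "192.0.2.11", "198.51.100.77",
                   "2001:db8:1:2::abcd", "2001:db8:1:3::1"):
        print(f"{sample:>22} -> {rbl_query_name(sample)} -> {is_listed(sample, zone)}")
```

Note how the /64 entry catches any host in that subnet with a single record, whereas listing hosts one at a time would never keep up with a customer who can cycle through 2^64 addresses; the same mechanism limits IPv4 wildcards to 8-bit steps (/8, /16, /24), which is the granularity gap the post refers to.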

Which is to say that in the IPv6 future, the subnet will matter more than the discrete IP address for many things. This is one of the areas that everything relying on IP addresses for access decisions will have to start taking into consideration (as will the people who write the rules).