Dear Jason,

On Mar 30, 2013, at 7:57 AM, "Livingood, Jason" <jason_living...@cable.comcast.com> wrote:

> On 3/29/13 12:58 PM, "John Levine" <jo...@taugh.com> wrote:
>
>>> As a result, it is questionable whether any IPv6 address-based
>>> reputation system can be successful (at least those based on voluntary
>>> principles.)
>>
>> It can probably work for whitelisting well behaved senders, give or take
>> the DNS cache busting issues of IPv6 per-message lookups.
>>
>> Since a bad guy can easily hop to a new IP for every message (offering
>> interesting new frontiers in listwashing) I agree that it's a losing
>> battle for blacklisting, other than blocking large ranges of hostile
>> networks.
>
> Agree. The IP blacklisting that worked well for IPv4 is completely
> unsuited for IPv6 (I'd go as far as to say it is a complete failure, no
> matter if you look at different size prefixes or not).

Agreed.

> The only model that I personally can see working at the moment for IPv6 is
> a mix of domain-based reputation and whitelisting. I like domain-based
> better since it is managed by sending domains on a distributed basis.

Current domain-based strategies such as SPF offer fragile dependence on return-path parameters that may incur a large number of transactions to resolve authorizations. Use of DKIM must also consider that the signing domain controls neither actual sources, intended recipients, nor message relaying.

> Mail acceptance for IPv4 worked inclusively - receivers accept unless IP
> reputation or other factors failed. IMHO with IPv6 that model may need to
> be turned around to an exclusive one - so receivers will not accept mail
> unless certain factors are met (like domain-based authentication or the
> IPv6 address is on a whitelist). I'd expect MAAWG will continue to be a
> good place for mail ops folks to work through this stuff.

While SPF offered a fix for DSN back-scatter, neither this scheme nor DKIM provides a suitable basis for domain reputation. Neither authorization nor signed message content provides any direct evidence of abuse accountability.

Permission for this occurs by leaving the future of email primarily in the hands of those having conflicts of interest. For example, none of the current domain-based schemes offer a means to hold those paid to send bulk email accountable. Several would even be happy to see IPv6 email require IPv4 providers to relay IPv6 email.

Here is the link that illustrates the serious problem:
http://www.bungi.com/Dom-v6.pdf

And again, I call on the IETF to work on this problem.

Regards,
Douglas Otis
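The per-message IPv6 DNSBL lookup problem John and Jason describe above, as an added example that is not part of this thread: a Python sketch (zone name and addresses are constructed) that builds the nibble-reversed query name and counts how many distinct lookups a sender hopping through one /64 generates when keyed per /128 versus per /64. The shorter-prefix truncation is a constructed aggregation scheme for illustration, not a published DNSBL convention.

```python
import ipaddress
from typing import Iterable

# Assumed DNSBL zone name; constructed for this example.
ZONE = "v6.bl.example"

def dnsbl_name(addr: str, zone: str = ZONE, prefix_len: int = 128) -> str:
    """Nibble-reversed query name for an IPv6 address, keeping only the
    first prefix_len bits (prefix_len must be a multiple of 4).
    prefix_len=128 is the usual full-address form; shorter values are a
    constructed aggregation scheme so one cached answer covers a prefix."""
    if prefix_len % 4 or not 0 < prefix_len <= 128:
        raise ValueError("prefix_len must be a multiple of 4 in 4..128")
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    kept = nibbles[: prefix_len // 4]
    return ".".join(reversed(kept)) + "." + zone

def distinct_lookups(addrs: Iterable[str], prefix_len: int) -> int:
    """Number of distinct DNS names a receiver must query (and cache) for
    the given sending addresses at a given aggregation granularity."""
    return len({dnsbl_name(a, prefix_len=prefix_len) for a in addrs})

def is_listed(addr: str, listed: set, prefix_len: int) -> bool:
    """Offline stand-in for a DNS query: a listing is a set of query names."""
    return dnsbl_name(addr, prefix_len=prefix_len) in listed

# Constructed sample: a sender rotating through 100 addresses in one /64.
HOPPING_SENDER = [f"2001:db8:1:2::{i:x}" for i in range(1, 101)]

if __name__ == "__main__":
    print("per /128:", distinct_lookups(HOPPING_SENDER, 128))  # 100
    print("per /64:", distinct_lookups(HOPPING_SENDER, 64))    # 1
    # A /128 entry for the first address misses every later hop; a /64
    # entry derived from the same address covers all of them.
    single = {dnsbl_name("2001:db8:1:2::1")}
    prefix = {dnsbl_name("2001:db8:1:2::1", prefix_len=64)}
    print(sum(is_listed(a, single, 128) for a in HOPPING_SENDER))  # 1
    print(sum(is_listed(a, prefix, 64) for a in HOPPING_SENDER))   # 100
```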