Ted Mittelstaedt <t...@ipinc.net> writes:

> No, since the number of total host numbers in a /64 is vastly larger
> than in a /128, if you hold to single number queries then it will blow
> it out far far faster.
>
> This is why I said SA needs to be modified to treat a single hit in a
> /64 as the entire /64 is contaminated, and cease further queries on
> numbers in that /64.
A /64 is in some respects like an IPv4 /24 except that it has vastly more hosts. Declaring all occupants of a /64 bad due to one misbehaving host seems no more reasonable than blacklisting an entire IPv4 /24 or larger.

There are two separate issues here:

1. Ability to list individual hosts when the network running the host
   is basically reasonable but may have compromised hosts. For this,
   the semantics of the list should be similar to the IPv4 blacklists,
   but with a larger address space and not necessarily any more entries.

2. Ability to aggregate blacklists of prefixes when a spammer is
   rotating through addresses to evade blacklisting. Here, the BL
   operator can detect this and publish a blacklist entry for an entire
   prefix. So a whole /64 or /48 can be blocked with one DNS-published
   entry, while retaining the ability to not paint all hosts with the
   same brush.
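The two listing semantics argued for in the reply, as an added example that is not part of the original thread or of SpamAssassin: a local IPv6 listing with individual /128 host entries alongside operator-published /64 and /48 prefix entries, a longest-prefix lookup, a cache that short-circuits a whole prefix only when the operator actually listed that prefix (so one bad neighbour does not taint its /64), and the nibble-reversed DNS query name that RFC 5782 defines for an IPv6 DNSBL lookup. The listing entries and the zone name `dnsbl.example` are constructed for the example.

```python
import ipaddress

# Constructed sample listings (not real data): a compromised host on an
# otherwise reasonable network, plus two prefixes the list operator has
# decided to publish as a whole because a spammer rotates through them.
SAMPLE_LISTINGS = [
    "2001:db8:1:1::25",    # single host (/128)
    "2001:db8:bad::/64",   # whole /64 published by the BL operator
    "2001:db8:2::/48",     # whole /48 published by the BL operator
]


def load_listings(entries):
    """Parse listing strings into IPv6Network objects, most specific first."""
    nets = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version != 6:
            raise ValueError(f"not an IPv6 listing: {entry}")
        nets.append(net)
    # Longest prefix first so a /128 entry inside a listed /48 still wins.
    return sorted(nets, key=lambda n: n.prefixlen, reverse=True)


def lookup(addr, listings):
    """Return the most specific listing covering addr, or None if unlisted."""
    ip = ipaddress.IPv6Address(addr)
    for net in listings:
        if ip in net:
            return net
    return None


def dnsbl_query_name(addr, zone="dnsbl.example"):
    """RFC 5782 query name for a /128: 32 reversed nibbles under the zone.

    The zone name is an assumption for the example.
    """
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + zone


class ListingCache:
    """Cache lookup results with the granularity the list itself expressed.

    A hit on an operator-published prefix is remembered for that whole
    prefix; a hit (or miss) on an individual host is remembered for that
    /128 only. This is the aggregation-by-operator semantics the reply
    describes, as opposed to inferring a contaminated /64 from one hit.
    """

    def __init__(self, listings):
        self.listings = listings
        self.cache = {}            # covering network -> listing or None
        self.backend_lookups = 0   # how many real (DNS-style) queries we made

    def check(self, addr):
        ip = ipaddress.IPv6Address(addr)
        for net, result in self.cache.items():
            if ip in net:
                return result
        self.backend_lookups += 1
        result = lookup(addr, self.listings)
        # Cache under the listed prefix if there was one, else under the /128.
        key = result if result is not None else ipaddress.IPv6Network(f"{ip}/128")
        self.cache[key] = result
        return result


if __name__ == "__main__":
    listings = load_listings(SAMPLE_LISTINGS)
    cache = ListingCache(listings)
    for probe in ["2001:db8:1:1::25", "2001:db8:1:1::26",
                  "2001:db8:bad::1", "2001:db8:bad::2", "2001:db8:2:7::1"]:
        print(f"{probe:22} -> {cache.check(probe)}  query: {dnsbl_query_name(probe)}")
    print("backend lookups:", cache.backend_lookups)
```

The neighbour `2001:db8:1:1::26` of the listed host stays unlisted and costs its own lookup, while the second address in `2001:db8:bad::/64` is answered from the cached prefix without another query; the query-volume concern in the quoted message is thus addressed only where the operator has chosen to publish a prefix.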