How are IP-based rules (eg, bans/filters) affected once IPv6 becomes the standard?

Solution 1:

With IPv6, I don't think there is a perfect solution. But there are a number of things to consider:

  • ISPs will likely give out /64 subnets to individual customers. (There will be enough to go around.)
  • Workplaces will likely have at least one /64 per office.
  • ISPs offering strictly point-to-point links may choose to use prefixes between /64 and /126. (See why they aren't using /127 in general.) This would probably be either a short-sighted ISP, or one who wants to charge more for a full /64. There is really no reason that each endpoint (which could be a full customer network) should not be a /64.
  • Assuming most IPv6 end-user subnets will be on a /64, one could look at bit 6 in the interface identifier (see section 3.2.1 of RFC 4941) to check if it was likely generated based on a globally unique identifier (MAC address). This isn't foolproof, obviously. But if this bit is set, it likely indicates that the address was generated from a MAC address. So one could block IPv6 addresses based on the last 64 bits, and users could be blocked no matter which subnet they come from. (Maybe best to use this as a "hint" since MAC addresses, while supposed to be globally unique, in practice aren't always. Plus they are easily spoofed. But anyone savvy enough to go to the trouble would probably find it easier to grab a /64 and get 2^64 unique addresses anyway.)
  • If privacy addresses are in use... not much to do except block that one address for a short time. It'll likely change soon anyway. Factor in the network part of the /64 at this point, but be wary since you might be blocking someone's entire corporate office.

I would say that the best way would be to look first at individual addresses, then factor in the last 64 bits of the address, and patterns of abuse from particular /64 subnets in order to implement a blocking strategy. To summarize:

  • Start by blocking individual /128 IP addresses (like you probably do today with IPv4)
  • If you notice a pattern of abuse from a non-privacy address in the last 64 bits of an address, use that as a strong indicator in your blocking algorithm. Someone could be hopping between ISPs or subnets. (again, be careful with this since MACs are not necessarily unique - someone could be spoofing to exploit your algorithm) Also, this would only work against abusers who don't know how IPv6 works. ;-)
  • If you notice a pattern of abuse from a particular /64, block the entire /64 with a good error message so the offending network's administrator can do whatever work needs to be done on his/her end.

Good luck.

Solution 2:

The assumptions you list:

> IPs that share a subnet could very well be the same user

Continues to hold -- in fact if ISPs are allocating IPv6 subnets to their customers it becomes even more true.

> While IPs can be reused for various actual endpoints, it's relatively unlikely that you'll see duplicate connections from an IP that are not the same user, or at the very least the same household/organization (basically, a shared connection)

Continues to hold (in fact applies to the entire subnet as described above).

> It's not trivially easy for a user to obtain a new public IP (there is a medium-sized barrier to entry here)

Doesn't apply to an individual IP so much, but does apply to a subnet handed out by an ISP.

So basically we're looking at subnet bans where we currently have IP bans, assuming ISPs hand out subnets to all their users. If instead users get individual IPv6 addresses (one per user) then we're looking at single IPv6 bans, which may lead to a much longer ban table (and associated performance issues) if there are a lot of badly-behaved users.

In either case an IP ban becomes a more granular tool (i.e. less risk of blocking a bunch of users from an ISP that has a dynamic pool because one person misbehaved), which in my view is a good thing...


Solution 3:

Wikipedia/MediaWiki are adopting a policy of blocking a whole /64 when they block the fifth IP within that /64.

Five seems to be the standard rule-of-thumb that others are adopting - the couple of DNSBLs I've seen are adopting the same policy.

I've not seen any plans to aggregate blocks up above a /64, even though getting a /48 or a /56 is pretty easy for even a modest organisation. Of course, spammers currently often have a /24 (IPv4) or so, so I expect that they will start grabbing largish chunks of IPv6 space.
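The escalating policy the answers describe (Solution 1's per-/128, per-interface-identifier and per-/64 steps, and Solution 3's "fifth address in a /64" rule), as an added Python example that is not part of any answer. The threshold value, the constructed sample addresses (all in the 2001:db8::/32 documentation prefix) and the MAC-derived check via the u/l bit plus the 0xFFFE filler are assumptions, not something the answers specify.

```python
import ipaddress
from collections import defaultdict

ESCALATE_AT = 5  # Solution 3's rule of thumb (assumed): fifth blocked host in a /64 blocks the /64


def interface_id(addr):
    """Low 64 bits of an IPv6 address, i.e. the interface identifier (IID)."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)


def looks_mac_derived(addr):
    """Hint, not proof: u/l bit set (bit 6 of the first IID byte, RFC 4941 s3.2.1)
    plus the 0xFFFE filler of a modified EUI-64 suggests a MAC-derived IID."""
    iid = interface_id(addr)
    return ((iid >> 57) & 1) == 1 and ((iid >> 24) & 0xFFFF) == 0xFFFE


class BanTable:
    """Escalating bans: /128 first, the whole /64 after ESCALATE_AT hosts, and a
    MAC-derived IID seen abusing from two or more /64s treated as a block hint."""
    def __init__(self):
        self.blocked_hosts = set()                # /128 entries
        self.blocked_prefixes = set()             # /64 entries
        self.hosts_per_prefix = defaultdict(set)
        self.prefixes_per_iid = defaultdict(set)  # tracked for MAC-derived IIDs only

    def report_abuse(self, addr):
        ip = ipaddress.IPv6Address(addr)
        net = ipaddress.IPv6Network(f"{ip}/64", strict=False)
        self.blocked_hosts.add(ip)
        self.hosts_per_prefix[net].add(ip)
        if looks_mac_derived(addr):
            self.prefixes_per_iid[interface_id(addr)].add(net)
        if len(self.hosts_per_prefix[net]) >= ESCALATE_AT:
            self.blocked_prefixes.add(net)

    def is_blocked(self, addr):
        """Return 'host', 'prefix' or 'iid' for the rule that matched, else None."""
        ip = ipaddress.IPv6Address(addr)
        if ip in self.blocked_hosts:
            return "host"
        if any(ip in net for net in self.blocked_prefixes):
            return "prefix"
        if looks_mac_derived(addr) and len(self.prefixes_per_iid.get(interface_id(addr), ())) >= 2:
            return "iid"
        return None


def demo():
    """Constructed sample reports (documentation prefix, not real traffic)."""
    table = BanTable()
    for i in range(5):  # five privacy-style hosts in one /64 trigger the /64 block
        table.report_abuse(f"2001:db8:3::1c4a:9b7f:3e2d:8f1{i}")
    table.report_abuse("2001:db8:1::211:22ff:fe33:4455")  # same MAC-derived IID ...
    table.report_abuse("2001:db8:2::211:22ff:fe33:4455")  # ... seen from a second /64
    return table
```

The "iid" result is deliberately only a hint to feed into a scoring decision, since the answers note that MAC addresses are neither guaranteed unique nor hard to spoof.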

Tags:

IPv6