On Nov 26, 2014, at 10:19 AM, Matthias Leisi <matth...@leisi.net> wrote:
On Wed, Nov 26, 2014 at 6:05 PM, Franck Martin <fmar...@linkedin.com> wrote:

As for /64, yes there are hosting providers that have all their customers in the same /64 and other cases like this where infrastructure is not separated by /64 boundaries. I think IPv6 blocking lists will be more of a last resort than a first line of defense (but that’s just me).

Note rbldnsd works at /64 by default, with /128 exceptions. DNSxLs are still the "cheapest" way to determine reputation because it can happen at connection stage (or as a computationally cheap input to a scoring mechanism such as SpamAssassin) - so I believe there is still value in it, and it is important to get it as efficient as possible.

Agreed, it is cheap in resources. However, it will be easier to add to a domain blocking list than to add to an IPv6 blocking list. Maybe "first line of defense" is the wrong naming. IPv6 blocking lists will be to remove the extreme badness of the Internet.
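
The /64-by-default, /128-exception granularity discussed in this thread, as an added example that is not part of the original messages and is not rbldnsd's code or zone format. The class and function names are hypothetical, the zone name `dnsxl.example` and the `2001:db8::/32` documentation addresses are constructed, and the query name follows the nibble-reversed form used for IPv6 DNSxL lookups.

```python
import ipaddress


def dnsxl_qname(addr, zone):
    """Query name for an IPv6 DNSxL lookup: 32 reversed nibbles + zone."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + zone


class V6BlockList:
    """Hypothetical in-memory list: /64 entries with /128 exceptions."""

    def __init__(self, listed_64s, exempt_128s=()):
        self.listed = set()
        for net in listed_64s:
            n = ipaddress.IPv6Network(net)  # rejects entries with host bits set
            if n.prefixlen != 64:
                raise ValueError(f"{net}: entries must be /64")
            # Key each entry by the upper 64 bits of the address.
            self.listed.add(int(n.network_address) >> 64)
        self.exempt = {int(ipaddress.IPv6Address(a)) for a in exempt_128s}

    def is_listed(self, addr):
        a = int(ipaddress.IPv6Address(addr))
        if a in self.exempt:  # a /128 exception overrides the /64 entry
            return False
        return (a >> 64) in self.listed


# Constructed sample: one listed /64 in which one host is exempted.
SAMPLE = V6BlockList(["2001:db8:0:1::/64"], exempt_128s=["2001:db8:0:1::25"])

if __name__ == "__main__":
    for host in ("2001:db8:0:1::bad", "2001:db8:0:1::beef",
                 "2001:db8:0:1::25", "2001:db8:0:2::1"):
        state = "listed" if SAMPLE.is_listed(host) else "not listed"
        print(f"{host:22} {state:10} {dnsxl_qname(host, 'dnsxl.example')}")
```

Every host in the listed /64 other than the exempted /128 comes back listed, which is the shared-/64 hosting case raised in the thread.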