ThreatSTOP Blog

IPv6 and IP reputation

Written by francisturner | March 8, 2011

The Register has an article today about how IPv6 will make (spam) blocklists fail. The article is correct that current DNSBL techniques - as developed by Paul Vixie & co - will struggle, but that doesn't in fact mean that IPv6 kills IP (or DNS) reputation; all it means is that the exact technique used by the current DNSBL solutions is not IPv6 compatible.

There are at least two ways forward. One way - the ThreatSTOP way - is to distribute not just IP addresses but also entire subnets. We do this already on IPv4, where we currently distribute the network blocks from places like DShield and Spamhaus to our subscribers; as of a few minutes ago, we were distributing 1342 subnets equating to 17377 /24 networks, with the largest single block being a /15 (95.216.0.0/15, which is AS43659 in Ukraine, FWIW).

The only thing that changes with IPv6 is that the network prefixes are longer (/64s being the anticipated network for an individual subscriber, whereas today most subscriber net blocks are /24 or smaller). Current devices that are IPv6 capable (which is pretty much everything, modulo buggy code versions) can do these prefix matches now, so the problem Stuart Paton talks about in the Register:

"As an example, the address space is so large that it would be easy for spammers to use a single IP address just once to send a single email"

is irrelevant.
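To make the subnet-matching argument concrete, here is an added example (not ThreatSTOP's code) of a prefix-keyed blocklist with longest-prefix lookup, plus the aggregation step that folds many single-use IPv6 addresses into one /64 entry. The prefixes and sender addresses are constructed from documentation ranges and carry no real reputation data.

```python
import ipaddress
from collections import Counter

class PrefixBlocklist:
    """IPv4/IPv6 blocklist keyed by network prefix, with longest-prefix-match lookup."""

    def __init__(self, prefixes):
        # Bucket networks by (IP version, prefix length) so a lookup is one
        # set-membership test per distinct prefix length, most specific first.
        self._buckets = {}
        for text in prefixes:
            net = ipaddress.ip_network(text, strict=False)
            self._buckets.setdefault((net.version, net.prefixlen), set()).add(net)
        self._order = sorted(self._buckets, key=lambda k: k[1], reverse=True)

    def lookup(self, addr):
        """Return the most specific listed prefix containing addr (as a string), or None."""
        ip = ipaddress.ip_address(addr)
        for version, plen in self._order:
            if version != ip.version:
                continue
            # Truncate the host address to this prefix length and test membership.
            candidate = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
            if candidate in self._buckets[(version, plen)]:
                return str(candidate)
        return None

def aggregate_by_prefix(addrs, prefixlen=64):
    """Count distinct sender addresses per covering prefix (default /64, the
    anticipated per-subscriber IPv6 assignment). Single-use addresses collapse
    into one reputation entry for the subnet they came from."""
    counts = Counter()
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        counts[str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))] += 1
    return counts

# Constructed sample list (documentation ranges), not a real feed.
BLOCKLIST = PrefixBlocklist([
    "2001:db8:dead:beef::/64",   # one subscriber's /64
    "2001:db8::/32",             # a larger block, like the /15 mentioned above
    "198.51.100.0/24",           # an IPv4 /24, as distributed today
])

# Constructed: one sender using five different addresses in a single /64, each once.
SINGLE_USE_SENDERS = [f"2001:db8:dead:beef::{i:x}" for i in range(1, 6)]

if __name__ == "__main__":
    for addr in SINGLE_USE_SENDERS + ["2001:db8:1::1", "2001:db9::1", "198.51.100.7"]:
        print(f"{addr:28} -> {BLOCKLIST.lookup(addr)}")
    print(aggregate_by_prefix(SINGLE_USE_SENDERS))
```

Every one of the five never-repeated addresses matches the single /64 entry, which is the whole point: the list carries the subnet, so the size of the address space inside it does not matter.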