[ipv6hackers] (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)
Fernando Gont
fernando at gont.com.ar
Tue Feb 7 01:07:37 -03 2023
Hi, Andrew!
On 5/2/23 00:38, Andrew Ruthven wrote:
[....]
>>
>> Do you mean, e.g., that the draft should e.g. provide advice such as
>> "do
>> not block a single /128, bur rather consider blocking a /64 at a
>> minimum", and the like? or something else?
>
> I suggest having provisions to escalate from /128 to /64 to /56 to /32
> rather than jump directly to /64.
mmm... but in your list, there's no middle-ground between /128 and /64.
> The reason for this is that there may still be legitimate users in that
> /64. We experienced this painfully at work where the IRC daemon we used
> to use had built in, hardcoded connection ratelimiting. For IPv4 it was
> per IP, for IPv6 it was per /64. Everyone connecting at the start of
> the work day would trip the ratelimiting...
What kind of rate-limiting?
Thanks,
--
Fernando Gont
e-mail: fernando at gont.com.ar
PGP Fingerprint: 7F7F 686D 8AC9 3319 EEAD C1C8 D1D5 4B94 E301 6F01
More information about the Ipv6hackers
mailing list