With the increasing uptake of the new IPv6 internet protocol, people are starting to notice some of the downsides of the much larger number of IP addresses that will become available. An excellent example is the MTU issues Geoff Huston wrote about earlier this year, and as IPv6 adoption increases more problems are likely to appear. The number of IPv6 addresses in use is growing rapidly:

[plot: number of IPv6 addresses in use]

The current address assignment policies for IPv6 suggest that every internet connection should be assigned at least a “/64” subnet; this includes home computers that currently receive only a single IP address. A /64 subnet contains 18,446,744,073,709,551,616 addresses; and if that isn’t enough, it’s recommended to assign companies a /48 subnet (65536 /64 subnets!), and the same for individual users.

While this is all very nice (it removes the need for NAT, doesn’t require you to get a “business-grade” connection to get multiple IP addresses, et cetera), it also raises some new issues. I recently talked to a provider of anti-spam services who foresaw some major issues for blacklists. Even if the blacklists list only complete /64 subnets instead of single hosts, a typical end user might be listed 65536 times; it might make sense for malware to try sending from a different subnet if too many delivery attempts are blocked. This makes the storage requirements for the blacklists explode, making operating them much more expensive.

In addition to that, the use of blacklists with IPv6 will also put more load on DNS servers. Right now a typical lookup looks like this: 23.42.168.192.dnsbl.example.net. For an IPv6 address, the standard is to use the hexadecimal nibbles of the full address, reversed, one per label; for example: b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.8.b.d.0.1.0.0.2.dnsbl.example.net

This means DNS traffic to the DNSBL servers will increase, and so will the amount of memory needed for caching the responses. Because most machines will be using a public IP address, instead of entire networks being NATed to a single IP, there will be more of these lookups as well, and to make matters even worse most machines will be using privacy extensions. Since IPv6 privacy extensions make every machine change its IP address regularly, there will appear to be even more hosts for which DNSBL lookups are needed.
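As an added example (not code from the original post), the following Python builds the DNSBL query names shown above for both address families, and shows how aggregating a listing to a /64 collapses the churn from privacy extensions into a single key. The zone dnsbl.example.net is the one used in the post; the `listing_key` and `entries_needed` helpers are my own construction, not any DNSBL operator's format.

```python
import ipaddress

ZONE = "dnsbl.example.net"  # zone from the post; a real DNSBL has its own


def dnsbl_query_name(address: str, zone: str = ZONE) -> str:
    """Return the name a mail server would look up for `address` in `zone`.

    IPv4: the four octets in reverse order.
    IPv6: all 32 hex nibbles of the fully expanded address, one per label,
          in reverse order (the format shown in the post, as in RFC 5782).
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        labels = list(ip.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def listing_key(address: str, prefix_len: int = 64) -> str:
    """Hypothetical storage key for listing a whole subnet instead of a host.

    Aggregates `address` to its /prefix_len and returns only the reversed
    nibbles that identify that prefix (16 labels for a /64). Every address a
    privacy-extension host rotates through inside the /64 maps to the same key.
    prefix_len is assumed to be a multiple of 4 so it falls on a nibble edge.
    """
    net = ipaddress.ip_network((address, prefix_len), strict=False)
    nibbles = net.network_address.exploded.replace(":", "")
    kept = nibbles[: prefix_len // 4]  # high-order nibbles only
    return ".".join(reversed(kept))


def entries_needed(prefix: str, granularity: int = 64) -> int:
    """Number of /granularity entries needed to list every subnet in `prefix`.

    Illustrates the post's point: one end user with a /48 is 65536 /64s.
    """
    net = ipaddress.ip_network(prefix)
    return 1 << (granularity - net.prefixlen)


if __name__ == "__main__":
    print(dnsbl_query_name("192.168.42.23"))
    print(dnsbl_query_name("2001:db8:1:2:3:4:567:89ab"))
    print(listing_key("2001:db8:1:2:3:4:567:89ab"))
    print(entries_needed("2001:db8::/48"))
```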

My personal expectation is that a mass migration to IPv6 will mean the end of free DNSBL services; dsbl.org has already thrown in the towel and SORBS is currently having difficulties finding a hosting location. Which, in turn, will leave more mail for everyone to sort through.
