[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Implications of v6 on application level rate limiting...
Marco Hogewoning wrote:
On 5 feb 2010, at 16:57, Jeroen Massar wrote:
Alexander Mayrhofer wrote:
A simple approach would be to aggregate requests by prefix (/64 or /56
or even /48?), and use that prefix instead of the full IP adress. This
problem is not specific to our WHOIS use case, but will show up in SMTP
rate limiting, ssh blacklisting applications, SIP registration servers,
Indeed, that is the most simple and obvious approach: per 'level' eg
chunked something in order of /64, /48, /40, /36, /32 if X
hosts/upper-levels in that level do something bad you aggregate to the
X could vary per level of course.
And please please please make this aggregation policy case based or never aggregated above /64. There are a lot of ISP's out there who have different productsm with very different address plans which are all in the same /32 and can be quite close together, with a default policy of /56 for broadband residential, /48 for business and /64 for mobile.
So what seem to be a good and decent aggregation for DSL can all of a sudden create huge problems as you unintentionally block or ratelimit 65.000 mobile users from that same ISP.
I fear the same question will arise for people running spam black lists.
The space is so large that the allocation policies can vary massively
from one /32 to the next. At one extreme an LIR with a /32 need not even
be a provider and may allocate blocks to separate providers so
aggregating at the /32 would be silly as the LIR has no control over
then end users at all. In other cases millions of separate users may
have a single device IP allocated on a /127 PPP link.
If it is any help, as an ISP that has been doing IPv6 on DSL for 7
years, we allocate a /48 to each distinct customer regardless of how
many lines they have. We give them control over what blocks (down to
/64) are allocated to each line or lines as they need.
Of course you could whois the requester IPv6 address to see the block
size allocated to the requesting end user. But the whois server
providing that information might rate limit you !!!