
Re: Implications of v6 on application level rate limiting...



Hi Alex,
At 06:30 05-02-10, Alexander Mayrhofer wrote:
I'm working for the ".at" ccTLD registry, and we're currently
investigating the implications of adding v6 transport to our WHOIS
servers. For data protection & load management reasons, those WHOIS
servers are currently configured to apply rate limiting on the
application level on a per-IPv4-address basis, for example "5 queries
per hour, 100 queries per day" (etc). This works quite well on IPv4,
since acquiring a new IPv4 address is not trivial in most scenarios.

With the introduction of IPv6, the "per IP" strategy obviously doesn't
work anymore like this, because any host with a /64 can essentially
generate a new IP address for each request.

A simple approach would be to aggregate requests by prefix (/64 or /56
or even /48?), and use that prefix instead of the full IP address. This
problem is not specific to our WHOIS use case, but will show up in SMTP
rate limiting, ssh blacklisting applications, SIP registration servers,
etc.

There is a DNSBL listing the /64 if there are reports for five hosts within that /64. SMTP rate limiting is different from WHOIS as it is MTA to MTA communication. WHOIS, like several other application protocols that you mentioned, is user agent to server communication. If your limit is 100 queries per day per /64, that limit would be reached if the queries are spread over several clients in that /64. In practice, it may be viewed as acceptable to rate limit per /64.

Regards,
-sm
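As an added illustration of the per-prefix aggregation discussed in this thread (example code, not from either poster or the .at registry), the limiter below keys its budget on the client's /64 for IPv6 and on the single address for IPv4, so rotating through addresses inside one /64 draws from one shared budget. The prefix lengths, the 5-per-window limit and the sample addresses are assumptions chosen for the demonstration.

```python
import ipaddress
import time
from collections import defaultdict, deque
from typing import Dict, Optional

# Assumed policy: aggregate IPv6 clients at /64 (as discussed in the thread),
# keep IPv4 per single address.
IPV6_PREFIX_LEN = 64
IPV4_PREFIX_LEN = 32


def rate_limit_key(addr: str) -> str:
    """Map a client address to the network that serves as its bucket key."""
    ip = ipaddress.ip_address(addr)
    plen = IPV6_PREFIX_LEN if ip.version == 6 else IPV4_PREFIX_LEN
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


class PrefixRateLimiter:
    """Sliding-window limiter: at most `limit` queries per `window` seconds per key."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits: Dict[str, deque] = defaultdict(deque)  # key -> query timestamps

    def allow(self, addr: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._hits[rate_limit_key(addr)]
        while q and now - q[0] >= self.window:  # expire entries outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def demo() -> dict:
    """Constructed scenario: six distinct addresses from one /64, then one from another /64."""
    limiter = PrefixRateLimiter(limit=5, window=3600)
    rotating = ["2001:db8:1:2::%x" % i for i in range(1, 7)]  # constructed sample addresses
    same_prefix = [limiter.allow(a, now=float(i)) for i, a in enumerate(rotating)]
    other_prefix = limiter.allow("2001:db8:1:3::1", now=10.0)
    return {"same_prefix": same_prefix, "other_prefix": other_prefix}
```

The sixth query from the first /64 is refused even though its address was never seen before, which is exactly the effect of aggregating by prefix; the caveat from the reply also holds, since several legitimate clients behind one /64 share that same budget.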