It turns out that IPv6 works OK and dual stack works fine. That /n has absolutely no value whatsoever.
IPv6 advocate Jun Murai today announced he will put more than 14 million IPv4 addresses up for sale, with all the proceeds – expected to top US$300m – going to a trust focused on boosting Asia-Pacific connectivity and online services. Writing on the website of the Japan-based WIDE Project, which Murai founded in 1985 and which …
is there a problem with SMTP over IPv6 that I don't know about?
None whatsoever. My personal mail server supports it just fine. You can even get spam using it :)
22/3/2020 11:38:24.541 - Client:2001:EE0:4141:B State:RcptTo Action:Reject Rule:Reject general crap Size:129413 MAILFROM:firstname.lastname@example.org Recipients:(be3b1ce3b@XXXXXXX)
Yes, hmmm, RBLs might not work very well for IPv6 addresses
Assumptions don't work well for IT either ;)
It's rejecting based on the recipient. 'be3b1ce3b' isn't even close to the required format so the message is rejected immediately. My mail server has very strict recipient rules because I use a DEA system. That recipient name isn't even close to acceptable.
The only blacklisting my server does is on security violations. There are no IPv6 addresses in the list at the moment but I don't know if that's because it doesn't store them or because there have been no attacks from IPv6 addresses.
An RBL based on prefixes could work. You do, however, run into the same problem that makes IPv6 Privacy Extensions more anonymous than IPv4, you will need to know the size of a prefix for every IP to make it accurate.
Most ISPs give out a /56 per connection, some more generous ones give out a /48, the most stingy ones only give out a /64. If you take a wild guess and assume that every IP is part of a /56 block you run the risk of either not blocking enough or blocking half the subscriber base of some ISP.
Start at /64 and expand leftwards every time the spammer demonstrates the ability to use adjacent unblocked addresses. You'll find the right size in O(log n) trials, not the O(n) that everybody seems to assume. Bonus points for expanding 4 bits at a time to keep on nibble boundaries, and for remembering the size on a per-ISP basis so you only have to do it once for each ISP.
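The widening scheme in the comment above, written out as an added example (this is not code from the thread or from any mail server mentioned in it). It starts each new offender at a /64, widens that block one nibble at a time only when a later hit lands just outside it, merges any blocks the wider one swallows, and remembers the learned size per ISP. Two things are assumptions of mine, not of the commenter: the covering /32 stands in for "the ISP", and widening stops at /48. The sample addresses are constructed from the documentation ranges.

```python
import ipaddress

START_PREFIX = 64   # first block for a new offender: one /64, as the comment suggests
STEP = 4            # widen one nibble (4 bits) at a time so blocks stay on hex-digit boundaries
MIN_PREFIX = 48     # assumption: never widen past a /48, the largest per-customer size mentioned
ISP_PREFIX = 32     # assumption: the covering /32 stands in for "the ISP" when remembering sizes


class PrefixBlocklist:
    """Adaptive IPv6 blocklist: start narrow, widen when a known spammer hops to an adjacent address."""

    def __init__(self):
        self.blocks = set()    # blocked IPv6Network objects
        self.isp_size = {}     # ISP allocation (IPv6Network) -> prefix length learned for that ISP

    @staticmethod
    def _isp_of(addr):
        return ipaddress.IPv6Network((addr, ISP_PREFIX), strict=False)

    def covering_block(self, addr):
        """Return the block that covers addr, or None if it is not blocked."""
        a = ipaddress.IPv6Address(addr)
        for block in self.blocks:
            if a in block:
                return block
        return None

    def is_blocked(self, addr):
        return self.covering_block(addr) is not None

    @staticmethod
    def _widen_to_cover(block, a):
        """Smallest nibble-aligned supernet of block that also contains a, or None past MIN_PREFIX."""
        net = block
        while a not in net:
            if net.prefixlen - STEP < MIN_PREFIX:
                return None
            net = net.supernet(prefixlen_diff=STEP)
        return net

    def report_spam(self, addr):
        """Record a spam source; return the block that now covers it."""
        a = ipaddress.IPv6Address(addr)
        existing = self.covering_block(a)
        if existing is not None:
            return existing
        isp = self._isp_of(a)

        # The spammer has shown it can use an address adjacent to a block we already hold:
        # widen that block just enough (on a nibble boundary) to take the new address in.
        for block in sorted(self.blocks, key=lambda n: n.prefixlen, reverse=True):
            wider = self._widen_to_cover(block, a)
            if wider is not None:
                # merge every existing block that the widened one now swallows
                self.blocks = {b for b in self.blocks if not b.subnet_of(wider)}
                self.blocks.add(wider)
                # remember the size for this ISP so the next offender there starts wide
                self.isp_size[isp] = min(self.isp_size.get(isp, START_PREFIX), wider.prefixlen)
                return wider

        # Fresh offender: start at the size already learned for this ISP, else a bare /64.
        size = self.isp_size.get(isp, START_PREFIX)
        block = ipaddress.IPv6Network((a, size), strict=False)
        self.blocks.add(block)
        return block


def demo():
    """Walk one spammer through the widening steps; return the resulting blocks as strings."""
    bl = PrefixBlocklist()
    bl.report_spam("2001:db8:1234:5600::1")   # first hit: a bare /64
    bl.report_spam("2001:db8:1234:5601::1")   # adjacent /64 -> block widens to /60
    bl.report_spam("2001:db8:1234:5610::1")   # just outside the /60 -> widens to /56
    bl.report_spam("2001:db8:abcd:1200::5")   # another customer of the same /32: starts at /56
    bl.report_spam("3fff:0:1234:5600::1")     # constructed address in a different /32: back to /64
    return sorted(str(b) for b in bl.blocks)


if __name__ == "__main__":
    for b in demo():
        print(b)
```

Three hits were enough to settle on the /56 in the walkthrough, and the fourth offender on the same /32 was blocked at /56 straight away; the cap at /48 is what stops a persistent spammer from dragging an entire ISP into the list.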
"If you take a wild guess and assume that every IP is part of a /56 block you run the risk of either not blocking enough or blocking half the subscriber base of some ISP."
An ISP stingy enough to be assigning /64s is unlikely to have someone running a _personal_ mailserver on their ranges. That's on par with the /56 being a dialup range (and the /64 is probably part of a /56 being resold in any case). As such I'd be perfectly happy to block first and punch holes in it later - I'm betting that exceptions would be few and far between.
What I would ALSO do - based on observation - is link it into fail2ban and block anything knocking on other ports around the same time as well as using the fail2ban cloud
You've clearly never tried to run an SMTP service on IPv6 and assume all end users have some IPv6 capability.
What, there are people not using gmail? <<snicker>>
Seriously though ... my mail server is dual-stack and I find that the majority of email that arrives via IPv6 is coming from the big providers (gmail, yahoo, microsoft etc). Pretty much anyone who doesn't host their mail "in the cloud" is still on IPv4-only. I suppose that's a blessing for now, because the majority of the spammers are still using IPv4 as well.
The way you migrate the world from IPv4 to IPv6 is to start moving *consumers* away from IPv4. My T-Mobile service, for example, gives me native IPv6 and NAT IPv4 over a 4-6-4 CGN tunnel. Once the masses are all on IPv6, service providers will want to start providing that native IPv6 support.
(As a side note ... you'd be surprised how many people believe that it's illegal to run your own mail server, because they know that Hillary Clinton got in trouble for it; they don't understand that the email server itself isn't what got her in trouble.)
>It turns out that IPv6 works OK and dual stack works fine.
I think Jun Murai, an "IPv6 advocate" would agree with you.
>That /n has absolutely no value whatsoever.
Clearly Jun Murai disagrees with you here. Perhaps because he wants money to fund a pet project: "boosting Asia-Pacific connectivity and online services".
> Clearly Jun Murai disagrees with you here.
It has no value to Jun Murai - however as an IPv6 advocate it leaves him vulnerable to accusations of hoarding IPv4 space to push people onto IPv6, so getting rid of it kills two birds with one stone AND gets him some pocket money for his pet hobbyhorse.
At some point the companies which have splashed out billions of dollars for IPv4 space are going to find that space is valueless - and then have to explain this to the shareholders.
It's arguable this is acting as a handbrake on moving to IPv6 ("Why should we do that when we paid SO MUCH for this IPv4 space?"), along with the "We have plenty of IPv4 space, why do you want IPv6?" one I keep running into - particularly from Certain UK ISPs who shall not be named but we all know who they are....
I don't think that improving (IPv6) connectivity in the Asia-Pacific region is a hobby-horse. It's more like, say, being able to sell most of the (US) 847 area code numbers and use the proceeds to improve 5G coverage in rural Illinois.
Anyway, I've known Jun for 20+ years and whatever he does always works out brilliantly well. My only comment is Kampai!
APNIC could threaten to recall all of the IPv4 addresses owned by the Chinese government. Everything in those APNIC records has been fake or null-routed since about 20 years ago when China decided that spamming and hacking other countries is a pretty good use of the Internet. You can't have the rest of the world submitting billions of abuse complaints to a legit POC.
I'm not sure how APNIC would contact the Chinese government's networks about this, being that their contacts are fake. Maybe start re-assigning blocks then see who calls. The other registries could do the same with their networks. AFRINIC is pretty bad and ARIN has numerous records flagged as having an unknown owner.
"AFRINIC is pretty bad and ARIN has numerous records flagged as having an unknown owner."
The _entire_ address space involved in the accusations you've just made would satisfy about 10 minutes of backlogged requests.
The real gold mines are in the /8s and larger allocated by Jon Postel prior to ARIN coming into existence - because Jon died before any of this became an issue or handed administration over to ARIN, they've always been regarded as untouchable.
Several of those are not in the hands of the organisations that they were originally given to, having been "walked off with" by employees as the original companies folded, etc. (In one case an outside consultant only peripherally related to the original org took the address space and claimed it as his own - and when it was finally noticed it took the best part of 20 years to get it returned to the pool due to his combative stance. The sex.com saga has nothing on the deviousness and possessiveness of people when it comes to "low numbered" IP address ranges.)
The printer repair men and single person IT departments of el reg will be out in force to tell us "ha! I told you IPv4 will never run out", "I ain't learning no stinking new IP syntax.. DNS? what's DNS? Does it work better than IP addresses written in biro on the back of my hand?" and "Why configure stuff properly when NAT breaks everything well enough that it gives the illusion of security".
Oo er get this one. Bet 'e even has a 48 port switch at 'ome. Probably thinks because 'es the only one with the excel sheet of passwords and cisco'd up to the eye balls that them haxors aren't already in 'es corporate network.
 - only 3 things plugged in
 - 4 windows PCs and a NAS he built from parts off Amazon because he's so very smart or a network with so many VLANs and superduper level 7 filtering proxies that all of the devs have already tunnelled out to machines in AWS or wherever and are laughing behind his back as they work totally oblivious to all of the *security* he boasts about while crying about how IPv6 is hard.
IPv6 isn't hard. It's just a pain in the ass to remember the IPs for your machines.
My brain is hardwired for IPv4 at this stage, I just naturally think of AD as .250 and ESX-01 as .10, gateway as .254 etc... it just won't rewire to IPv6... which brings my piss to a boil because I otherwise quite like IPv6.
Yeah, yeah I know DNS etc etc. But a proper engineer knows the IPs of his kit. That way if DNS is down you can still crack on as usual and get it fixed quicker.
>The guys who learned from Cisco seem to put the gateway at .1.
Given the origins of Cisco, I suspect they just picked up a pre-existing convention, which was probably set by Jon Postel et al: ".1" is only two characters to be keyed, ".254" is four - important in the time before DNS and RIP...
"only two characters to be keyed"
This is correct, ask anyone who ever hand-keyed in static routing tables. Microsoft either cluelessly got it wrong, or couldn't handle the concept of using established standards, as usual.
It wasn't Jon's doing, per se. It was just something that happened pretty much everywhere simultaneously as the logical way to do it. We were using it with TCP/IP before TCP/IP went "live" Internet wide at the beginning of 1983 ...
Yes, Cisco probably got it from their roots at Stanford, but I remember Stanford using .11 early on (22.214.171.124 and 126.96.36.199 are forever etched into my memory). My lizard hind-brain is suggesting that .1 as a standard may have originated at BBN, but I wouldn't put money on it (188.8.131.52 had something important hung off it, that was definitely BBN, but other than that I can't remember).
Corrections/additions welcome ... Have a beer while you cogitate :-)
Actually, it's usually not a choice I get to make. Most of the networks I look after were originally built by someone else a long time ago and certain IPs have been hard coded into devices that aren't in my scope... burglar alarms, door access systems... whatever has some sort of additional support contract on it that prevents me from knowing the passwords.
That and I work in a couple of consumer tech testing labs so they keep their test networks as consumer oriented as possible to not interfere with the testing.
I know what you mean though. I've had calls from actual techies trying to get MSDN examples working and they leave in the "contoso" FQDNs after straight up copy/pasting.
I actually learnt from neither Cisco nor Microsoft when I learnt how to build networks. I was 10 years old, it was 1994/5 and I was cobbling my home LAN together with knackered old hubs (can't remember the brand, though Proxim and/or 3com ring bells, they were beige) and old cables I salvaged from a bin on an industrial estate somewhere near Heathrow.
I didn't touch Cisco kit until around 1990.
"Murai received his address blocks in the early internet days before the rules were put in place"
Meaning he emailed Jon Postel and said something along the lines of "I'm using this Class A, will you please add it to your list?" ... to which Jon replied something along the lines of "Noted. Added. Need any more?".
The world was a very different place back then ...
"Far back in the mists of ancient time, in the great and glorious days of the former Galactic Empire, life was wild, rich and largely tax free" .....
"In those days spirits were brave, the stakes were high, men were real men, women were real women and small furry creatures from Alpha Centauri were real small furry creatures from Alpha Centauri."
"……. and making routing work as easily as possible"
The original iteration of IPv4 used the first octet AS the route to the site and the second as the departmental route inside the site
Remember it was a hackly kludge only intended to last 5-6 years, which is why 32 bits was regarded as sufficient for the amount of time it would be in use. Vint Cerf wanted to use 128 bits at the outset and was browbeaten into 32 for that reason. If he'd stood his ground we wouldn't have this mess now.
(My reminder about "temporary kludges" is the temporary hut for comms equipment, part of my beat as a tech, that was erected in 1946. It was finally demolished and replaced with a permanent building in 1988. The standing joke was that when the ancient equipment racks and their frames were unbolted from the walls, those walls fell off the building and what was left simply collapsed. "Building" is an exaggeration; it was fractionally larger than a garden shed.)
"Remember it was a hackly kludge"
"only intended to last 5-6 years"
Absolutely not! It was intended to last until something better came along ... but nobody was working on something better, so we built it to last indefinitely. Seems the plan worked.
"Vint Cerf wanted to use 128 bits at the outset and was browbeaten into 32 for that reason."
We used 32 bits because that's what the DEC hardware that we had available could switch efficiently. The Cerf story sounds good, but it's just a story and never happened.
Plans? We don' need no steenkeen' plans!
This kind of Internet 'noble blocks' have no reason to exist. They got them when it was a kind of experiment, now the experiment has been over for a long time. Making them non routable will drop their usefulness and value to 0.
Who would benefit from that? And I don't mean in a money sense. Literally, what good would it make to make these non-routable? It feels to me like you just discovered somebody has been hoarding a collection of rare stamps, so you decide to... burn it all.
Those who need IPs that are owned by people who have no use for them and just hoarded them when the internet was just an experiment, moreover often built with taxpayers' money, and while often being paid with taxpayers' money? The initial allocation of IPv4 wasn't fair at all. Not even clever.
Making them non-routable until their owners abide by the same rules that everybody else has to abide by would be fair. Why should they be exempt?
Over the centuries many hoarded resources until they had to release them because it wasn't legal any longer. This is a kind of internet "latifundium" - quite idiotic, especially from people who usually think of themselves as "liberals" - but "hey, don't touch my big /8, serf!"
No, just because those "grandfathering" clauses are plainly silly - another example of how the Internet has been mismanaged since the beginning. ICANN & Co. are just the obvious offspring of that mentality - rules are just valid for some people but not for others, "just because we can".
It would be like Mayflower descendants asserting they are not bound by US laws because they came to America before the US existed.
Hope IPv6 starts to be deployed broadly soon, so all those IPs become useless.
"Might get a call from the US military/defense establishment - they seem to be sitting on rather a lot of /8 address ranges..."
They're not using most of them (or weren't in the 1990s) and were considering handing them back at one point (one question that got asked was "To whom though?"). I suspect they'd prefer to sit on them now as a way of pushing the world to IPv6.
Google, Microsoft and Amazon are infrastructure providers. In most cases, each individual VM fired up needs an IPv4 address. Cloud usage is going up, not down.
However, more importantly, Google is an advertising company, and its money depends on eyeballs on the adverts. They can't afford to cut off IPv4-only users, which are still the vast majority.
Think about what happened with IE5. For a long time, websites had to have a completely different version to support IE5, which was really painful and expensive. They continued to do so, until the number of people on IE5 fell to about 1% - at that point they felt safe to drop IE5 support.
The same will happen here. When 99%+ of the end-users on the Internet are dual-stack or v6+NAT64, content providers will feel it's OK to drop v4. Not before.
Not entirely. You obviously know of NAT64 but fail to realize it works both ways. You can easily just have the "instance" use IPv6 and then assign IPv4 "elastic" IPs as needed using their load balancing applications. Pretty easy.
No reason to burn an IPv4 IP for your backend instances.
"The same will happen here. When 99%+ of the end-users on the Internet are dual-stack or v6+NAT64, content providers will feel it's OK to drop v4. Not before."
Up to that point, the end users will slowly see their horizons starting to diminish, just like IE5 users did.
Just because it will take time to happen isn't a reason to not start the journey and encourage the transition as quickly as possible - especially when you bear in mind that there are parts of the world where entire countries have tens of millions of people behind a single /24 (Vietnam) or up to 6 layers of NAT (Myanmar)
Uptake of IPv6 is now at the point where it's mostly only the dinosaurs who haven't transitioned, and they won't unless their feet are held to the fire.
I hope that these addresses are not available to those who can't be bothered doing IPv6.
No organisation should be eligible for more IPv4 space unless they're actively using IPv6 - with the possible exception of those of us small operators who are stuck behind lagging upstreams. But then, such organisations generally don't apply for space from APNIC anyway.
It should be something absolutely like this, and whoever's too lazy to learn something new (well... more like 20+ years old...) can find another job. My company (transit folks...) already has a peering policy that it will accept only dual stack on new agreements.
The IPv4 addresses in question are the vast majority of 43/8, aka 43.*.*.*. Some are already allocated; the WIDE Project owns the other 87.5 per cent, which it will transfer to the aforementioned trust, which is joint owned by WIDE and Asia-Pacific internet overseer APNIC.
So "the vast majority" is 12.5%?