On Thu, 2005-04-07 at 00:21 +0200, Jørgen Hovland wrote:
A more specific problem with this allocation policy: You would expect that if a /64 is the standard allocation size of a LAN, then we can all start filtering on /64s instead of /128s if we want to do per-IPv6 filtering, right?
I don't understand what you're getting at...
I see I was a bit unclear. Limitation of 1 FTP connection per user, 1 registration per user on our website and so on. Simple techniques to reduce abuse++ often take advantage of the one machine to one IP address ratio with IPv4 today. With IPv6 you get one address, or you get a billion. You can't tell anymore because you can grab a thousand extra IPs on the /64 LAN and use them for whatever you like. We are sure going to miss this feature.
Nope, even better. You *know* that the endsite falls inside the same /48, which you can look up in whois, who owns it, then check if it is a house (avg 8 people) or a big company with indeed 10k or so users.

With RFC3041 being standard, the same /64 can produce a *lot* of different IPs to your webserver or whatever connector, thus indeed for stats you might want to aggregate those. Of course you can see that an IP is based on RFC3041 by checking the relevant bits, but people could of course also make their bots do it for you.

For limiting automatic requests to your website use Captchas*. Robots can do a lot, but they can't read (yet).

Thus for FTP and other services, limit per /48. You then limit per site btw and not per user, which is actually better than what you actually wanted. What if I would have a /24 and let '256 users' in. Remember also that I could have my fridge use an IP, walk there and let it order from your site etc... they are different devices with the same user, /me ;)

Simply saying 'that user is the same IP' does not work, but has it ever? (NAT anyone :)

Greets,
Jeroen

* = http://en.wikipedia.org/wiki/Captcha
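
The per-/48 limit and the interface-identifier bit check discussed in the thread above, as an added Python example that is not part of the original messages. The names `site_key`, `iid_kind` and `SiteLimiter` are hypothetical, the addresses are constructed from the 2001:db8::/32 documentation prefix, and a clear universal/local bit is only consistent with an RFC 3041 address (hand-assigned addresses clear it too).

```python
import ipaddress
from collections import defaultdict

V6_SITE_PREFIX = 48    # end-site size the reply suggests limiting on
U_BIT = 0x02 << 56     # universal/local bit of the 64-bit interface identifier


def site_key(addr: str) -> str:
    """Rate-limit bucket: the enclosing /48 for IPv6, the address itself for IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ip)
    return str(ipaddress.ip_network(f"{ip}/{V6_SITE_PREFIX}", strict=False))


def iid_kind(addr: str) -> str:
    """Classify the low 64 bits of an IPv6 address by the bits a server can check."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    if (iid >> 24) & 0xFFFF == 0xFFFE and iid & U_BIT:
        return "eui64"           # derived from a MAC address, stable per interface
    if not iid & U_BIT:
        return "local"           # u bit clear: RFC 3041 temporary or hand-assigned
    return "other"


class SiteLimiter:
    """Caps concurrent sessions per site key instead of per source address."""

    def __init__(self, max_per_site: int):
        self.max_per_site = max_per_site
        self.active = defaultdict(int)

    def acquire(self, addr: str) -> bool:
        key = site_key(addr)
        if self.active[key] >= self.max_per_site:
            return False
        self.active[key] += 1
        return True

    def release(self, addr: str) -> None:
        key = site_key(addr)
        if self.active[key] > 0:
            self.active[key] -= 1


if __name__ == "__main__":
    limiter = SiteLimiter(max_per_site=1)
    # Constructed sample addresses (documentation prefix).
    for a in ("2001:db8:1234:1:211:22ff:fe33:4455",
              "2001:db8:1234:2:3c5d:9a01:77e2:10b4", "2001:db8:abcd::1"):
        print(a, site_key(a), iid_kind(a), limiter.acquire(a))
```

The second address is refused because it shares a /48 with the first even though it sits in a different /64 and uses a randomized interface identifier.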