Given that Stack Exchange sites ban on IP, I wonder if there's a common opinion or strategy about making rules based on a user's IP in order to dictate behaviors.
With IPv4, you've got a few things you can fairly reliably assume about a given IP:
- IPs that share a subnet could very well be the same user
- while IPs can be reused for various actual endpoints, it's relatively unlikely that you'll see duplicate connections from an IP that are not the same user, or at the very least the same household/organization (basically, a shared connection)
- it's not trivially easy for a user to obtain a new public IP (there is a medium-sized barrier to entry here)
With IPv6, can you assume all of this? I would imagine at the very least the second point would not be true anymore since NAT'ing is supposed to essentially go away with IPv6 because there will be enough IPs for anyone who wants one.
If you have an IP-based set of policies in place, what considerations need to be made for IPv6 if any because of the differences in the two?
Best Answer
With IPv6, I don't think there is a perfect solution. But there are a number of things to consider:
- /64 subnets to individual customers. (There will be enough to go around.)
- /64 per office.
- /64 and /126. (See why they aren't using /127 in general.) This would probably be either a short-sighted ISP, or one who wants to charge more for a full /64. There is really no reason that each endpoint (which could be a full customer network) should not be a /64.
- /64, one could look at bit 6 in the interface identifier (see section 3.2.1 of RFC 4941) to check if it was likely generated based on a globally unique identifier (MAC address). This isn't foolproof, obviously. But if this bit is set, it likely indicates that the address was generated from a MAC address. So one could block IPv6 addresses based on the last 64 bits, and users could be blocked no matter which subnet they come from. (Maybe best to use this as a "hint" since MAC addresses, while supposed to be globally unique, in practice aren't always. Plus they are easily spoofed. But anyone savvy enough to go to the trouble would probably find it easier to grab a /64 and get 2^64 unique addresses anyway.)
- /64 at this point, but be wary since you might be blocking someone's entire corporate office.
I would say that the best way would be to look first at individual addresses, then factor in the last 64 bits of the address, and patterns of abuse from particular /64 subnets in order to implement a blocking strategy. To summarize:
- /128 IP addresses (like you probably do today with IPv4)
- /64, block the entire /64 with a good error message so the offending network's administrator can do whatever work needs to be done on his/her end.
Good luck.
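A sketch of the strategy this answer describes (block the /128 first, escalate to the whole /64 once several hosts in it misbehave, and treat a MAC-derived interface identifier as a cross-subnet hint rather than a hard block), written as an added example that is not part of the original answer. The escalation threshold, the class and function names, and the 2001:db8::/32 sample addresses are assumptions.

```python
import ipaddress
from collections import defaultdict


def interface_id(addr: str) -> bytes:
    """Last 64 bits (the interface identifier) of an IPv6 address."""
    return ipaddress.IPv6Address(addr).packed[8:]


def universal_bit_set(addr: str) -> bool:
    """Bit 6 of the IID (the 0x02 bit of its first octet): the u/l bit.
    Set means the IID claims to be built from a globally unique MAC."""
    return bool(interface_id(addr)[0] & 0x02)


def looks_eui64(addr: str) -> bool:
    """Stronger hint: u bit set AND the ff:fe filler modified EUI-64 inserts."""
    return universal_bit_set(addr) and interface_id(addr)[3:5] == b"\xff\xfe"


class AbuseBlocker:
    """Block /128s first; escalate to the /64 after several distinct offenders.
    escalate_after=3 is an assumed threshold, not a value from the answer."""

    def __init__(self, escalate_after: int = 3):
        self.escalate_after = escalate_after
        self.blocked_hosts = set()          # IPv6Address objects (/128)
        self.blocked_prefixes = set()       # IPv6Network objects (/64)
        self.flagged_iids = set()           # MAC-derived IIDs seen abusing
        self.offenders = defaultdict(set)   # /64 -> set of offending hosts

    def report_abuse(self, addr: str) -> str:
        host = ipaddress.IPv6Address(addr)
        prefix = ipaddress.IPv6Network((addr, 64), strict=False)
        self.blocked_hosts.add(host)
        self.offenders[prefix].add(host)
        if looks_eui64(addr):
            self.flagged_iids.add(interface_id(addr))
        if len(self.offenders[prefix]) >= self.escalate_after:
            self.blocked_prefixes.add(prefix)   # may be a whole office: log it
            return f"blocked {prefix}"
        return f"blocked {host}/128"

    def check(self, addr: str) -> str:
        """'host', 'prefix', 'iid-hint' or 'allow'; the hint is not a block."""
        host = ipaddress.IPv6Address(addr)
        if host in self.blocked_hosts:
            return "host"
        if any(host in p for p in self.blocked_prefixes):
            return "prefix"
        if interface_id(addr) in self.flagged_iids:
            return "iid-hint"
        return "allow"
```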