How IPv6 Affects IP-Based Rules (Bans/Filters)

ipv6

Given that Stack Exchange sites ban on IP, I wonder if there's a common opinion or strategy about making rules based on a user's IP in order to dictate behaviors.

With IPv4, you've got a few things you can fairly reliably assume about a given IP:

  1. IPs that share a subnet could very well be the same user
  2. while IPs can be reused for various actual endpoints, it's relatively unlikely that you'll see duplicate connections from an IP that are not the same user, or at the very least the same household/organization (basically, a shared connection)
  3. it's not trivially easy for a user to obtain a new public IP (there is a medium-sized barrier to entry here)

With IPv6, can you assume all of this? I would imagine at the very least the second point would not be true anymore since NAT'ing is supposed to essentially go away with IPv6 because there will be enough IPs for anyone who wants one.

If you have an IP-based set of policies in place, what considerations need to be made for IPv6 if any because of the differences in the two?

Best Answer

With IPv6, I don't think there is a perfect solution. But there are a number of things to consider:

  • ISPs will likely give out /64 subnets to individual customers. (There will be enough to go around.)
  • Workplaces will likely have at least one /64 per office.
  • ISPs offering strictly point-to-point links may choose to use prefixes between /64 and /126. (See why they aren't using /127 in general) This would probably be either a short-sighted ISP, or one who wants to charge more for a full /64. There is really no reason that each endpoint (which could be a full customer network) should not be a /64.
  • Assuming most IPv6 end-user subnets will be on a /64, one could look at bit 6 in the interface identifier (see section 3.2.1 of RFC 4941) to check if it was likely generated based on a globally unique identifier (MAC address). This isn't foolproof, obviously. But if this bit is set, it likely indicates that the address was generated from a MAC address. So one could block IPv6 addresses based on the last 64 bits, and users could be blocked no matter which subnet they come from. (Maybe best to use this as a "hint" since MAC addresses, while supposed to be globally unique, in practice aren't always. Plus they are easily spoofed. But anyone savvy enough to go to the trouble would probably find it easier to grab a /64 and get 2^64 unique addresses anyway.)
  • If privacy addresses are in use... not much to do except block that one address for a short time. It'll likely change soon anyway. Factor in the network part of the /64 at this point, but be wary since you might be blocking someone's entire corporate office.

I would say that the best way would be to look first at individual addresses, then factor in the last 64 bits of the address, and patterns of abuse from particular /64 subnets in order to implement a blocking strategy. To summarize:

  • Start by blocking individual /128 IP addresses (like you probably do today with IPv4)
  • If you notice a pattern of abuse from a non-privacy address in the last 64 bits of an address, use that as a strong indicator in your blocking algorithm. Someone could be hopping between ISPs or subnets. (again, be careful with this since MACs are not necessarily unique - someone could be spoofing to exploit your algorithm) Also, this would only work against abusers who don't know how IPv6 works. ;-)
  • If you notice a pattern of abuse from a particular /64, block the entire /64 with a good error message so the offending network's administrator can do whatever work needs to be done on his/her end.

Good luck.
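As an added illustration (not part of the question or the answer above), the following Python script implements the three-tier strategy the answer describes: block individual /128 addresses, treat a globally unique interface identifier (u/l bit set, RFC 4941 section 3.2.1) that shows up across several /64s as a hint, and block a whole /64 once abuse from it crosses a threshold. The abuse log, the thresholds and the TTL values are constructed for this example; all addresses use the documentation prefix 2001:db8::/32 and the function names are my own.

```python
import ipaddress
from collections import defaultdict

# Constructed abuse reports for this example: (source address, abusive events seen).
# All addresses are from the documentation prefix 2001:db8::/32, not real hosts.
ABUSE_LOG = [
    ("2001:db8:1:2:21a:2bff:fe3c:4d5e", 3),   # EUI-64 style IID (u bit set, ff:fe in the middle)
    ("2001:db8:9:9:21a:2bff:fe3c:4d5e", 2),   # same IID seen on a different /64
    ("2001:db8:1:2:4d1e:9c2a:77b0:1d3c", 1),  # privacy-style IID (u bit clear)
    ("2001:db8:1:2:8c3b:1e20:aa41:9f07", 1),  # another privacy-style IID, same /64
    ("2001:db8:55:7::1", 1),                  # manually assigned IID
]


def interface_id(addr):
    """Return the low 64 bits (the interface identifier) of an IPv6 address as an int."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)


def iid_hex(iid):
    """Format a 64-bit interface identifier as four hextets, e.g. '021a:2bff:fe3c:4d5e'."""
    h = f"{iid:016x}"
    return ":".join(h[i:i + 4] for i in range(0, 16, 4))


def has_universal_bit(iid):
    """True if bit 6 of the IID (the u/l bit of a modified EUI-64) is set.

    Bit 0 is the most significant bit of the 64-bit identifier, so bit 6 is the
    0x02 bit of the first octet; privacy addresses (RFC 4941) leave it clear.
    """
    return (iid >> 57) & 1 == 1


def mac_from_iid(iid):
    """Recover the MAC a modified-EUI-64 IID was built from, or None if it is not that shape."""
    b = iid.to_bytes(8, "big")
    if not has_universal_bit(iid) or b[3:5] != b"\xff\xfe":
        return None
    first = b[0] ^ 0x02  # undo the u/l bit flip that EUI-64 construction applies
    return ":".join(f"{x:02x}" for x in (first, b[1], b[2], b[5], b[6], b[7]))


def subnet64(addr):
    """The /64 the address lives in, as an IPv6Network."""
    return ipaddress.IPv6Interface(f"{addr}/64").network


def build_block_plan(log, iid_subnets=2, prefix_events=3, short_ttl=3600, long_ttl=86400):
    """Turn an abuse log into three block lists, following the answer's ordering.

    addresses : every reported /128, with a short TTL for privacy-style IIDs
                (they rotate soon anyway) and a longer one for stable IIDs
    iid_hints : universal-bit IIDs seen in at least `iid_subnets` distinct /64s,
                i.e. the same host apparently moving between networks (a hint only)
    prefixes  : /64s whose summed abuse events reach `prefix_events`
    """
    addresses = {}
    events_per_prefix = defaultdict(int)
    subnets_per_iid = defaultdict(set)
    for addr, events in log:
        iid = interface_id(addr)
        universal = has_universal_bit(iid)
        addresses[str(ipaddress.IPv6Address(addr))] = long_ttl if universal else short_ttl
        net = subnet64(addr)
        events_per_prefix[net] += events
        if universal:
            subnets_per_iid[iid].add(net)
    iid_hints = {iid_hex(i) for i, nets in subnets_per_iid.items() if len(nets) >= iid_subnets}
    prefixes = {str(n) for n, total in events_per_prefix.items() if total >= prefix_events}
    return {"addresses": addresses, "iid_hints": iid_hints, "prefixes": prefixes}


def is_blocked(plan, addr):
    """Match a new connection against the plan: exact address, then /64, then IID hint."""
    ip = ipaddress.IPv6Address(addr)
    if str(ip) in plan["addresses"]:
        return "address"
    if str(subnet64(addr)) in plan["prefixes"]:
        return "prefix"
    if iid_hex(interface_id(addr)) in plan["iid_hints"]:
        return "iid-hint"
    return None


if __name__ == "__main__":
    plan = build_block_plan(ABUSE_LOG)
    for key, value in plan.items():
        print(key, value)
    for probe in ("2001:db8:1:2:ffff::1", "2001:db8:77:77:21a:2bff:fe3c:4d5e", "2001:db8:9:9::5"):
        print(probe, "->", is_blocked(plan, probe))
```

The IID hint deliberately ranks below the /64 block: as the answer notes, a spoofed MAC (or a host that simply uses privacy addresses) defeats it, so it should raise the score of a decision rather than make it. `mac_from_iid` is included only to show why a universal-bit IID follows a machine across subnets; a block list needs the raw 64-bit identifier, not the MAC.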