[rbldnsd] ip6tset and the RFC5782 test IPv6 don't like each other
Alex Lasoriti
lasoriti at spamteq.com
Thu Oct 10 12:01:33 MSK 2013
On Wed, Oct 09, 2013 at 05:52:49PM -0700, Jeff Dairiki wrote:
> On Thu, Oct 10, 2013 at 12:21:45AM +0200, Alex Lasoriti wrote:
>
> Out of curiosity, how many /64 prefixes do you have?
Well, the data generation guys at the Project are still working on the
engines and I do not have real data yet. I am preparing things at the
user delivery end. But IPv4 XBL is on the multimillion scale (around
6M now), so I guess one should be reasoning on that scale.
The automated CSS (snowshoe) component of SBL may explode even more, as
snowshoe spammers getting /40's or so may suddenly start emitting from
the whole space, and you have 16M /64's in a /40, so there is a
potential for spikes in size until these areas are consolidated in
larger SBL listings.
> Have you compared
> resource usage between ip6tset and ip6trie? Yes, ip6trie does use
> 2-3 times the memory of ip6tset, but unless you have really large datasets,
> or run on very old or memory-constrained hardware, I suspect the difference
> is not really a back-breaker.
No, this comparison has not been made yet. Insufficient h/w is normally
not a problem, unless the resources needed become really humongous.
> [...]
> 5) I haven't tested this, and it's pretty hackish (apologies for both)
> but ip6tset supports /128 exclusions. So you could list 0:: (which
> includes ::FFFF:7F00:2 among many others) and then exclude
> ::FFFF:7F00:1. That would give you a whole bunch of test addresses
> — perhaps too many — but it would appear to conform to RFC5782.
That's an interesting workaround, but listing 0:: could have unforeseen
consequences. A lot of mor^H^H^Hpeople complain that we block their IP
127.0.0.2; if we were listing 127/8 except localhost, there could be
a flow of silly mails and, in general, disservices of some sort that
we want to avoid, and the same could happen in v6.
Alex
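
Added example (not part of the original message and not rbldnsd code): a simplified Python model of a dataset holding /64 prefixes with /128 exclusions. It shows why the two RFC 5782 test addresses cannot be separated at /64 granularity and what else the 0:: workaround discussed above would list. The class and function names are hypothetical.

```python
import ipaddress

# RFC 5782 section 5 test points for IPv6 DNSxLs.
MUST_LIST = ipaddress.IPv6Address("::FFFF:7F00:2")
MUST_NOT_LIST = ipaddress.IPv6Address("::FFFF:7F00:1")


def prefix64(addr):
    """Return the top 64 bits of an IPv6 address as an int."""
    return int(ipaddress.IPv6Address(addr)) >> 64


class TsetModel:
    """Simplified model: listed /64 prefixes plus excluded /128 addresses."""

    def __init__(self, listed_64, excluded_128=()):
        self.listed = {prefix64(a) for a in listed_64}
        self.excluded = {int(ipaddress.IPv6Address(a)) for a in excluded_128}

    def is_listed(self, addr):
        ip = ipaddress.IPv6Address(addr)
        return prefix64(ip) in self.listed and int(ip) not in self.excluded


def rfc5782_ok(ds):
    """True if the dataset lists ::FFFF:7F00:2 and does not list ::FFFF:7F00:1."""
    return ds.is_listed(MUST_LIST) and not ds.is_listed(MUST_NOT_LIST)


def count_64s(network):
    """Number of /64 prefixes inside a network of /64 or shorter."""
    net = ipaddress.IPv6Network(network)
    return 2 ** (64 - net.prefixlen)


if __name__ == "__main__":
    plain = TsetModel(["::"])                      # lists 0::/64 only
    hacked = TsetModel(["::"], ["::FFFF:7F00:1"])  # workaround from the thread
    print("same /64:", prefix64(MUST_LIST) == prefix64(MUST_NOT_LIST))
    print("plain conforms:", rfc5782_ok(plain))
    print("with exclusion conforms:", rfc5782_ok(hacked))
    print("side effect, ::1 listed:", hacked.is_listed("::1"))
    # 2001:db8::/40 is a constructed sample prefix from the documentation range.
    print("/64s in a /40:", count_64s("2001:db8::/40"))
```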