You probably remember, or have encountered at least once, my modsecurity ruleset, which I use to filter spam comments on this blog, among other things. One of the things the ruleset does is filter based on a number of DNSBLs, which cover, among other things, open proxies and infected nodes — this is great, because most of the comment spam you’ll ever receive passes through open proxies, or through computers that have been infected by malware.
Unfortunately, this has a side effect: public networks such as airports’, Starbucks shops’, and the gogo in-flight wifi that I’m using now use a very wide NAT, and the sheer number of devices connected means that there is no way the IP address wouldn’t end up counted as an infected node. This would normally mean that I couldn’t blog from within the plane, so how am I doing it right now? I simply opened a VPN connection to the office in LA and route all accesses to my server through that. It works, but it really feels wrong.
Well, it turns out that there is a very easy way to deal with it: you just need to assign a unique IP address to each of the connected devices — easy, isn’t it? And since you don’t want them reused, you probably want a single per-device address that is unique among all the possible devices... wait, isn’t this what IPv6 is designed to be? Yes it is.
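To make the NAT problem concrete, here is an added example (not code from the blog or from the modsecurity ruleset) that builds the DNSBL query names a filter like the one above would look up, for IPv4 and for IPv6, and runs them against a constructed, offline stand-in for a blocklist zone. The zone name dnsbl.example, the addresses and the device names are all made up for the demonstration.

```python
import ipaddress
from typing import Callable, List, Optional, Tuple

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNS name a DNSBL lookup queries for `ip` in `zone`.

    IPv4: reversed dotted octets     (203.0.113.7 -> 7.113.0.203.<zone>.)
    IPv6: all 32 nibbles, reversed, one label each (RFC 5782 convention)
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(addr.exploded.split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.rstrip(".") + "."

def is_listed(ip: str, zone: str, resolve: Callable[[str], Optional[str]]) -> bool:
    """`resolve(name)` returns the A record as a string, or None on NXDOMAIN.
    A DNSBL signals a listing with an answer inside 127.0.0.0/8."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")

def blocked_clients(clients: List[Tuple[str, str]], zone: str,
                    resolve: Callable[[str], Optional[str]]) -> List[str]:
    """Return the device names whose source address the filter would reject."""
    return [device for device, ip in clients if is_listed(ip, zone, resolve)]

ZONE = "dnsbl.example"  # constructed zone name, not a real DNSBL

# Constructed, offline stand-in for the zone: the names it lists answer 127.0.0.2.
# One entry is the wide-NAT egress address shared by every device on the hotspot,
# the other is a single infected host that got its own IPv6 address.
LISTED = {
    dnsbl_query_name("203.0.113.7", ZONE): "127.0.0.2",
    dnsbl_query_name("2001:db8:1::beef", ZONE): "127.0.0.2",
}

def fake_resolve(name: str) -> Optional[str]:
    return LISTED.get(name)

# Same two devices, first behind a shared NAT address, then with per-device IPv6.
NAT_CLIENTS = [("laptop", "203.0.113.7"), ("phone", "203.0.113.7")]
V6_CLIENTS = [("laptop", "2001:db8:1::cafe"), ("phone", "2001:db8:1::beef")]
```

With the shared IPv4 address every device on the network is rejected once the NAT egress is listed; with per-device IPv6 addresses only the host that is actually listed is.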
Indeed, I would say that, even more so than for a private entity, be it a person or a company, public wireless networks are a perfect reason to get more IPv6 service out there, and I’m very surprised that none of these companies seem to have smartened up and started providing IPv6, especially in light of the recent switch-on for services like Facebook, Google, and so on.
And it’s funny that the company that provides the in-flight wireless and the one that provides IPv6 have such similar names while being totally unrelated… gogo and gogo6.
On a different note, I have to say that the Delta Airlines staff at LAX today have been the most friendly, prepared and fast I have ever experienced. Even in the face of an hour’s delay on the plane, they communicated clearly and defused a situation that could have been very tense. Congrats!
> Well, turns out that there is a very easy way to deal with it: you just need to assign unique IP addresses for each of the devices connected — easy, isn’t it? And since you don’t want them reused you probably want a single per-device address that is unique among all the possible devices..

End users are assigned a /64 or /56 IPv6 network according to the RFC recommendations, so in the IPv6 world whole subnets will be banned and blacklisted instead of single IPs, and nothing will change 🙂
But in general I expect that most blacklists wouldn’t blacklist the whole subnetwork just because there are infected PCs.