
Mailing List Archive: Wikipedia: Wikitech

IPv6 blocking

 

 



george.herbert at gmail

Jul 17, 2007, 4:36 PM

Post #1 of 7 (1434 views)
IPv6 blocking

Proposed for discussion:

We need to start thinking about IPv6 and blocking. Also, IPv6 and IP
users in general, but specifically blocking.

We will probably want to be able to extend block syntax to be able to
block any combination of Routing Goop (top 64), RG + subnet (64 + 16),
or MAC address (lower 48).

Being able to block on IPv6 MAC address allows us to conveniently
block a persistent vandal's specific computer, even if they move it or
change ISPs. Unless they're bright enough to mangle the MAC
address...


--
-george william herbert
george.herbert [at] gmail

_______________________________________________
Wikitech-l mailing list
Wikitech-l [at] lists
http://lists.wikimedia.org/mailman/listinfo/wikitech-l


Simetrical+wikilist at gmail

Jul 17, 2007, 5:20 PM

Post #2 of 7 (1333 views)
Re: IPv6 blocking

On 7/17/07, George Herbert <george.herbert [at] gmail> wrote:
> Being able to block on IPv6 MAC address allows us to conveniently
> block a persistent vandal's specific computer, even if they move it or
> change ISPs. Unless they're bright enough to mangle the MAC
> address...

You can be sure that ISPs like AOL aren't suddenly going to change
their mind about this whole privacy business and start exposing to the
public Internet IP addresses that can be pinned down to a single
customer.



george.herbert at gmail

Jul 17, 2007, 5:29 PM

Post #3 of 7 (1320 views)
Re: IPv6 blocking

On 7/17/07, Simetrical <Simetrical+wikilist [at] gmail> wrote:
> On 7/17/07, George Herbert <george.herbert [at] gmail> wrote:
> > Being able to block on IPv6 MAC address allows us to conveniently
> > block a persistent vandal's specific computer, even if they move it or
> > change ISPs. Unless they're bright enough to mangle the MAC
> > address...
>
> You can be sure that ISPs like AOL aren't suddenly going to change
> their mind about this whole privacy business and start exposing to the
> public Internet IP addresses that can be pinned down to a single
> customer.

AOL is pretty much the tiny minority there; most ISPs baldly present
the outside world either a DHCPed or static IP for the customer.

IPv6 will likely be similar; anyone not doing NAT or proxies right now
probably won't start doing it later. And, unlike IPv4, the IPv6
addresses (if not NATed) will show us the MAC on the system
involved...

This doesn't help ID the person (MAC tells you manufacturer, and
sometimes model, but that's all). But it does help for blocking...

We'll have to maintain our existing mechanisms for AOL and other
special cases, and anyone still using IPv4.

But it would behoove us to look to the future a bit and plan for
taking advantage of it, if possible 8-)


--
-george william herbert
george.herbert [at] gmail



thomas.dalton at gmail

Jul 18, 2007, 3:22 AM

Post #4 of 7 (1309 views)
Re: IPv6 blocking

> This doesn't help ID the person (MAC tells you manufacturer, and
> sometimes model, but that's all). But it does help for blocking...

It helps to confirm that two people are the same. While a checkuser
that shows that two accounts are being used by people with the same
ISP would at best be a "likely", a checkuser that shows two accounts
are being accessed via the same network card would be a definite match
(assuming the rest of the address rules out a public computer).



usenet at tonal

Jul 18, 2007, 3:34 AM

Post #5 of 7 (1311 views)
Re: IPv6 blocking

Thomas Dalton wrote:
>> This doesn't help ID the person (MAC tells you manufacturer, and
>> sometimes model, but that's all). But it does help for blocking...
>>
>
> It helps to confirm that two people are the same. While a checkuser
> that shows that two accounts are being used by people with the same
> ISP would at best be a "likely", a checkuser that shows two accounts
> are being accessed via the same network card would be a definite match
> (assuming the rest of the address rules out a public computer).
>

However, see RFC 3041, "Privacy Extensions for Stateless Address
Autoconfiguration in IPv6". If this is widely adopted, it will render
MAC address blocking pointless.

-- Neil




Platonides at gmail

Jul 18, 2007, 4:33 AM

Post #6 of 7 (1312 views)
Re: IPv6 blocking

Thomas Dalton wrote:
>> This doesn't help ID the person (MAC tells you manufacturer, and
>> sometimes model, but that's all). But it does help for blocking...
>
> It helps to confirm that two people are the same. While a checkuser
> that shows that two accounts are being used by people with the same
> ISP would at best be a "likely", a checkuser that shows two accounts
> are being accessed via the same network card would be a definite match
> (assuming the rest of the address rules out a public computer).

On today's OS it's easy to change the PC's MAC. No doubt vandals will
learn it fast.
Even worse, if we treat as one-MAC one-user, and block by it, a vandal
can vandalise with the MAC of a legitimate user (one unlogged edition is
enough to disclose it), who will find themselves blocked and appear
as if they were the vandal.




usenet at tonal

Jul 18, 2007, 5:06 AM

Post #7 of 7 (1312 views)
Re: IPv6 blocking

Platonides wrote:
> Thomas Dalton wrote:
>
>>> This doesn't help ID the person (MAC tells you manufacturer, and
>>> sometimes model, but that's all). But it does help for blocking...
>>>
>> It helps to confirm that two people are the same. While a checkuser
>> that shows that two accounts are being used by people with the same
>> ISP would at best be a "likely", a checkuser that shows two accounts
>> are being accessed via the same network card would be a definite match
>> (assuming the rest of the address rules out a public computer).
>>
>
> On today's OS it's easy to change the PC's MAC. No doubt vandals will
> learn it fast.
> Even worse, if we treat as one-MAC one-user, and block by it, a vandal
> can vandalise with the MAC of a legitimate user (one unlogged edition is
> enough to disclose it), who will find themselves blocked and appear
> as if they were the vandal.
>
>

I'm not sure there's anything in the IPv6 specs to mandate the use of
MAC addresses for assigning host parts: it's just one easy way to do it
in a stateless way, but since it would expose the make and exact serial
number of your network adapter (which is most likely built into your
motherboard, these days), it's also a giant privacy hole.

I think ISPs are much more likely to allocate the host part of IPv6
addresses either dynamically (and to keep logs), or to allocate a single
static IPv6 address per account.

Presumably, for a customer who wants to expose multiple IPv6 addresses,
they would do something like allocate a /64 to each user, and let them
pick their own host parts, perhaps using DHCPv6, which would then
necessarily have anything to do with the actual MAC address of the
hosts' own network adapters.

-- Neil
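
Added example, not part of the original thread or of MediaWiki's code: a Python sketch of the address split the thread debates, separating the /64 routing prefix from the interface identifier and recovering a MAC only when the identifier is in modified EUI-64 form (RFC 4291). The function names and the sample addresses (documentation prefix 2001:db8::/32) are constructed for illustration.

```python
import ipaddress

def split_address(addr):
    """Return (routing /64 network, 64-bit interface identifier as bytes)."""
    ip = ipaddress.IPv6Address(addr)
    prefix = ipaddress.IPv6Network((int(ip) >> 64 << 64, 64))
    return prefix, ip.packed[8:]

def embedded_mac(addr):
    """Recover the MAC if the interface ID looks like modified EUI-64.

    EUI-64 inserts ff:fe between the two MAC halves and inverts the
    universal/local bit (0x02) of the first byte. Anything else
    (RFC 3041 temporary addresses, DHCPv6, manual) returns None.
    A random identifier matches the ff:fe pattern by chance about
    once in 65536, so a hit is a hint, not proof.
    """
    _, iid = split_address(addr)
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def block_keys(addr):
    """Candidate block keys: the /64 is set by the network, the MAC by the client."""
    prefix, _ = split_address(addr)
    return {"prefix": str(prefix), "mac": embedded_mac(addr)}

# Constructed sample addresses.
SAMPLES = [
    "2001:db8:aaaa:1:211:22ff:fe33:4455",   # EUI-64 host on network A
    "2001:db8:bbbb:7:211:22ff:fe33:4455",   # same interface ID on network B
    "2001:db8:aaaa:1:3c5d:91a2:7be4:f16",   # randomized interface ID
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, block_keys(sample))
```

The first two samples share a MAC-derived key across different prefixes, and the third yields no MAC at all; because the interface identifier is chosen by the client, only the prefix is outside the client's control.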

