On 6. Aug 2024, at 20:19, Daniel Suchy via ncc-services-wg <ncc-services-wg@ripe.net> wrote:
> [...] It's simply a DoS condition. And it can be abused in such places where many people meet. In most cases, not every connected station will have its own dedicated /64 subnet. They will share a single subnet.
> If you block a single host on IPv4 and a whole network (LAN) represented by a /64 on IPv6, it's only a kind of security through obscurity. And no one sane will actually do this if they take security seriously.

In probably the majority of cases these days, end-user devices or even whole companies that use IPv4 are behind NAT. So by blocking a single IPv4 address you will in reality block a lot more than just a single user.

> For example, it's easy to run a VPS somewhere for a few bucks... using API calls, perform a few queries... destroy it, and so on and on. This is a technique that a real attacker will use in practice. Because of course even a real attacker knows that some AUP limits exist and will be really motivated to hide his activity.
> While the case of rapid address changes within a single /64 on IPv6 is hypothetical and speculative, because it will be quickly visible. Does anyone really think that the attacker wants to be caught quickly?

Even a cheap VPS typically gets a whole /64 per host (at least in my experience). So the possibility to rotate through IPv6 addresses is actually cheap, easy, and far from hypothetical. From that POV it makes perfect sense to me to block whole /64s and _not_ bother with individual /128s.

Cheers
-Andi
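An added illustration, not code from either poster, of what keying an abuse counter by /64 instead of /128 changes in practice: the sample queries (constructed, using the 2001:db8::/32 documentation prefix) rotate through addresses inside one /64, and only the /64 keying sees them as one client. The address list, the limit of 4 and the function names are assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample: six queries from addresses rotating inside one /64,
# two from a second /64, and three from a single IPv4 address (which may
# front many NAT users). Not real traffic.
SAMPLE_QUERIES = [
    "2001:db8:1:2::1", "2001:db8:1:2::2", "2001:db8:1:2:a:b:c:d",
    "2001:db8:1:2::1:1", "2001:db8:1:2:ffff::9", "2001:db8:1:2::dead",
    "2001:db8:9:9::1", "2001:db8:9:9::2",
    "198.51.100.7", "198.51.100.7", "198.51.100.7",
]


def abuse_key(addr: str, v6_prefix: int = 64) -> str:
    """Map an address to the bucket a query counter should use.

    IPv4 is keyed per host (/32). IPv6 is keyed by v6_prefix: with 64 the
    whole /64 shares one bucket, with 128 every address is its own bucket.
    """
    ip = ipaddress.ip_address(addr)
    prefix = 32 if ip.version == 4 else v6_prefix
    # strict=False so host bits are masked off instead of raising.
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def bucket_counts(addrs, v6_prefix: int = 64) -> Counter:
    """Number of queries seen per bucket for the chosen IPv6 keying prefix."""
    return Counter(abuse_key(a, v6_prefix) for a in addrs)


def over_limit(addrs, limit: int, v6_prefix: int = 64) -> list:
    """Buckets whose query count exceeds limit (an AUP-style threshold)."""
    counts = bucket_counts(addrs, v6_prefix)
    return sorted(k for k, n in counts.items() if n > limit)


if __name__ == "__main__":
    for p in (128, 64):
        hits = over_limit(SAMPLE_QUERIES, 4, p)
        print(f"IPv6 keyed by /{p}: buckets over limit 4 -> {hits}")
```

With /128 keying the rotating client never trips the limit; with /64 keying the whole 2001:db8:1:2::/64 bucket does, while the unrelated /64 and the IPv4 host stay under it.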