The Geek Bin

/64. It’s not that hard.

As service providers begin to dish out IPv6 ranges, it’s become apparent that they don’t quite understand how IPv6 should be handed out. Handing out a single or smaller than /64 IPv6 range is unnecessary — especially if you’re a hosting provider.

I’ve been hosting customers for a while, and recently acquired a new customer. They came to me after their original host had all their outbound emails blocked on gmail and needed to be able to deliver them. That hosting company in question recently enabled sending mail via IPv6, and the delivery agent was configured to prefer IPv6 in order to warm-up delivery of the emails from the IPv6 range. If they had done it correctly, it would’ve worked rather nicely, but, instead of assigning a /64 per server in their infrastructure they only assigned a /128 out of the /64 to each server. When one bad apple came in and spammed outbound before the hosting provider caught them, gmail’s spam filter automatically blocked the entire /64, meaning every customers email was being rejected and binned as spam.

So, this hosting company in question had one bad apple that prevented hundreds of customers from delivering their legitimate email because they didn’t assign a /64 per server. It’s not like they didn’t have enough IPv6 ranges, the provider in question had an entire /44 allocated and could’ve very easily split up the /64 chunks.

Many email spam filters are configured to block entire /64 regions when spam comes in, and not only emails, but providers as well of other services (say, CDN, SaaS, PaaS, etc) will block entire /64 regions where abuse originates from. There’s many articles on why you should assign a /64 per customer.

If you’re not assigning a /64 per server, or better, per-customer, you’re doing it wrong. A website dedicated to /64 assignment exists, and has more examples in reference.

I encourage everyone to demand the minimal IPv6 range you receive is a /64, if your ISP is not doing that you should link them this post and the website referenced above. If you need IPv6 connectivity, Hurricane Electric has their Tunnel Broker you can leverage.

Add Comment