Comment by swinglock
1 day ago
You should block the whole /64, at least. It's often a single host. It's often but not always a single host, that's standardized.
Usually a /64 is a "local network", so in the case of consumer ISPs that's all the devices belonging to a given client, not a single device.
Some ISPs provide multiple /64s, but in the default configuration the router only announces the first /64 to the local network.
In mobile networks it's usually a single device.
Presumably a compromised device can request arbitrarily many new IPv6 addresses from DHCP, so the entire block would be compromised. It would be interesting to see if standard DHCP could limit auto-leasing to guard the reputation of the network.
Generally, IPv6 does autoconfiguration (never seen a home router with DHCPv6), so no need to ask for anything. Even for IPv4, I've never seen a home router enforce DHCP (even though it would force the public IP).
But the point stands, you can't selectively punish a single device, you have to cut off the whole block, which may include well-behaved devices.
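The thread's practical conclusion is that reputation for IPv6 clients has to be tracked per /64 (or per /128 on mobile networks where a prefix is one device), because a single host can rotate through as many addresses inside its prefix as it likes. The following is an added example, not code from any commenter: it normalises each client address to the prefix the defender actually blocks at, aggregates denied requests per prefix over a few constructed log lines, and reports how many distinct source addresses were seen inside each prefix, which is the signal that per-address blocking would be futile. The log format, the `403` status as the "denied" marker and the threshold of 3 are assumptions chosen for the illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log lines (not taken from the thread): "timestamp client_ip status".
# The first four addresses all live in 2001:db8:1:2::/64, i.e. one customer's LAN
# (or one host rotating SLAAC privacy addresses); 2001:db8:9:9::/64 behaves well;
# the IPv4 client repeats from a single address.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 2001:db8:1:2:a1b2:c3d4:e5f6:1 403
2024-05-01T10:00:02Z 2001:db8:1:2:ffff:1234:5678:9 403
2024-05-01T10:00:03Z 2001:db8:1:2:0:0:0:7 403
2024-05-01T10:00:04Z 2001:db8:1:2:dead:beef:0:1 403
2024-05-01T10:00:05Z 2001:db8:9:9:1:1:1:1 200
2024-05-01T10:00:06Z 203.0.113.7 403
2024-05-01T10:00:07Z 203.0.113.7 403
"""


def to_block_prefix(ip_str, v6_prefix=64, v4_prefix=32):
    """Map one client address onto the prefix we track reputation for.

    v6_prefix=64 matches the thread's advice for consumer ISPs; pass 128 for
    networks (e.g. mobile) where each prefix is known to be a single device.
    Raises ValueError for strings that are not IP addresses.
    """
    ip = ipaddress.ip_address(ip_str)
    plen = v6_prefix if ip.version == 6 else v4_prefix
    # strict=False lets host bits be set; the result is the containing network.
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def aggregate_abuse(log_text, denied_status="403", v6_prefix=64):
    """Return {prefix: (denied_count, distinct_source_addresses)}.

    distinct_source_addresses > 1 inside a /64 is the tell that blocking
    individual /128s would just chase a host across its own prefix.
    """
    hits = defaultdict(int)
    sources = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore malformed lines rather than crash on them
        _ts, ip_str, status = parts
        if status != denied_status:
            continue
        try:
            prefix = to_block_prefix(ip_str, v6_prefix=v6_prefix)
        except ValueError:
            continue  # not an IP address; skip
        hits[prefix] += 1
        sources[prefix].add(ip_str)
    return {str(p): (hits[p], len(sources[p])) for p in hits}


def blocks_to_apply(stats, threshold=3):
    """Prefixes whose denied-request count reached the (assumed) threshold."""
    return sorted(p for p, (count, _distinct) in stats.items() if count >= threshold)


if __name__ == "__main__":
    stats = aggregate_abuse(SAMPLE_LOG)
    for prefix, (count, distinct) in sorted(stats.items()):
        print(f"{prefix:28} denied={count} distinct_addresses={distinct}")
    print("block:", blocks_to_apply(stats))
```

Running it shows `2001:db8:1:2::/64` with four denials from four different addresses and `203.0.113.7/32` with two from one address, so only the /64 crosses the threshold. The caveat from the thread carries over unchanged: the /64 block also catches any well-behaved devices on that LAN, which is why the prefix length is a parameter rather than a constant.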