
Say I am operating a public service. Generally, people behave, but every once in a while someone does not, and it is usually good to know who you're receiving that blessing from.

Hence, assuming

  • that it's a good idea to keep track of recent IPs your users use,
  • that service providers generally give their customers a /64 block,
  • that software such as radvd or even isc-dhcp-server assumes it gets nothing less than a /64 block, and
  • that due to privacy extensions, at least Windows allocates multiple addresses in the /64 block that it rotates between (allocating more as it goes on)

would it be a good idea to just throw away the final 64 bits of an IPv6 address, and just keep track of the first 64 bits?

Aaa
  • One small correction to your assumptions: ISPs will generally give their users more than a single /64. Expect /56 or /48 per customer. Exact sizes will vary per ISP. – Sander Steffann Aug 02 '16 at 23:55
  • Why throw the information away? You will probably need it later. You absolutely will need it for any sort of abuse reporting. – Michael Hampton Aug 03 '16 at 00:08
  • Good question - if the /64 is assigned by the ISP, and the other 64 bits are generated randomly by the customers' computers, then the other 64 bits appear to be only clutter. In normal operation, a Windows 10 PC with IPv6 will have half a dozen IPv6 addresses assigned to itself, but the /64 will be much more static. – Aaa Aug 03 '16 at 00:48
  • @SanderSteffann I think the point of his assumption is that they don't give customers anything *smaller* than a /64, so that's sufficient to identify the customer. Giving them more than a single /64 doesn't violate that assumption. – Barmar Aug 09 '16 at 18:57

1 Answer


Logging the /64 will get you to the netblock owner, but if/when you actually engage with the real person that is responsible for that network, they're going to want the full /128. With statically-assigned addresses or DHCPv6, they are going to have logs of which machines got which IP addresses, and without the full address, the information you provide loses much of its utility.

EEAA
  • Wouldn't the /64 be enough to identify their customer already, though? – Aaa Aug 03 '16 at 00:46
  • @Stefan Suppose I have your /64. That's probably enough to identify your house, and I can send you a letter or whatever people do. But then how can you tell which of your kids it is so you know who to punish appropriately? – user253751 Aug 03 '16 at 01:19
  • The /64 would have been enough to IP-ban your entire household, though. – user253751 Aug 03 '16 at 01:20
  • @Stefan How would you identify the customer's customer? This all seems like a lot of thought to save a minuscule amount of disk space. Just save the entire address. – EEAA Aug 03 '16 at 01:21
  • Note that some courts have ruled that an IPv4 address is not legally connectable to a person because of NAT, so throwing out the computer-specific part of the address could be an issue if you ever need to use your logs for legal reasons. If you do have all 128 bits, it's much easier to connect actions done on a specific machine to the user of that machine because there's no NAT. Keeping only the network portion of the address allows the "NAT IP isn't *my* IP" defense from IPv4 to be applied to IPv6. – Moshe Katz Aug 03 '16 at 10:33
  • All right. :) I'm not going to send letters, nor care much about "which kid did it" - usually if I have to block an IP I just don't want to have anything to do with that household period. However, it's true - saving 8 extra bytes won't kill me, and I can always remove clutter in the user interface. Thanks guys! – Aaa Aug 05 '16 at 19:55
  • Welcome! Have a great weekend. – EEAA Aug 05 '16 at 19:56
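
The approach the thread settles on (store the full /128, collapse to the prefix only when grouping or blocking), shown as an added example that is not part of the original posts. The function names and the sample log are constructed for illustration; `v6_prefix` is adjustable because, as noted in the comments, ISPs may delegate a /56 or /48 per customer.

```python
import ipaddress
from collections import defaultdict

# Constructed sample entries (user, source address) using documentation prefixes.
SAMPLE_LOG = [
    ("alice", "2001:db8:1:2:a1b2:c3d4:e5f6:1"),
    ("alice", "2001:db8:1:2:9999:8888:7777:2"),  # same /64, rotated privacy address
    ("bob", "2001:db8:1:3::10"),                 # same /56, different /64
    ("carol", "2001:db8:ffff:1::5"),
    ("dave", "::ffff:192.0.2.7"),                # IPv4-mapped IPv6
    ("erin", "192.0.2.7"),
]


def normalize(addr_text):
    """Parse an address and unwrap IPv4-mapped IPv6 to plain IPv4."""
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def group_key(addr_text, v6_prefix=64):
    """Network used for grouping or blocking; the stored record keeps all 128 bits."""
    addr = normalize(addr_text)
    if addr.version == 4:
        return ipaddress.IPv4Network(f"{addr}/32")
    return ipaddress.IPv6Network(f"{addr}/{v6_prefix}", strict=False)


def group_log(entries, v6_prefix=64):
    """Map each prefix to the (user, full address) pairs seen inside it."""
    groups = defaultdict(list)
    for user, addr_text in entries:
        groups[group_key(addr_text, v6_prefix)].append((user, addr_text))
    return dict(groups)


def is_blocked(addr_text, blocked_networks):
    """True if the address falls inside any blocked network (e.g. a banned /64)."""
    addr = normalize(addr_text)
    return any(addr in net for net in blocked_networks)


if __name__ == "__main__":
    for net, seen in group_log(SAMPLE_LOG).items():
        print(net, "->", seen)
```

Grouping at /64 folds the rotating privacy addresses into one row for display, while the stored full address stays available for an abuse report.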