by Dylan16807 347 days ago
> For a whitelist system, then by definition yes?

A whitelist system would consider all IPv4 traffic suspicious by default too. This is not an answer to why you'd be suspicious of IPv6 in particular.

> I’ve not heard of any feasible solution more precise than banning huge ranges of ipv6 addresses.

Handling /56s or something like that is about the same as handling individual IPv4 addresses.


I try to build things to be INET6 ready, and just repeat /64s like a single host. Eventually this will probably have to be broadened to /56s or /48s.
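Added example, not part of any comment in this thread: one way to key a ban or rate-limit table on a prefix instead of a single address, so a /64 (or /56) counts as one client the way an individual IPv4 address does. The function names, the limit and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Assumed aggregation widths: one bucket per IPv4 host, one per IPv6 /64.
# The comments above mention /56 or /48 as likely later choices.
V4_PREFIX = 32
V6_PREFIX = 64


def bucket_key(addr: str, v6_prefix: int = V6_PREFIX) -> str:
    """Return the network that stands in for this client in a filter table."""
    # Drop a zone id such as "%eth0" before parsing.
    ip = ipaddress.ip_address(addr.split("%", 1)[0])
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is really an IPv4 client;
    # bucketing it as IPv6 would let one host appear under two keys.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    prefix = V4_PREFIX if ip.version == 4 else v6_prefix
    # strict=False masks the host bits instead of raising on them.
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def over_limit(addrs, limit: int, v6_prefix: int = V6_PREFIX) -> dict:
    """Count requests per bucket and return the buckets above the limit."""
    counts = Counter(bucket_key(a, v6_prefix) for a in addrs)
    return {net: n for net, n in counts.items() if n > limit}


# Constructed sample: source addresses of seven requests.
SAMPLE = [
    "2001:db8:aa:1::1",
    "2001:db8:aa:1:dead:beef:0:2",  # same /64, different interface id
    "2001:db8:aa:1:ffff::3",        # same /64 again
    "2001:db8:aa:2::1",             # neighbouring /64 inside the same /56
    "192.0.2.10",
    "::ffff:192.0.2.10",            # the same IPv4 host seen on a dual-stack socket
    "198.51.100.7",
]

if __name__ == "__main__":
    print(over_limit(SAMPLE, limit=2))                # per-/64 view
    print(over_limit(SAMPLE, limit=2, v6_prefix=56))  # per-/56 view
```
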
> A whitelist system would consider all IPv4 traffic suspicious by default too.

Based on what argument…?

The definition of whitelisting. The argument you brought up.
No…? Someone can clearly implement a whitelist system that applies only to ipv6… but that makes no judgement on ipv4.
Let's back up a step. You said by definition a whitelist system would consider every IPv6 suspicious (until it's put on the list, presumably). What is that definition?

If "applies only to IPv6" is an optional decision someone could make, then it's not part of the definition of a whitelist system for IPs, right?

What are you talking about?

The prior comment was responding directly to your comment, not any comment preceding that.

Of course it’s no longer by definition if you expand the scope beyond an ipv6 whitelist as there are an infinite number of possible whitelists.

> What are you talking about?

The first comment with the word "whitelist". Before I entered the conversation. This comment: https://news.ycombinator.com/item?id=44449821

lxgr was challenging the idea that you would treat all IPv6 traffic as suspicious.

You justified it by saying that "by definition" "a whitelist system" would do that.

I want your definition of "a whitelist system". Not one of the infinite possible definitions, the one you were using right then while you wrote that comment.

> if you expand the scope beyond an ipv6 whitelist

Your comment before that was talking about IP filtering in general, both v4 and v6!

And then lxgr's comment was about both v4 and v6.

So when you said "a whitelist system" I assumed you were talking about IP whitelists in general.

If you weren't, if you jumped specifically to "IPv6 whitelist", you didn't answer the question they were asking. What is the justification to treat all IPv6 as suspicious? Why are we using the definition of 'IPv6 whitelist' in the first place?