by throw0101d 66 days ago
I have not had to deal with this, but if I were going to, I would start at the /64 and move up by nibble (4-bit) boundaries: /64, /60, /56, /52, /48.

/56 is often recommended as the minimum for a (residential) customer. /48 is considered a "site" address prefix, and is the smallest allocation that can be advertised in BGP:

* https://blog.apnic.net/2020/06/01/why-is-a-48-the-recommende...

* https://www.infoblox.com/blog/ipv6-coe/a-48-for-every-site-a...

You get 65k subnets with it, which is what you get with 10/8.
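As an added illustration of the nibble-boundary approach described above (example code, not from the commenter or from either linked blog post), the block below starts at the /64, widens only along 4-bit boundaries (/60, /56, /52, /48), and never goes past the /48 "site" prefix. It also scores reputation per /48 while keeping track of how many distinct /64s inside that site actually produced events, so one noisy /64 does not silently sink the whole site. The addresses are constructed sample data from the 2001:db8::/32 documentation prefix, and the `min_distinct` threshold is an assumed policy knob, not something the thread specifies.

```python
import ipaddress
from collections import Counter, defaultdict

# Nibble (4-bit) boundaries from the /64 upward, narrowest first.
NIBBLE_PREFIXES = (64, 60, 56, 52, 48)

# Constructed sample of addresses that tripped some abuse rule (documentation prefix).
SAMPLE_OFFENDERS = [
    "2001:db8:1:0:aaaa::1",   # /64 2001:db8:1::/64
    "2001:db8:1:1::5",        # /64 2001:db8:1:1::/64
    "2001:db8:1:2::9",        # /64 2001:db8:1:2::/64
    "2001:db8:1:2::10",       # same /64 as the previous entry
    "2001:db8:2:7::1",        # a lone /64 in a different /48
]


def prefix_at(addr: str, length: int) -> ipaddress.IPv6Network:
    """Network containing `addr` at a nibble-aligned prefix length."""
    if length % 4:
        raise ValueError(f"/{length} is not on a nibble boundary")
    return ipaddress.ip_network(f"{addr}/{length}", strict=False)


def choose_blocks(offenders, min_distinct=3):
    """Start at the /64 and widen along nibble boundaries.

    A wider prefix replaces its /64s only when at least `min_distinct` distinct
    offending /64s fall inside it; the widest qualifying prefix wins, and we never
    widen past /48. Returns the chosen prefixes as CIDR strings in address order.
    """
    nets64 = {prefix_at(a, 64) for a in offenders}
    blocks = set()
    for net64 in nets64:
        chosen = net64
        for length in NIBBLE_PREFIXES[1:]:
            parent = net64.supernet(new_prefix=length)
            inside = sum(1 for n in nets64 if n.subnet_of(parent))
            if inside >= min_distinct:
                chosen = parent
        blocks.add(chosen)
    # Every /64 inside a chosen wider prefix picks that same prefix, so the set
    # never contains a block nested inside another block.
    return [str(b) for b in sorted(blocks)]


def reputation_scores(events, length=48):
    """Per-/48 ("site") reputation: event count plus number of distinct /64 sources."""
    events_per = Counter()
    sources_per = defaultdict(set)
    for addr in events:
        site = prefix_at(addr, length)
        events_per[site] += 1
        sources_per[site].add(prefix_at(addr, 64))
    return {
        str(site): {"events": events_per[site], "distinct_64s": len(sources_per[site])}
        for site in events_per
    }


if __name__ == "__main__":
    print("blocks:", choose_blocks(SAMPLE_OFFENDERS))
    for site, score in reputation_scores(SAMPLE_OFFENDERS).items():
        print(site, score)
```

With the sample data and the default threshold of three, the three offending /64s under 2001:db8:1::/48 collapse into a single /48 block while the lone /64 under 2001:db8:2::/48 stays a /64; raising the threshold to four keeps all four /64s separate. The score for 2001:db8:1::/48 reports four events from three distinct /64s, which is the kind of detail a per-/48 reputation would want before treating the whole site as hostile.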


Yes, /64 is a reasonable starting point for blocking outright, but /48 is the right unit for scoring reputation.
The APNIC blog says /48 prefixes are for global routing, i.e. site = country there, not web server.

>/48 is the minimum prefix size that will be routed globally in the BGP.

I'm not sure if I'm misreading you, but a /48 would never be an entire country's v6 allocation.

If we're talking home networks, you can reliably expect a /48 to a) not be announced in BGP itself, and b) cover one to a few hundred users of one ISP. (The containing /32 or similar will be announced.) A business might structure its network so that one of its /48s corresponds to a country, but in that case the /48 would be covering just that business, which would be a sensible unit for reputation tracking.

The reputation unit is a /64 block, so if you want to see a 100-person ISP as one reputation unit, it should get a /64 block. But AFAIK, in practice today the reputation unit is a country.
Country would be far too coarse to be useful. I suspect it's more likely to be at the AS level, or /32 or somewhere around there.

I have a /48. The amount of "we have detected unusual activity from your network" messages I get from sites, when I'm reasonably sure the only activity coming from my network is my usual activity on those sites, suggests that they're using something bigger than /48.