Wikidata:Requests for comment/Adapt blocking policy to IPv6 networks
An editor has requested the community to provide input on "Adapt blocking policy to IPv6 networks" via the Requests for comment (RFC) process. This is the discussion page regarding the issue.
If you have an opinion regarding this issue, feel free to comment below. Thank you! |
Greetings, I hereby request an update to our Wikidata:Blocking policy to address a quirk of IPv6 networks and addresses. For reference, please see en:IPv6 address#Address space. By design and by implementation, IPv6 addresses work as follows: they are typically provisioned to consumers as a /56 to /64 block. The /64 is the smallest recommended block to be provisioned, even to a single user, even to a single device. Yes, you read that right: that's nearly 18,446,744,073,709,551,615 addresses given to a single device.
IPv6 users will always hop among addresses, and this is not by intent or deliberate evasion. IPv6 implementations, in Windows, Linux, macOS, etc, are designed to change the Interface ID on very small time scales, such as minutes, hours, or days. The Interface ID is the rightmost 64 bits of an IPv6 address, while the leftmost 64 bits (network prefix) are split between "Routing prefix" and "Subnet ID".
Administrators may be accustomed to block a single /32 IPv4 address. This can be effective for stable IPs and will effectively stop abuse in many cases. Also, small rangeblocks are very effective, such as a /24, affecting about 254 usable host addresses. These are always going to be the same ISP, and often the same geographic area or POP, and so collateral damage can be appropriately limited. It may seem shocking to administrators that blocking a /64 IPv6 address entails zero collateral damage, but that's how it works!
See also
[edit]- Wikidata:Administrators' noticeboard/Archive/2023/07#Report concerning User:2607:fb91:22c7:9b3:ac39:b712:b3e7:cbce
- MediaWiki Help: IPv6 Range Blocks
- en:User:TonyBallioni/Just block the /64
Proposal:
- When blocking editors based on IPv6 address, administrators should begin by blocking the /64, which is the minimum viable range, and usually pertains to a single user and a single device.
- IPv6 blocks with /64 (or /80 or /96 or /112) do not entail "collateral damage", and they are necessary to ensure total coverage of the source device using IPv6. A /64 block should be considered by administrators to be equivalent to a /32 block on a single IPv4 address. (MediaWiki Help)
- IPv6 blocks against a /128 "single address" Interface ID will prove ineffective within hours or days, as the disruptive editor's own system randomizes and resets to a new, unrelated Interface ID.
- IPv6 addresses are more likely than IPv4 to be stable and statically-assigned, with the exception of mobile broadband services, and therefore IPv6 blocking may be considered a comparatively effective means to prevent abuse and disruption.
Comments
[edit]- So isn't this pretty much common knowledge already among admins? Sounds more like content for an admin handbook, not for the blocking policy. —MisterSynergy (talk) 21:42, 9 August 2023 (UTC)
- I agree that's it's not really an amendment to the policy, but I'm not sure it is common knowledge either. I know I've had to go back on a couple of my vandalism reports to ask the blocking admin to extend the block to the /64 range because only the single IP address was blocked and the vandal jumped to another IP within the range. –FlyingAce✈hello 14:34, 14 August 2023 (UTC)
- So as far as I can see this RfC came into existence precisely because of admins handling IPv6 blocks incorrectly (example). I don't know what's the proper way to educate admins on this. Admins recruit from a wide variety of backgrounds and evidently don't necessarily have the knowledge they need to issue effective blocks. Introducing a binding rule: "IPv6 blocks should always block at least a 64 bit range" would probably help some admins. -- Dr.üsenfieber (talk) 10:05, 18 August 2023 (UTC)
- There is no need to change the blocking of IP6 addresses, in most cases it is sufficient to simply block them. If an IP6 address changes or active LTAs, we can block the range - the administrators need to know this.--WikiBayer (talk) 13:59, 15 January 2024 (UTC)
- In general nothing in our admin recruitment process that guarrants the necessary knowledge. I don't think the blocking policy page would be the best place to communicate that knowledge. A link from Special:Block to MediaWiki Help: IPv6 Range Blocks would do the job better. ChristianKl ❪✉❫ 14:46, 24 April 2024 (UTC)