Should AnonRateThrottle work on a per-subnet basis for IPv6?

[Rotzbua]

Checklist

• I have verified that that issue exists against the master branch of Django REST framework.
• I have searched for similar issues in both open and closed tickets and cannot find a duplicate.
• This is not a usage question. (Those should be directed to the discussion group instead.)
• This cannot be dealt with as a third party library. (We prefer new functionality to be in the form of third party libraries where possible.)
• I have reduced the issue to the simplest possible case.
• I have included a failing test as a pull request. (If you are unable to do so we can still accept the issue.)

Steps to reproduce

• Activated AnonRateThrottle
• Access via IPv6
• trigger throttle
• change IPv6 in subnet
• again new tries

Expected behavior

Block IPv6 subnets instead of IPv6 address.

Actual behavior

With IPv6 also the ip only is used. As customer you get from your internet provider a complete subnet /64.
This means you can create 2^64 IPv6 addresses and use them.
So with ipv6 rate limiting does not work as suggested.

Impact

Security: AnonRateThrottle is used to protect login or authentication API.

[tomchristie]

I don't know enough about this to form a judgement, as too if we ought to be matching on a subnet basis for IPv6 or not, or what the implications are. If a users IPv6 address stays constant unless there's deliberate intervention (Your "change IPv6 in subnet" step) then we might be perfectly happy with things as they are.

I wouldn't class this as security, but then I think we need to do a better job of documenting application-level throttling as absolutely definitively not being a security feature. It's a useful business feature. (Ensure that the majority of your customers abide within particular limits.)

Is there any other prior art for us to base our decisions here against?

[timmc-edx]

Here's some additional information on what's needed for IPv6 rate-limiting: https://adam-p.ca/blog/2022/02/ipv6-rate-limiting/. It sounds like doing this right can get pretty complicated, but there's a huge improvement that can be made with very little effort:

For a quick fix, block IPv6 /64s rather than individual IPs. It might not be perfect, but it’s 2⁶⁴ times better.

😄