A plan for email over IPv6
Terry Zink
Program Manager
Microsoft
A plan for email over IPv6
November 2014
People in the computer networking world
IPv6 is coming
Everyone who works in
IPv6 is coming
Why? Because of scale!
Feeding your family is one thing… but feeding the world is another!
Email spam is a big problem today because there are so many available IP addresses and spammers can rotate through them.
But the full set is limited, only 4 billion possible IPs. With a near infinite number of IPs, how can modern filters keep up?
What we mean by email over IPv6
Already supported in Office 365
Modern spam filters
Advantages of IP reputation lists
1. Resource optimization
2. Storage
3. Spam effectiveness
4. Reduced risk
Future spam filters?
Future spam filters? No!
It doesn’t matter how many IPs you add, you’re always behind.
In IPv6, IP blocklists become too large. Spammers could get an IP, send spam and then discard quickly.
How do we know they will do this? Because they are doing this!
Solution: Authentication!
Email over IPv6
[Flowchart. Decisions: Does connecting IP have PTR record? Have DKIM header? Pass DKIM? Pass SPF? Outcomes: Reject message; Accept message for further processing.]
1. Sending IPv6 address must have PTR, and must pass SPF or DKIM
2. Allows communication for those who need it; senders can always fall back to IPv4 (if they know how)
3. Potentially less widespread abuse over IPv6
4. Domain reputation and authentication are already done today in IPv4, just not required
Why do it this way?
1. IP reputation will not scale, but domain reputation will
2. Passing SPF or DKIM makes it possible to perform domain reputation
3. Requiring a PTR means that the device intentionally sends email rather than being compromised by malware and sending it as a byproduct of having internet connectivity. Most internet-connected devices in IPv6 won’t even have PTR records (and therefore cannot send spam)
Standards
http://xkcd.com/927/
Capacity
[Diagram labels: Internet, EOP/ExO, IPv6, IPv4]
Keep track of this ratio, push back if max IPv6 connections exceeds threshold
Throttling
Front End
Need to handle the case that a random machine starts sending too much email that isn’t necessarily spam.
Roll up data into a minimum /64 IPv6 range.
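An added example (not from the original slides or from Office 365) that combines the acceptance rule above, PTR required and then DKIM or SPF must pass, with throttle counters rolled up to the /64. The `FrontEnd` class, the per-key limit, the result strings and the order of the throttle and authentication checks are assumptions; the addresses are constructed from documentation prefixes.

```python
import ipaddress
from collections import Counter

def rollup_key(ip: str) -> str:
    """Counting key: the enclosing /64 for IPv6, the single address for IPv4."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        return str(ipaddress.ip_network(f"{addr}/64", strict=False))
    return str(addr)

def auth_verdict(has_ptr: bool, dkim: str, spf: str) -> str:
    """IPv6 rule from the slides: PTR required, then DKIM or SPF must pass.
    dkim: "none" (no DKIM header), "pass" or "fail"; spf: "pass" or "fail"."""
    if not has_ptr:
        return "reject"
    if dkim == "pass":
        return "accept"
    # No DKIM header, or DKIM failed: fall through to SPF.
    return "accept" if spf == "pass" else "reject"

class FrontEnd:
    """Hypothetical front end: throttle per rollup key, then authenticate."""
    def __init__(self, limit: int):
        self.limit = limit          # assumed per-key budget; the slides give no number
        self.seen = Counter()

    def handle(self, ip: str, has_ptr: bool, dkim: str, spf: str) -> str:
        key = rollup_key(ip)
        self.seen[key] += 1
        if self.seen[key] > self.limit:
            return "throttle"
        if ipaddress.ip_address(ip).version == 6:
            return auth_verdict(has_ptr, dkim, spf)
        return "accept"             # IPv4: authentication is not required

def demo():
    # Constructed sample: five addresses in one documentation-prefix /64,
    # then an unauthenticated sender in a different /64.
    fe = FrontEnd(limit=3)
    out = [fe.handle(f"2001:db8:0:1::{i:x}", True, "pass", "fail") for i in range(1, 6)]
    out.append(fe.handle("2001:db8:0:2::1", True, "none", "fail"))
    return out

if __name__ == "__main__":
    print(demo())
```

Because the counter is keyed on the /64, a sender that changes address within its own prefix for every message still draws from a single budget.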
Rollout Plan
1. At first, we will manually enable customers (October 2014)
2. Then, we will widen it to more customers who manually enable it
3. Finally, it will be available by default
IPv4 vs IPv6
IPv4: IP reputation; well understood; very forgiving; authentication nice
IPv6: Domain reputation; more rigid; impact unclear; authentication required
Conclusions
IPv6 is coming
Eventually we will all send email over IPv6
We need to do something different than what we do in IPv4 in order to control spam