A plan for email over IPv6
-
Upload
terry-zink -
Category
Engineering
-
view
662 -
download
4
Transcript of A plan for email over IPv6
![Page 1: A plan for email over IPv6](https://reader033.fdocuments.net/reader033/viewer/2022042817/55a781101a28ab333e8b4659/html5/thumbnails/1.jpg)
Terry Zink
Program Manager
Microsoft
A plan for email over IPv6November 2014
![Page 2: A plan for email over IPv6](https://reader033.fdocuments.net/reader033/viewer/2022042817/55a781101a28ab333e8b4659/html5/thumbnails/2.jpg)
People in the
computer
networking world
IPv6 is coming
![Page 3: A plan for email over IPv6](https://reader033.fdocuments.net/reader033/viewer/2022042817/55a781101a28ab333e8b4659/html5/thumbnails/3.jpg)
Everyone
who works in
IPv6 is coming
![Page 4: A plan for email over IPv6](https://reader033.fdocuments.net/reader033/viewer/2022042817/55a781101a28ab333e8b4659/html5/thumbnails/4.jpg)
Why? Because of scale!
Feeding your family
is one thing…
… but feeding the world is another!
![Page 5: A plan for email over IPv6](https://reader033.fdocuments.net/reader033/viewer/2022042817/55a781101a28ab333e8b4659/html5/thumbnails/5.jpg)
Why? Because of scale!
Email spam is a big problem today
because there are so many available
IP addresses and spammers can
rotate through them.
But the full set is limited, only 4 billion
possible IPs. With a near infinite
number of IPs, how can modern filters
keep up?
![Page 6: A plan for email over IPv6](https://reader033.fdocuments.net/reader033/viewer/2022042817/55a781101a28ab333e8b4659/html5/thumbnails/6.jpg)
What we mean by email over
IPv6Already supported in Office 365
![Page 7: A plan for email over IPv6](https://reader033.fdocuments.net/reader033/viewer/2022042817/55a781101a28ab333e8b4659/html5/thumbnails/7.jpg)
Modern spam filters
![Page 8: A plan for email over IPv6](https://reader033.fdocuments.net/reader033/viewer/2022042817/55a781101a28ab333e8b4659/html5/thumbnails/8.jpg)
Modern spam filters
Advantages of IP reputation lists
1. Resource optimization
2. Storage
3. Spam effectiveness
4. Reduced risk
![Page 9: A plan for email over IPv6](https://reader033.fdocuments.net/reader033/viewer/2022042817/55a781101a28ab333e8b4659/html5/thumbnails/9.jpg)
Future spam filters?
![Page 10: A plan for email over IPv6](https://reader033.fdocuments.net/reader033/viewer/2022042817/55a781101a28ab333e8b4659/html5/thumbnails/10.jpg)
Future spam filters? No!
It doesn’t matter how many IPs you
add, you’re always behind.
In IPv6, IP blocklists become too
large. Spammers could get an IP,
send spam and then discard quickly.
How do we know they will do this?
Because they are doing this!
![Page 11: A plan for email over IPv6](https://reader033.fdocuments.net/reader033/viewer/2022042817/55a781101a28ab333e8b4659/html5/thumbnails/11.jpg)
Solution:
Authentication!
Email over IPv6
Have DKIM header?
Pass DKIM?
Pass SPF?
Reject message
No
No
Yes
No
Reject message
Accept message for further processing
Yes
No
Yes
Does connecting IP have PTR
record?
Yes
![Page 12: A plan for email over IPv6](https://reader033.fdocuments.net/reader033/viewer/2022042817/55a781101a28ab333e8b4659/html5/thumbnails/12.jpg)
Solution:
Authentication!
Email over IPv6
Have DKIM header?
Pass DKIM?
Pass SPF?
Reject message
No
No
Yes
No
Reject message
Accept message for further processing
Yes
No
Yes
Does connecting IP have PTR
record?
Yes
1.Sending IPv6 address must have
PTR, and must pass SPF or DKIM
2.Allows communication for those
who need it, senders can always
fallback to IPv4 (if they no how)
3.Potentially less widespread abuse
over IPv6
4.Domain reputation and
authentication is already done today
in IPv4, just not required
![Page 13: A plan for email over IPv6](https://reader033.fdocuments.net/reader033/viewer/2022042817/55a781101a28ab333e8b4659/html5/thumbnails/13.jpg)
Why do it this way?
1. IP reputation will not scale, but domain reputation will
2. Passing SPF or DKIM makes it possible to perform domain reputation
3. Requiring a PTR means that the device intentionally sends email rather than being compromised by malware and sending it as a byproduct of having internet-connectivity;
Most internet-connected devices in IPv6 won’t even have PTR records (and therefore cannot send spam)
![Page 14: A plan for email over IPv6](https://reader033.fdocuments.net/reader033/viewer/2022042817/55a781101a28ab333e8b4659/html5/thumbnails/14.jpg)
Standards
http://xkcd.com/927/
![Page 15: A plan for email over IPv6](https://reader033.fdocuments.net/reader033/viewer/2022042817/55a781101a28ab333e8b4659/html5/thumbnails/15.jpg)
Capacity
Internet
EOP/ExO
IPv6
IPv4
Keep track of this ratio, push back if max IPv6 connections
exceeds threshold
![Page 16: A plan for email over IPv6](https://reader033.fdocuments.net/reader033/viewer/2022042817/55a781101a28ab333e8b4659/html5/thumbnails/16.jpg)
Throttling
Front End
Need to handle the case that a random
machine starts sending too much email that
isn’t necessarily spam.
Roll-up data into a minimum \64 IPv6 range.
![Page 17: A plan for email over IPv6](https://reader033.fdocuments.net/reader033/viewer/2022042817/55a781101a28ab333e8b4659/html5/thumbnails/17.jpg)
Rollout Plan
1. At first, we will manually enable customers
(October 2014)
2. Then, we will widen it to more customers
who manually enable it
3.Finally, it will be available by default
![Page 18: A plan for email over IPv6](https://reader033.fdocuments.net/reader033/viewer/2022042817/55a781101a28ab333e8b4659/html5/thumbnails/18.jpg)
IPv4 vs IPv6
IP reputation
Well understood
Very forgiving
Authentication
nice
Authentication
required
Domain reputation
More rigid
Impact unclear
![Page 19: A plan for email over IPv6](https://reader033.fdocuments.net/reader033/viewer/2022042817/55a781101a28ab333e8b4659/html5/thumbnails/19.jpg)
Conclusions
IPv6 is coming
Eventually we will all send email over
IPv6
We need to do something different
than what we do in IPv4 in order to
control spam