際際滷

際際滷Share a Scribd company logo

A plan for email over IPv6

?Download as PPTX, PDF?
?
T
Terry Zink

Terry Zink of Microsoft explains a general industry plan for sending and receiving email over IPv6. It includes requiring the sending IPv6 address to have a PTR record, and the sender must pass SPF or DKIM authentication. In addition, Office 365 does some basic capacity planning in its IPv6 implementation.

1 of 19
A plan for email over IPv6 November 2014 Terry Zink Program Manager Microsoft
IPv6 is coming People in the computer networking world
Everyone who works in email IPv6 is coming
Why? Because of scale! Feeding your family is one thing´ ´ but feeding the world is another!
Why? Because of scale! Email spam is a big problem today because there are so many available IP addresses and spammers can rotate through them. But the full set is limited, only 4 billion possible IPs. With a near infinite number of IPs, how can modern filters keep up?
What we mean by email over IPv6 Already supported in Office 365
Modern spam filters
Modern spam filters Advantages of IP reputation lists 1. Resource optimization 2. Storage 3. Spam effectiveness 4. Reduced risk
Future spam filters?
Future spam filters? No! It doesn¨t matter how many IPs you add, you¨re always behind. In IPv6, IP blocklists become too large. Spammers could get an IP, send spam and then discard quickly. How do we know they will do this? Because they are doing this!
Solution: Authentication! Email over IPv6 Yes Have DKIM header? Pass DKIM? Pass SPF? Reject message No No Yes No Reject message Accept message for further processing Yes No Does connecting IP have PTR record? Yes
Solution: Authentication! Email over IPv6 1.Sending IPv6 address must have PTR, and must pass SPF or DKIM 2.Allows communication for those who Yes need it, senders can always fallback to IPv4 (if they no how) Have DKIM header? Pass DKIM? Pass SPF? Reject message No No Yes No Reject message Accept message for further processing Yes No Does connecting IP have PTR record? Yes 3.Potentially less widespread abuse over IPv6 4.Domain reputation and authentication is already done today in IPv4, just not required
Why do it this way? 1. IP reputation will not scale, but domain reputation will 2. Passing SPF or DKIM makes it possible to perform domain reputation 3. Requiring a PTR means that the device intentionally sends email rather than being compromised by malware and sending it as a byproduct of having internet-connectivity; Most internet-connected devices in IPv6 won¨t even have PTR records (and therefore cannot send spam)
Standards http://xkcd.com/927/
Capacity Internet EOP/ExO IPv6 IPv4 Keep track of this ratio, push back if max IPv6 connections exceeds threshold
Throttling Front End Need to handle the case that a random machine starts sending too much email that isn¨t necessarily spam. Roll-up data into a minimum 64 IPv6 range.
Rollout Plan 1. At first, we will manually enable customers (October 2014) 2. Then, we will widen it to more customers who manually enable it 3.Finally, it will be available by default
IPv4 vs IPv6 Authentication nice Very forgiving IP reputation Well understood Authentication required More rigid Domain reputation Impact unclear
Conclusions ? IPv6 is coming ? Eventually we will all send email over IPv6 ? We need to do something different than what we do in IPv4 in order to control spam

More Related Content

A plan for email over IPv6

  • 1. A plan for email over IPv6 November 2014 Terry Zink Program Manager Microsoft
  • 2. IPv6 is coming People in the computer networking world
  • 3. Everyone who works in email IPv6 is coming
  • 4. Why? Because of scale! Feeding your family is one thing´ ´ but feeding the world is another!
  • 5. Why? Because of scale! Email spam is a big problem today because there are so many available IP addresses and spammers can rotate through them. But the full set is limited, only 4 billion possible IPs. With a near infinite number of IPs, how can modern filters keep up?
  • 6. What we mean by email over IPv6 Already supported in Office 365
  • 8. Modern spam filters Advantages of IP reputation lists 1. Resource optimization 2. Storage 3. Spam effectiveness 4. Reduced risk
  • 10. Future spam filters? No! It doesn¨t matter how many IPs you add, you¨re always behind. In IPv6, IP blocklists become too large. Spammers could get an IP, send spam and then discard quickly. How do we know they will do this? Because they are doing this!
  • 11. Solution: Authentication! Email over IPv6 Yes Have DKIM header? Pass DKIM? Pass SPF? Reject message No No Yes No Reject message Accept message for further processing Yes No Does connecting IP have PTR record? Yes
  • 12. Solution: Authentication! Email over IPv6 1.Sending IPv6 address must have PTR, and must pass SPF or DKIM 2.Allows communication for those who Yes need it, senders can always fallback to IPv4 (if they no how) Have DKIM header? Pass DKIM? Pass SPF? Reject message No No Yes No Reject message Accept message for further processing Yes No Does connecting IP have PTR record? Yes 3.Potentially less widespread abuse over IPv6 4.Domain reputation and authentication is already done today in IPv4, just not required
  • 13. Why do it this way? 1. IP reputation will not scale, but domain reputation will 2. Passing SPF or DKIM makes it possible to perform domain reputation 3. Requiring a PTR means that the device intentionally sends email rather than being compromised by malware and sending it as a byproduct of having internet-connectivity; Most internet-connected devices in IPv6 won¨t even have PTR records (and therefore cannot send spam)
  • 15. Capacity Internet EOP/ExO IPv6 IPv4 Keep track of this ratio, push back if max IPv6 connections exceeds threshold
  • 16. Throttling Front End Need to handle the case that a random machine starts sending too much email that isn¨t necessarily spam. Roll-up data into a minimum 64 IPv6 range.
  • 17. Rollout Plan 1. At first, we will manually enable customers (October 2014) 2. Then, we will widen it to more customers who manually enable it 3.Finally, it will be available by default
  • 18. IPv4 vs IPv6 Authentication nice Very forgiving IP reputation Well understood Authentication required More rigid Domain reputation Impact unclear
  • 19. Conclusions ? IPv6 is coming ? Eventually we will all send email over IPv6 ? We need to do something different than what we do in IPv4 in order to control spam

Editor's Notes

  1. A storm is coming. Email spam is a big problem today because there are so many available IP addresses and spammers can rotate through them. But the full set is limited, only 4 billion possible IPs. With a near infinite number of IPs, how could modern filters keep up?
  2. Yay! IPv6 is great! It will solve all of our problem.s
  3. Resource optimization Storage Spam effectiveness Reduced risk
  4. Doesn¨t matter how many IPs you add, you¨re always behind In IPv6, lists get too large with an IP blocklist Spammers could get an IP, spam and then discard quickly. How do we know they will do this? Because they are doing this!
  5. Doesn¨t matter how many IPs you add, you¨re always behind In IPv6, lists get too large with an IP blocklist Spammers could get an IP, spam and then discard quickly. How do we know they will do this? Because they are doing this!
  6. Allows communication for those who need it (can always fallback to IPv4) No widespread abuse over IPv6 Already do this today in IPv4 (plan to support DKIM)
  7. Allows communication for those who need it (can always fallback to IPv4) No widespread abuse over IPv6 Already do this today in IPv4 (plan to support DKIM)
  8. http://xkcd.com/927/
  9. We will restrict senders from sending too much per \64
  10. At first, we will manually enable customers. Then, we will widen it to more customers who manually enable it. Finally, it will be available by default.