A handful of articles in the British tech press earlier this week attracted a lot of attention in the email anti-abuse community because of issues raised about IPv6 potentially obsoleting certain spam-blocking techniques (see: http://www.theregister.co.uk/2011/03/08/ipv6_spam_filtering_headache/). While caution is warranted in the transition to IPv6, there’s no reason to panic.
IP reputation is a cornerstone of abuse prevention for virtually every service on the Internet today, combining a high degree of accuracy with a very inexpensive evaluation algorithm. The statement has been made by some that reputation based on IPv6 addresses will be ‘impossible’ because of the sheer volume of available address space. A common statistic quoted is that a spammer with even a /64 could use a different IP address for every single email message he sends, thus making it impossible to track reputation.
While statements asserting the vastness of the IPv6 address space are completely true, the conclusion that this means IPv6 reputation is impossible completely misses the point. IPv4 reputation tracking techniques would certainly fail to translate directly into IPv6, but why is that the only option? That’s like replacing a wood house with a steel-frame house, but building it using exactly the same architectural plans. A different underlying technology gives the opportunity to innovate and establish an environment where carriers can get the IP-based reputation information they need. And to be clear, IP-based reputation is absolutely essential. Techniques such as whitelists may work for inter-carrier messaging, but Customer Premise Equipment (CPE) facing services will absolutely require IP-based reputation to protect them from abuse. Such protection is essential in today’s IPv4 world, and it will be just as important in tomorrow’s IPv6 world.
To suggest there are no solutions to this problem is nonsense and denies the real necessity of moving to IPv6. Of course there are solutions to this problem! IPv6 has not changed the fundamental nature of business relationships between carriers and their subscribers. Said another way, a subscriber who today gets an IPv4 /32 or /28 (and only one) will just be a subscriber tomorrow who gets a /64, /56, /48 or whatever. To understand why this is important, one needs to look at what IPv4 reputation systems aim to achieve.
The end goal has never been to assign a reputation to an IP address itself (because a number in itself can be neither a good nor a bad actor), but instead to create a stable system for inferring the reputation of the user of that address (which is the human or organization behind it, not the device itself). Privacy concerns and effective lookup mechanisms typically block the ability to assign a reputation to an actual individual, but the IP address serves as a reasonable proxy for that individual. Even though with the introduction of IPv6 a subscriber may have a significantly larger number of available addresses and use many of those with various devices (computers, toasters, etc.), the adoption of IPv6 will not result in a significant increase in the number of actual subscribers on the network. IPv6 obviously breaks the model of one subscriber equaling one IP address, but ultimately the situation is moderated by two important facts: one subscriber will have one IPv6 prefix, and the number of subscribers is growing at a much more manageable rate.
There is nothing that prevents reputation from being collected based on that assignment prefix, and aggregated appropriately. This can be done on a batch basis, or on a real-time basis given a suitable platform. The only missing piece of information is what that assignment prefix length is. An infrastructure already exists to distribute such information; specifically the reverse DNS infrastructure provides a distributed and delegated basis for carriers to publish their assignment policy for any block of address space. Finally, an incentive is necessary for carriers to publish their policy. That will come in the form of the default aggregation policy for reputation being a /48, in the absence of published information from a carrier. If a carrier does not want longer allocations to be aggregated together into a common /48, they must publish their assignment policy.
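The aggregation rule described above, as an added illustration and not code from the original post or any carrier: reputation is keyed on the subscriber's assignment prefix, looked up from a carrier-published policy table (a constructed stand-in for the reverse DNS publication the post proposes) and falling back to a /48 when nothing is published. The sample addresses are constructed from the 2001:db8::/32 documentation range.

```python
"""Prefix-aggregated IPv6 reputation: an added illustration of the
straw-man proposal above (not the author's or any carrier's code)."""
import ipaddress
from collections import defaultdict

# Default aggregation when a carrier has published nothing: a /48.
DEFAULT_AGGREGATION_PREFIX = 48

# Constructed stand-in for carrier-published assignment policy.  The post
# proposes publishing this via reverse DNS; here it is a static table of
# covering block -> per-subscriber assignment prefix length.
PUBLISHED_POLICY = {
    ipaddress.ip_network("2001:db8:a000::/36"): 56,  # carrier assigns /56s
    ipaddress.ip_network("2001:db8:b000::/36"): 64,  # carrier assigns /64s
}

def assignment_prefix_len(addr):
    """Longest-matching published block wins; otherwise the default /48."""
    best = None
    for block, plen in PUBLISHED_POLICY.items():
        if addr in block and (best is None or block.prefixlen > best[0].prefixlen):
            best = (block, plen)
    return best[1] if best else DEFAULT_AGGREGATION_PREFIX

def aggregation_key(ip):
    """Map a sending address to the prefix its reputation is tracked under."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_network((addr, assignment_prefix_len(addr)), strict=False)

class PrefixReputation:
    """Spam/ham verdict counts per aggregated prefix."""
    def __init__(self):
        self.counts = defaultdict(lambda: {"spam": 0, "ham": 0})

    def record(self, ip, is_spam):
        key = aggregation_key(ip)
        self.counts[key]["spam" if is_spam else "ham"] += 1
        return key

    def spam_ratio(self, ip):
        c = self.counts.get(aggregation_key(ip))
        return None if c is None else c["spam"] / (c["spam"] + c["ham"])

def demo():
    """Constructed sample: a spammer rotating through 1000 distinct /64s in an
    unpublished block collapses to one /48; a clean /56 subscriber stays separate."""
    rep = PrefixReputation()
    for i in range(1000):
        rep.record(f"2001:db8:c000:{i:x}::1", is_spam=True)
    rep.record("2001:db8:a000:1200::1", is_spam=False)
    return rep, aggregation_key("2001:db8:c000:5::1")
```

The per-message address rotation the critics describe leaves a single /48 entry with 1000 spam verdicts, while the honest subscriber in a carrier that publishes /56 assignments is tracked under its own /56.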
The above is just a straw man proposal, and many details remain to be discussed and agreed upon. However, we are working with a variety of stakeholders in the coming months to formalize this into something concrete. At the end of the day, what ends up being agreed to for IPv6 reputation may look very different, but there’s no disagreement that IPv6 reputation is absolutely essential.
Now is not the time to live in fear of what IPv6 will mean. One of the major challenges with abuse in the IPv4 environment is a vast number of legacy systems that prevent the retrofitting of more effective policy restrictions. IPv6 is an opportunity to break those bonds, and for the industry to display true vision towards how to manage abusive traffic on the Internet moving forward. We must acknowledge what challenges will face us, what protections we need, and move forward to find solutions that will meet the needs of the providers that keep the network running. Saying it can’t be done is not an answer that any of us can live with.