a plan for email over ipv6

Terry Zink Program Manager Microsoft A plan for email over IPv6 November 2014


Post on 16-Jul-2015


Page 1: A plan for email over IPv6

Terry Zink

Program Manager

Microsoft

A plan for email over IPv6

November 2014

Page 2: A plan for email over IPv6

People in the computer networking world

IPv6 is coming

Page 3: A plan for email over IPv6

Everyone who works in email

IPv6 is coming

Page 4: A plan for email over IPv6

Why? Because of scale!

Feeding your family is one thing… but feeding the world is another!

Page 5: A plan for email over IPv6

Why? Because of scale!

Email spam is a big problem today because there are so many available IP addresses and spammers can rotate through them.

But the full set is limited, only 4 billion possible IPs. With a near infinite number of IPs, how can modern filters keep up?

Page 6: A plan for email over IPv6

What we mean by email over IPv6

Already supported in Office 365

Page 7: A plan for email over IPv6

Modern spam filters

Page 8: A plan for email over IPv6

Modern spam filters

Advantages of IP reputation lists

1. Resource optimization

2. Storage

3. Spam effectiveness

4. Reduced risk

Page 9: A plan for email over IPv6

Future spam filters?

Page 10: A plan for email over IPv6

Future spam filters? No!

It doesn’t matter how many IPs you add, you’re always behind.

In IPv6, IP blocklists become too large. Spammers could get an IP, send spam and then discard quickly.

How do we know they will do this? Because they are doing this!

Page 11: A plan for email over IPv6

Solution: Authentication!

[Flowchart: Email over IPv6. Decision boxes: "Does connecting IP have PTR record?", "Have DKIM header?", "Pass DKIM?", "Pass SPF?". Outcomes: "Reject message" (two exits) and "Accept message for further processing".]

Page 12: A plan for email over IPv6

Solution: Authentication!

[Flowchart repeated from page 11]

1. Sending IPv6 address must have PTR, and must pass SPF or DKIM

2. Allows communication for those who need it, senders can always fall back to IPv4 (if they know how)

3. Potentially less widespread abuse over IPv6

4. Domain reputation and authentication is already done today in IPv4, just not required

Page 13: A plan for email over IPv6

Why do it this way?

1. IP reputation will not scale, but domain reputation will

2. Passing SPF or DKIM makes it possible to perform domain reputation

3. Requiring a PTR means that the device intentionally sends email rather than being compromised by malware and sending it as a byproduct of having internet connectivity. Most internet-connected devices in IPv6 won’t even have PTR records (and therefore cannot send spam)

Page 14: A plan for email over IPv6

Standards

http://xkcd.com/927/

Page 15: A plan for email over IPv6

Capacity

[Diagram labels: Internet, EOP/ExO, IPv6, IPv4]

Keep track of this ratio, push back if max IPv6 connections exceed threshold

Page 16: A plan for email over IPv6

Throttling

Front End

Need to handle the case that a random machine starts sending too much email that isn’t necessarily spam.

Roll up data into a minimum /64 IPv6 range.
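
The acceptance rule from pages 12 and 13 and the /64 roll-up from this slide can be combined into one inbound gate. The following is an added example, not code from the presentation or from Office 365; the function names, the "defer" verdict, the limit and the window are assumptions, and the PTR, DKIM and SPF results are taken as already-computed inputs.

```python
import ipaddress
from collections import defaultdict, deque

def ipv6_policy(has_ptr, dkim_pass, spf_pass):
    """Slide rule: the sending IP must have a PTR and pass SPF or DKIM."""
    if not has_ptr:
        return "reject: no PTR"
    if dkim_pass or spf_pass:
        return "accept"
    return "reject: no SPF or DKIM pass"

def rollup_key(addr, prefix_len=64):
    """Collapse an IPv6 address to its enclosing /64 so rotating the low
    64 bits does not produce a fresh counter."""
    ip = ipaddress.IPv6Address(addr)
    return str(ipaddress.IPv6Network(f"{ip}/{prefix_len}", strict=False))

class PrefixThrottle:
    """Sliding-window message counter keyed by /64 (limits are assumed)."""
    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self.hits = defaultdict(deque)
    def allow(self, addr, now):
        q = self.hits[rollup_key(addr)]
        while q and now - q[0] >= self.window_s:
            q.popleft()          # drop hits that aged out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def gate(throttle, conn, now):
    """Apply the authentication rule first, then the per-/64 throttle."""
    verdict = ipv6_policy(conn["ptr"], conn["dkim"], conn["spf"])
    if verdict != "accept":
        return verdict
    return "accept" if throttle.allow(conn["ip"], now) else "defer: /64 over limit"

# Constructed sample connections (2001:db8::/32 is the documentation prefix).
SAMPLE = [
    {"ip": "2001:db8:0:1::10", "ptr": True, "dkim": True, "spf": False},
    {"ip": "2001:db8:0:1::11", "ptr": True, "dkim": False, "spf": True},
    {"ip": "2001:db8:0:1:ffff::1", "ptr": True, "dkim": True, "spf": True},
    {"ip": "2001:db8:0:2::10", "ptr": True, "dkim": False, "spf": False},
    {"ip": "2001:db8:0:3::10", "ptr": False, "dkim": True, "spf": True},
]

def run_sample(limit=2, window_s=60):
    throttle = PrefixThrottle(limit, window_s)
    return [gate(throttle, c, now=i) for i, c in enumerate(SAMPLE)]
```

The third sample address differs from the first two only in its low 64 bits, so it lands on the same counter and is deferred even though it authenticates.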

Page 17: A plan for email over IPv6

Rollout Plan

1. At first, we will manually enable customers (October 2014)

2. Then, we will widen it to more customers who manually enable it

3. Finally, it will be available by default

Page 18: A plan for email over IPv6

IPv4 vs IPv6

IPv4: IP reputation; Well understood; Very forgiving; Authentication nice

IPv6: Authentication required; Domain reputation; More rigid; Impact unclear

Page 19: A plan for email over IPv6

Conclusions

IPv6 is coming

Eventually we will all send email over IPv6

We need to do something different than what we do in IPv4 in order to control spam