IPv6 and Email: What’s the Hurry?
By now, everyone’s heard that the Internet’s running out of unused IPv4 address space; current estimates put the time for exhaustion of available IPv4 space at sometime in the summer of 2011. This has lots of people worrying, or planning, or panicking, or some combination of the three about the transition to IPv6. With IPv6, we won’t have to worry about the problem of limited space anymore, because we’ll move from having about 4.3 billion (2^32) IP addresses available to more than 340 undecillion (2^128) of them. The actual number of possible addresses with IPv6 looks like this: 340,282,366,920,938,463,463,374,607,431,768,211,456.
We’ve had conversations with lots of people in the industry about this topic, and the consensus is that everyone must have a strategy for migrating email to IPv6. While no-one rationally believes that one day we’re just going to flip the switch and IPv4 will be no more, IPv6 will be a reality for networking soon (and already is in some places), and it’ll be the only game in town some day.
As for migration strategies for email, I’m going to throw one out here that may run contrary to popular thinking: perhaps there’s no need for you to migrate your public facing email streams to IPv6 in the next few years. Instead, I propose that you slow down, focus on some other things first, and then worry about migrating.
Think about how you manage email today, particularly your inbound email flow. Your focus is keeping spam away from your customers, and you’ve seen the studies that say that spam accounts for 90% or more of all email traffic. Your response to this is blocking, and filtering, and other tools and techniques.
Now, ask yourself two questions:
1. Of the three billion plus routable IP addresses in use today, how many of them are sending mail that your customers want? Fifty thousand? One hundred thousand? Let’s be generous and say one million; that’s still less than four one hundredths of one percent of all IPv4 addresses.
2. Given that, how many of the trillions of trillions of trillions of IPv6 addresses are you going to want to accept mail from, how will you identify them, and how do you plan to refuse the rest?
Perhaps instead of rushing to accept inbound mail over IPv6, you consider the following strategy instead (and I’m speaking here to ISPs and other connectivity providers):
- First, you are going to have to accept mail submitted over IPv6 by your own customers, so you’ll want an IPv6 interface for your submission ports (587, 465, etc.); you can even go so far as to have that same interface listening on port 25, but only for connections from your own customers’ address ranges, not from the Internet at large.
- Next, migrate all your dynamic IP customers to IPv6; servers shouldn’t exist in dynamic space, and so the fact that almost no-one’s listening for inbound connections on an IPv6 interface shouldn’t impact your customers. Moreover, this ought to free up quite a bit of IPv4 space, which should be returned to your responsible registry, which can then reallocate it if it sees fit to do so. This strategy does not require that the space be returned, though: connectivity providers with a mix of static and dynamic customers may find enough swing space freed up in their own IPv4 allocations to handle the needs of their static customers during the transition phase.
- While you’re doing the migration, get serious about DKIM and other domain-based strategies for reliably identifying the entity responsible for trying to send mail to your customers; the current IP-based reputation systems and/or block lists haven’t scaled up to the size of IPv6 yet, and some may never get there. A single IPv6 customer is commonly assigned a /64, which by itself holds more addresses (2^64) than the entire IPv4 Internet, so listing or scoring individual addresses stops being meaningful. Spend as much time as you need building/researching/buying a reputation system based on anything other than IP addresses, and start encouraging senders to authenticate their outbound mail streams using DKIM or whatever standards-based authentication technique you’re supporting.
- While you’re at it, start using the same authentication techniques on your outbound mail streams, too — that’ll help everyone else make the same transition.
My thinking here is that if ISPs can get their dynamic customers migrated to IPv6 early in the process, the IPv4 space that gets freed up could allow senders more time to react to the new paradigm. Instead of dedicating IPs to a given customer’s mail streams (i.e., one or more IPs per mail stream for each customer) as required by IP-based reputation systems, we will move to a new model where domain-based authentication and reputation can be accomplished with many fewer IPs. Whether or not senders will actually need to keep acquiring space to use until we’ve moved to a domain-based model is an open question, but thinking back to our hypothesis on the number of IPs that actually send wanted mail, where I land on that question right now is “perhaps not”. At any rate, once domain-based systems are in place and in widespread usage, then the migration to IPv6 for mail can take place, and the IP address(es) involved in getting that message to your doorstep won’t matter.
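The admission policy the strategy above describes (submission over IPv6 for your own users, port 25 over IPv6 only for your own customers until a domain-based reputation system is trusted, legacy IP-based filtering kept for IPv4, and domain reputation replacing it once it is ready) can be written down as a single decision function. The following is an added example written for this page, not code from the original post or from any ISP; the customer prefixes, the IPv4 block list and the domain reputation table are constructed sample data using documentation address ranges, and the OK/REJECT/DEFER result strings merely mimic the actions a Postfix-style SMTP access policy daemon would return.

```python
"""Inbound-mail admission policy for an IPv4-to-IPv6 transition (example only)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (hypothetical ranges from documentation prefixes).
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("2001:db8:c0ff::/48"),  # our IPv6 customers
    ipaddress.ip_network("198.51.100.0/24"),     # our remaining IPv4 static customers
]
IPV4_BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]  # legacy IP-based list
# Domain reputation, 0.0 (bad) .. 1.0 (good); constructed sample scores.
DOMAIN_REPUTATION = {"example.com": 0.9, "spammy.example": 0.1}
GOOD_ENOUGH = 0.5


@dataclass
class Connection:
    client_ip: str
    server_port: int                   # 25 = MX traffic, 587/465 = submission
    authenticated: bool                # SMTP AUTH succeeded (submission only)
    dkim_domain: Optional[str] = None  # d= of a DKIM signature that verified


def is_customer(ip: ipaddress._BaseAddress) -> bool:
    """True if the client address lies in one of our own customer prefixes.
    A v4 address is never 'in' a v6 network and vice versa, so mixing is safe."""
    return any(ip in net for net in CUSTOMER_PREFIXES)


def domain_decision(domain: Optional[str]) -> str:
    """Reputation decision that ignores the IP entirely and keys on the
    authenticated domain, as the post proposes for the post-transition world."""
    if domain is None:
        return "REJECT unauthenticated sender"
    score = DOMAIN_REPUTATION.get(domain)
    if score is None:
        return "DEFER unknown domain"  # tempfail: no history yet, let it retry
    return "OK" if score >= GOOD_ENOUGH else "REJECT poor domain reputation"


def decide(conn: Connection, domain_reputation_ready: bool = False) -> str:
    """Admission decision for one SMTP connection.

    domain_reputation_ready is the switch the post describes: until it is set,
    the Internet at large is not accepted over IPv6 at all.
    """
    ip = ipaddress.ip_address(conn.client_ip)

    if conn.server_port in (587, 465):
        # Submission: identical rule on both families, only our authenticated users.
        return "OK" if conn.authenticated else "REJECT authentication required"
    if conn.server_port != 25:
        return "REJECT unexpected port"

    if is_customer(ip):
        return "OK"  # our own customers may hand us mail on 25 over either family

    if ip.version == 6:
        if not domain_reputation_ready:
            # No usable IP-based reputation for IPv6, so do not take public mail on it.
            return "REJECT no public IPv6 MX yet"
        return domain_decision(conn.dkim_domain)

    # IPv4 from the Internet: the legacy IP-based filtering still applies here.
    if any(ip in net for net in IPV4_BLOCKLIST):
        return "REJECT listed"
    if domain_reputation_ready and conn.dkim_domain:
        return domain_decision(conn.dkim_domain)
    return "OK"


if __name__ == "__main__":
    samples = [
        Connection("2001:db8:c0ff::1", 587, True),
        Connection("2001:db8:c0ff::1", 25, False),
        Connection("2001:db8:dead::1", 25, False),
        Connection("2001:db8:dead::1", 25, False, "example.com"),
        Connection("203.0.113.5", 25, False),
        Connection("192.0.2.7", 25, False),
    ]
    for ready in (False, True):
        print(f"domain_reputation_ready={ready}")
        for c in samples:
            print(f"  {c.client_ip:>18} :{c.server_port} -> {decide(c, ready)}")
```

Note where the IP disappears from the decision: once `domain_reputation_ready` is set, an IPv6 sender is judged purely on the verified DKIM `d=` domain, and the same `domain_decision` is reused for IPv4 senders that sign, so the only remaining IP-keyed logic is the legacy IPv4 block list. Unsigned mail from an unknown IPv6 source is rejected rather than scored, which is exactly the point of insisting that senders authenticate before the public IPv6 MX is opened.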
So, to sum up, I’m proposing that you not be in any hurry to start accepting mail on an IPv6 interface from the internet at large until you are ready to base all decisions on a domain-based reputation system. I don’t expect that this idea will go unchallenged; rather, I fully expect to hear all manner of counter arguments to this. However, in my opinion, the IPv6 migration is going to present us with all kinds of interesting challenges, and there is no need to add IP-based filtering of email to that pile of challenges.