Cloudmark tackles IPv6

Messaging vendor leads in addressing security, anti-spamming problems caused by next-gen Internet protocol

Cloudmark is among the first messaging vendors to tackle the vexing issues related to integrating large-scale e-mail services with the next-generation Internet Protocol called IPv6

Cloudmark offers several IPv6-related features in its e-mail security suite for carriers, government agencies and large multinationals. The suite includes: Cloudmark Gateway, a mail transfer agent; Cloudmark Authority, a message filtering system; and Cloudmark Sender Intelligence, an anti-spam system that uses real-time data from the Cloudmark Global Threat Network to create profiles of good, bad and suspect senders.

The Cloudmark Gateway allows network operators in native IPv6 or dual-stack IPv4 and IPv6 environments to transit messages through the messaging server and out to the Internet, which overwhelmingly runs IPv4, the original version of the Internet Protocol.

Cloudmark also is developing new techniques that will allow carriers to track e-mail sender reputation in IPv6. These include the ability to track messages by IPv6 network address prefix, instead of individual IP address, which will make it easier to identify spammers in IPv6 environments.

Among Cloudmark's customers is Comcast, which has thousands of IPv6 customers across the United States.

"We have a number of carrier customers in Japan, North America and Europe that are in the process of deploying IPv6," says Kevin San Diego, vice president of product management at Cloudmark. "These folks are starting to look at new customers as IPv6 connected and bringing them through translation and transition technologies to get out to the general Internet. They are interested in being able to accept IPv6 email traffic from network customers over IPv6 and IPv4 today, which allows them continued growth."

MORE: Cloudmark's recommendations for SMTP deployments in IPv6 networks 

Carriers like Comcast are migrating to IPv6 because the Internet is running out of addresses using IPv4. The free pool of unassigned IPv4 addresses expired in February, and in April the Asia Pacific region ran out of all but a few IPv4 addresses being held in reserve for startups. The American Registry for Internet Numbers (ARIN), which doles out IP addresses to network operators in North America, is projtected to deplete its supply of IPv4 addresses within the next 18 months.

IPv4 uses 32-bit addresses and can support 4.3 billion devices connected directly to the Internet, but IPv6 uses 128-bit addresses and can connect up a virtually unlimited number of devices: 2 to the 128th power. IPv6 offers the promise of faster, less-costly Internet services than the alternative, which is to extend the life of IPv4 using network address translation (NAT) devices

IPv6 introduces several difficult issues related to managing email on large networks. For example, IPv4 has 4.3 billion IP addresses that can be tracked by tools such as Cloudmark Sender Intelligence to isolate spammers. Because the supply of IPv4 is scarce, each residential customer gets one IPv4 address. This means companies like Cloudmark can identify spammers by the IPv4 address they use.

With IPv6, however, residential customers will be given what's called a /64, which equals an enormous number of IPv6 addresses:18,446,744,073,709,551,616. Spammers will be able to switch from one IPv6 address to another in their residential block of IPv6 addresses, making it harder for carriers to isolate them. With a /64, a spammer can send one message per second for the entire year without using the same IPv6 address.

"With IPv6, you can no longer track negative reputation by IP address," San Diego says. "You lose the ability to block and throttle based on previous seen activity. Spammers will be able to continually change their sending IP address and easily shed any negative reputation."

Cloudmark is working with standards bodies to develop a common way to track spammers through IPv6 network prefixes. The company is also looking at positive reputation services using authentication techniques such as DomainKeys Identified Mail (DKIM).

Insider Shootout: Best security tools for small business
Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies