Cisco Subnet An independent Cisco community View more

Should You Allow Inbound E-mail Over IPv6?

Why you may not want to allow inbound e-mails over IPv6 transport?

Federal organizations are aiming for September 2012 mandate to IPv6-enable their Internet perimeter applications. This not only includes IPv6-enabling web servers, but also IPv6-enabling e-mail servers. Therefore e-mail servers would be allowing inbound SMTP (TCP port 25) connections over IPv4 and IPv6. However, most e-mail content filtering companies only have defensive capabilities for IPv4. Do organizations really want to allow IPv6 e-mail if it is less secure than IPv4? How Block Lists Work DNS-based BlackLists (DNSBLs), historically called Realtime Blackhole List (RBLs), are lists of public IP addresses that are performing malicious activities like spamming. These lists are distributed via DNS (RBLs were distributed with BGP). These lists can be used by Message Transfer Agents (MTAs) to block e-mail from the sender's IP addresses that appear on the list. This helps cut down on the amount of spam that an organization receives. Over time there have been other adaptations of "Reputation Lists" of IP addresses that are used for hosting malware or are part of a botnet command and control infrastructure. These lists are used by various security appliances to help block malicious e-mail and web content. Even though reputation filters are responsible for 80% or more of the blocked spam, these DNSBLs are not a fool-proof solution. For example, spammers change their source IP addresses rapidly to avoid getting on the list. There could be individual broadband Internet subscriber computers behind a Carrier Grade NAT (CGN)/Large Scale NAT (LSN) system infected with malware that are sourcing malicious e-mail messages. That infected subscriber's public address comes from the LSN public IP pool. We have also known for many years that reputation filters are not a long-term solution as more service providers deploy Large Scale NAT (LSN) systems. Problem Statement If you do not have an IPv6-capable DNSBLs or an IPv6-capable SPAM filter then you may not want to allow inbound Simple Mail Transfer Protocol (SMTP) over IPv6. You may not want to operate an IPv6-enabled network in a less secure manner than you do today with IPv4. We should strive to establish the same security protections for IPv6 as we use today for IPv4. Furthermore, we should be keenly aware of where we lack IPv6 feature parity and avoid enabling IPv6 when it creates a security exposure. There is concern now that enabling inbound e-mail over IPv6 will give the spammers an advantage if the spam filters are not IPv6-capable. Although some organizations with IPv6-enabled e-mail servers have not witnessed large amounts of spam using IPv6, it does not mean that there isn't any spam over IPv6. There is in fact spam over IPv6, the question that we cannot answer accurately today is how much there is. The fear is that the spammers can change their tactics very rapidly and start using IPv6, which may not have all the defensive capabilities of our IPv4 e-mail servers. RIPE published a report almost 2 years ago in an attempt to quantify the amount of "Spam over IPv6". This report showed that the amount of spam sent over IPv6 was proportionally less than the spam sent over IPv4. However, it did confirm that there is spam sent over IPv6 transport. Many Internet Service Providers (ISPs) are wary of IPv6-enabling their e-mail servers and enabling inbound IPv6 e-mail without any protections. This IETF draft discusses this problem and prescribes a phased approach for service providers. We are aware of one DNSBL that uses IPv6 (Virbl-project). Last year, the reputation filter service Spamhaus released their "IPv6 Blocklists Strategy Statement" but does not yet have any IPv6 capabilities in production. Other reputation services like Phishtank and Google Safe Browsing API do not have any IPv6 capabilities. Cisco Security Intelligence Operations (SIO) which is used by their IronPort appliances and Global Correlation for their IPSs is not IPv6-capable. IPv6-Capable E-Mail Security Products We are curious about what e-mail security products support IPv6. We can take a look at the Gartner MQ for e-mail security and see who the major players are in this market. The Gartner Magic Quadrant for Secure E-Mail Gateways (SEGs) (August 10, 2011) does mention that IPv6 is a feature that enterprises need. However, it does not discuss which vendor's solutions are IPv6-capable.

Cisco IronPort does now support IPv6 in their AsyncOS 7.6 which was just released. However, the Cisco ScanSafe system is not IPv6 capable.

Proofpoint issued a press release indicating that they have IPv6 support.

Barracuda's e-mail appliances, Microsoft Forefront Protection 2010 for Exchange Server (FPE), and Sophos do not seem to have any IPv6 capabilities.

1 2 Page
Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies