Posted to users@spamassassin.apache.org by "David F. Skoll" <df...@roaringpenguin.com> on 2010/12/01 18:05:25 UTC

IPv6 and anonymity (was Re: Do we need a new SMTP protocol? (OT))

On Wed, 01 Dec 2010 16:55:17 +0000
Martin Gregorie <ma...@gregorie.org> wrote:

> Besides, I seem to remember hearing that IPV6 is never anonymous

Where did you hear that?  I can't imagine that
IPv6 is any less (or any more) anonymous than IPv4.

> OT comment 1: if IPV6 is indeed never anonymous, where does *that*
> leave spammers and botnets.

Spammers and botnets *do not care* about anonymity.  Why should they
when they can easily steal someone's identity by subverting his or her
computer?  That is why pretending that strong authentication will affect
spam is fantasyland.

[Well, the botnet operators care about personal anonymity, I guess, so
they cover their tracks.  But they don't care about anonymity as far as
interacting with SMTP servers goes.]

Regards,

David.

Re: IPv6 and anonymity (was Re: Do we need a new SMTP protocol? (OT))

Posted by Ken A <ka...@pacific.net>.

On 12/1/2010 11:47 AM, Rob McEwen wrote:
> On 12/1/2010 12:05 PM, David F. Skoll wrote:
>> Where did you hear that?  I can't imagine that
>> IPv6 is any less (or any more) anonymous than IPv4.
>
> One HUGE problem is that IPv6 will be a spammer's dream and a DNSBL's
> nightmare. Spammers (and blackhat ESPs) would potentially send out
> each spam from a different IP and then not use each IP again for YEARS!
>
> This will make DNSBLs much less effective.. and it will bloat their file
> sizes and memory/resource requirements exponentially. The DNSBLs will
> have no choice but to make their entire DNSBL the equivalent of a /24
> list today... except painting with a much broader stroke, and many will
> complain about unfair collateral damage. Even then, the bloat will STILL
> be out of control.
>
> SOLUTIONS?
>
> Personally, I prefer everyone everywhere agree that, unless the e-mail
> is password authenticated to one's own mail server, all mail be rejected
> unless the mail server had IPv4. But purists won't like that because
> their goal is to eventually *end* IPv4.
>
> So what else could be done?

v6 is now at the core and at the edge, and much of the server-to-server 
talking in the middle is going to remain v4 for a while. Significant 
numbers of SMTP servers will remain v4 only, and so v6-only servers will 
need to use a v4 gateway to be of any real use to their customers. I 
think we can safely firewall, or whitelist v6 on port 25 until we have a 
useful whitelist, and probably a large droplist. Greylisting and 
watching for IPv6 "hopping" would probably be useful too..

Ken


>
> If we must receive mail from IPv6 IPs, then I recommend doing the
> equivalent of the following (put in IPv4 terms for simplicity):
>
> (A) All other non-authenticated mail rejected... unless the message came
> from a "XXX.XXX.XXX.0" IP (this is in IPv4 terms... translate this into
> some equivalent IPv6 standard... but cast a super wide net!) That will
> greatly reduce the number of possible valid mail-sending IPs. (again,
> auth mail to one's own server need not fulfill this standard)
>
> (b) industry wide, agree that mail is NOT accepted from IPv6 unless it
> does "Forward Confirmed reverse DNS" FCrDNS
>
> If one or both of those were agreed upon up front--this would go a long
> way towards preventing the coming nightmare. (and forgive me if RFCs
> have already established those as absolute standards for IPv6... I
> haven't kept up with all the RFCs for IPv6!)
>

-- 
Ken Anderson
Pacific Internet - http://www.pacific.net

Re: IPv6 and anonymity (was Re: Do we need a new SMTP protocol? (OT))

Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Wed, 01 Dec 2010 13:29:28 -0500
Rob McEwen <ro...@invaluement.com> wrote:

> When DNSBL resources are orders of magnitude higher... when the
> largest data files for DNSBLs go from 100MB to probably Terabytes...
> and then trying to transfer that via rsync... and getting all the
> mirrors to handle loading that much data into rbldnsd... THAT will be
> a nightmare. (will Terabytes of RAM be affordable anytime soon?)

I don't follow you.  DNSBLs will only list addresses (actually, /64s)
that have been seen to be abusive.  That number is limited not by the
number of possible IPv6 addresses, but by the number of actual /64
allocations.

[...]

> We have a chance to impose some strict standards for mail sending on
> IPv6 that will lessen these problems. Why wait until it's too late?

Because those strict standards all make sending mail less convenient
without affecting spam.

Regards,

David.

Re: IPv6 and anonymity (was Re: Do we need a new SMTP protocol? (OT))

Posted by Ted Mittelstaedt <te...@ipinc.net>.
On 12/1/2010 10:29 AM, Rob McEwen wrote:
> On 12/1/2010 12:55 PM, David F. Skoll wrote:
>> I don't see any nightmare.
>
> When DNSBL resources are orders of magnitude higher... when the largest
> data files for DNSBLs go from 100MB to probably Terabytes... and then
> trying to transfer that via rsync... and getting all the mirrors to
> handle loading that much data into rbldnsd... THAT will be a nightmare.
> (will Terabytes of RAM be affordable anytime soon?)
>
>> DNSBLs are a useful anti-spam tool that
>> will be made somewhat less effective with the advent of IPv6, but they're
>> by no means the only or most effective anti-spam tool we have.
>
> Not the only tool... but (particularly for IP DNSBLs worthy of blocking
> at the MTA...) they are the BEST tool from a price/performance
> perspective. In contrast, content scanning messages is comparatively
> resource expensive.
>

which we currently are doing.

If Wonkulating Gronkulator ISP Inc. has 2000 customers on their
mailserver in an IPv4 world, they will have 2000 customers on their
IPv6-enabled mailserver.  They will thus be doing the same amount of
work content scanning on the IPv6-enabled mailserver as they are now
doing on the IPv4-enabled mailserver.

Adding more IP addresses into the market isn't going to increase
the amount of spam being sent.

What really increases the amount of spam being sent (IMHO) is
increasing the number of HOSTS that can directly send out via
port 25.

Without question the real driver of IPv6 is stuff like cell phones,
blue ray players, and so on that need more IP addresses.  Do these
devices need unrestricted port 25 access?  Absolutely not.  So it
seems that the organizations constructing the IPv6 networks that these
devices need, have every incentive to be responsible and block such
access.

If, for example, you're an ISP managing a FiOS network who is looking into 
going to IPv6, you know you're going to either have to replace firmware in
your customers' CPEs or provide them with new CPEs.  And the new
CPE cannot depend on NAT; it will need to have a real firewall in it.
Why would you NOT set an outbound port 25 block as a DEFAULT?

Today, Comcast blocks SMB ports, I have run tests with techs here and
I can guarantee that it is impossible to map a drive over Comcast,
unless you either use nonstandard ports or put it in a VPN.  Yet
does the average customer notice?  NO.  So then why would it be so
difficult for them to block port 25?  it WOULDN'T.

We know that with the newer broadband networks - WiMAX, cable, FiOS
and FTTN, that in the US at any rate we are heading into a monopoly
age where the wire carrier will be the ISP.  Thus there will not be
many ISPs out there and those that will be out there will be
gigantic.  We know that for these megaliths to go to IPv6 they will
need to forklift upgrade their CPEs.  We also know these CPEs will
not be NAT devices and thus will need stateful firewalls to do IPv6.

So the opportunity is to have the ISPs today that will be doing this
set the defaults in these CPE devices to block things like outbound
SMTP.  If the customer is clueful they can login and turn off the
block, if they are clueless they should definitely not be turning
off any SMTP blocks.

Problem solved.

Ted

> I suppose a nation's military *could* fight a war without airplanes,
> without ships, and without missiles.. and just depend on the foot
> soldiers and tanks to do *all* the work. But is that wise? Does that
> happen without a steep price?
>
> We have a chance to impose some strict standards for mail sending on
> IPv6 that will lessen these problems. Why wait until it's too late?
>


Re: IPv6 and anonymity (was Re: Do we need a new SMTP protocol? (OT))

Posted by Rob McEwen <ro...@invaluement.com>.
On 12/1/2010 12:55 PM, David F. Skoll wrote:
> I don't see any nightmare.

When DNSBL resources are orders of magnitude higher... when the largest
data files for DNSBLs go from 100MB to probably Terabytes... and then
trying to transfer that via rsync... and getting all the mirrors to
handle loading that much data into rbldnsd... THAT will be a nightmare.
(will Terabytes of RAM be affordable anytime soon?)

> DNSBLs are a useful anti-spam tool that
> will be made somewhat less effective with the advent of IPv6, but they're
> by no means the only or most effective anti-spam tool we have.

Not the only tool... but (particularly for IP DNSBLs worthy of blocking
at the MTA...) they are the BEST tool from a price/performance
perspective. In contrast, content scanning messages is comparatively
resource expensive.

I suppose a nation's military *could* fight a war without airplanes,
without ships, and without missiles.. and just depend on the foot
soldiers and tanks to do *all* the work. But is that wise? Does that
happen without a steep price?

We have a chance to impose some strict standards for mail sending on
IPv6 that will lessen these problems. Why wait until it's too late?

-- 
Rob McEwen
http://dnsbl.invaluement.com/
rob@invaluement.com
+1 (478) 475-9032


Re: IPv6 and anonymity (was Re: Do we need a new SMTP protocol? (OT))

Posted by Jason Bertoch <ja...@i6ix.com>.
On 2010/12/01 12:55 PM, David F. Skoll wrote:
>
> Actually, since the smallest allocation unit is a /64, you could switch
> IP addresses once per nanosecond and not run out for almost 585 years.
> If you have a /48, you could last for about 38 million years.
>
> So at a minimum, an IPv6 DNSBL will have to list a /64, not individual
> IPv6 addresses.  That's fine.  Most botnet nodes are individual home PCs
> and they won't be able to pick an address outside their /64 allocation
> (assuming a competent ISP... a big assumption!)
>

For what it's worth, the recommended allocation to end users is a /56 to 
the home and a /48 to small businesses, though many are suggesting a /48 
to everyone to keep routing simpler.

> Also, DNSWLs will start becoming more important as we concentrate on
> listing known-good machines.
>

+1  blacklists simply won't be able to maintain unless they list the 
entire prefix, and even that won't last forever.

>
> Rob McEwen wrote:
>
>> If one or both of those were agreed upon up front--this would go a
>> long way towards preventing the coming nightmare.

E-mail is already being sent on IPv6.  Better hurry up on writing those 
RFCs!

-- 
/Jason


Re: IPv6 and anonymity (was Re: Do we need a new SMTP protocol? (OT))

Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Wed, 01 Dec 2010 12:47:16 -0500
Rob McEwen <ro...@invaluement.com> wrote:

> One HUGE problem is that IPv6 will be a spammer's dream and a DNSBL's
> nightmare. Spammers (and blackhat ESPs) would potentially send out
> each spam from a different IP and then not use each IP again for
> YEARS!

Actually, since the smallest allocation unit is a /64, you could switch
IP addresses once per nanosecond and not run out for almost 585 years.
If you have a /48, you could last for about 38 million years.

So at a minimum, an IPv6 DNSBL will have to list a /64, not individual
IPv6 addresses.  That's fine.  Most botnet nodes are individual home PCs
and they won't be able to pick an address outside their /64 allocation
(assuming a competent ISP... a big assumption!)

Also, DNSWLs will start becoming more important as we concentrate on
listing known-good machines.

> Personally, I prefer everyone everywhere agree that, unless the e-mail
> is password authenticated to one's own mail server, all mail be
> rejected unless the mail server had IPv4. But purists won't like that
> because their goal is to eventually *end* IPv4.

It's not just purists who won't like that.  At some point, you won't
be able to *get* an IPv4 address.

[...]

> If one or both of those were agreed upon up front--this would go a
> long way towards preventing the coming nightmare. (and forgive me if
> RFCs have already established those as absolute standards for IPv6...
> I haven't kept up with all the RFCs for IPv6!)

I don't see any nightmare.  DNSBLs are a useful anti-spam tool that
will be made somewhat less effective with the advent of IPv6, but they're
by no means the only or most effective anti-spam tool we have.

Regards,

David.
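
The arithmetic and the /64 listing argument in the post above, worked through as an added example. This is not code from the thread, from SpamAssassin or from any DNSBL: it computes the "585 years" and "38 million years" figures, collapses a connecting address to the prefix a DNSBL would realistically list, builds the nibble-reversed query name an IPv6 DNSBL lookup uses, and simulates one bot that "hops" to a fresh address per message (the case Ken Anderson mentions), both inside its /64 and across the /64s of a /56 home delegation (the allocation sizes Jason Bertoch cites). All prefixes and the zone name `v6bl.example` are invented for the example.

```python
"""Added example, not code from the thread or from SpamAssassin.

Puts numbers on the claim that an IPv6 DNSBL must list /64s (or larger)
rather than host addresses, and shows what that does to a hopping sender.
All prefixes and the zone name are made up for the example.
"""
import ipaddress

SECONDS_PER_YEAR = 60 * 60 * 24 * 365.25


def years_to_exhaust(prefix_len: int, per_second: float = 1e9) -> float:
    """Years needed to burn through every address in a /prefix_len when a
    sender takes a fresh one per_second times a second (1e9/s = one per ns)."""
    addresses = 2 ** (128 - prefix_len)
    return addresses / (per_second * SECONDS_PER_YEAR)


def listing_key(addr: str, prefix_len: int = 64) -> ipaddress.IPv6Network:
    """Collapse a connecting address to the prefix a DNSBL would list.

    A /64 is the smallest unit a host is normally confined to, so every
    address a host hops to inside it maps to the same entry."""
    return ipaddress.IPv6Network(f"{addr}/{prefix_len}", strict=False)


def dnsbl_query_name(addr: str, zone: str) -> str:
    """Lookup name for addr in an IPv6 DNSBL zone: all 32 nibbles of the
    address reversed and dotted, then the zone (the RFC 5782 convention).
    A zone that lists a /64 answers for any name ending in that
    prefix's 16 nibbles."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + zone


class PrefixList:
    """Toy DNSBL: stores /prefix_len networks, answers per host address."""

    def __init__(self, prefix_len: int = 64):
        self.prefix_len = prefix_len
        self._listed = set()

    def add(self, addr: str) -> None:
        self._listed.add(listing_key(addr, self.prefix_len))

    def __contains__(self, addr: str) -> bool:
        return listing_key(addr, self.prefix_len) in self._listed

    def __len__(self) -> int:
        return len(self._listed)


def hopping_sender(prefix: str, count: int, stride: int = 1):
    """Constructed sample traffic: one sender that never reuses an address.
    stride=1 hops inside its /64; stride=2**64 hops across the /64s of a
    larger delegation (a /56 home or /48 business)."""
    base = ipaddress.IPv6Network(prefix).network_address
    return [str(base + i * stride) for i in range(count)]


def entries_needed(addrs, prefix_len: int) -> int:
    """How many list entries it takes to cover addrs at a given granularity."""
    return len({listing_key(a, prefix_len) for a in addrs})


if __name__ == "__main__":
    print(f"/64 at one address per ns lasts {years_to_exhaust(64):.0f} years")
    print(f"/48 at one address per ns lasts {years_to_exhaust(48):.2e} years")
    bot = hopping_sender("2001:db8:ab:cd::/64", 1000)      # invented prefix
    print("entries per host:", entries_needed(bot, 128),
          " entries per /64:", entries_needed(bot, 64))
    bl = PrefixList(64)
    bl.add(bot[0])                                       # list the first hit
    print("hop #999 caught by the /64 entry?", bot[999] in bl)
    home = hopping_sender("2001:db8:ab00::/56", 256, stride=2 ** 64)
    print("a /56 hopping across its /64s needs", entries_needed(home, 64),
          "/64 entries, or", entries_needed(home, 56), "/56 entry")
    print(dnsbl_query_name("2001:db8::1", "v6bl.example"))
```

The per-/64 result is the practical answer to the "list size in terabytes" worry: the number of entries is bounded by the number of abusive /64s (or /56s) seen, not by the address space, and a sender hopping within its /64 is caught by the first listing. The /56 case shows Jason's caveat: a home delegation still yields 256 distinct /64s, so a list may need to escalate to the delegation size.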


Re: IPv6 and anonymity (was Re: Do we need a new SMTP protocol? (OT))

Posted by Rob McEwen <ro...@invaluement.com>.
On 12/1/2010 12:05 PM, David F. Skoll wrote:
> Where did you hear that?  I can't imagine that
> IPv6 is any less (or any more) anonymous than IPv4.

One HUGE problem is that IPv6 will be a spammer's dream and a DNSBL's
nightmare. Spammers (and blackhat ESPs) would potentially send out
each spam from a different IP and then not use each IP again for YEARS!

This will make DNSBLs much less effective.. and it will bloat their file
sizes and memory/resource requirements exponentially. The DNSBLs will
have no choice but to make their entire DNSBL the equivalent of a /24
list today... except painting with a much broader stroke, and many will
complain about unfair collateral damage. Even then, the bloat will STILL
be out of control.

SOLUTIONS?

Personally, I prefer everyone everywhere agree that, unless the e-mail
is password authenticated to one's own mail server, all mail be rejected
unless the mail server had IPv4. But purists won't like that because
their goal is to eventually *end* IPv4.

So what else could be done?

If we must receive mail from IPv6 IPs, then I recommend doing the
equivalent of the following (put in IPv4 terms for simplicity):

(A) All other non-authenticated mail rejected... unless the message came
from a "XXX.XXX.XXX.0" IP (this is in IPv4 terms... translate this into
some equivalent IPv6 standard... but cast a super wide net!) That will
greatly reduce the number of possible valid mail-sending IPs. (again,
auth mail to one's own server need not fulfill this standard)

(b) industry wide, agree that mail is NOT accepted from IPv6 unless it
does "Forward Confirmed reverse DNS" FCrDNS

If one or both of those were agreed upon up front--this would go a long
way towards preventing the coming nightmare. (and forgive me if RFCs
have already established those as absolute standards for IPv6... I
haven't kept up with all the RFCs for IPv6!)

-- 
Rob McEwen
http://dnsbl.invaluement.com/
rob@invaluement.com
+1 (478) 475-9032
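
The FCrDNS requirement proposed in (b) above, as an added example. This is not code from the thread, from invaluement or from any MTA: it implements the check (the connecting address must have a PTR, and at least one name in that PTR must resolve back to the same address) and the accept/reject policy Rob describes, with authenticated submission exempt and IPv4 peers left alone. DNS answers come from a constructed in-memory resolver so it runs offline; every host name and address in it is invented, and the `550` text is a made-up rejection message.

```python
"""Added example, not code from the thread or from any MTA.

Forward-confirmed reverse DNS (FCrDNS) for a connecting address, plus the
"reject unauthenticated IPv6 senders without FCrDNS" policy from the
thread. Zone data is constructed; all names and addresses are invented.
"""
import ipaddress
from typing import Callable, List, Optional, Tuple

PtrLookup = Callable[[str], List[str]]    # qname in ip6.arpa/in-addr.arpa -> names
AddrLookup = Callable[[str], List[str]]   # host name -> AAAA/A addresses


def fcrdns(addr: str, ptr_lookup: PtrLookup,
           addr_lookup: AddrLookup) -> Tuple[bool, str, Optional[str]]:
    """Return (confirmed, reason, confirming_name) for the connecting addr."""
    ip = ipaddress.ip_address(addr)
    names = ptr_lookup(ip.reverse_pointer)          # nibble-reversed .ip6.arpa
    if not names:
        return False, "no PTR record", None
    for name in names:
        forward = set()
        for a in addr_lookup(name):
            try:
                forward.add(ipaddress.ip_address(a))
            except ValueError:
                continue                            # unparseable answer: ignore
        if ip in forward:
            return True, "PTR name resolves back to connecting address", name
    return False, "PTR name(s) do not resolve back to connecting address", None


class StaticResolver:
    """Constructed zone data standing in for real DNS (offline example)."""

    def __init__(self, ptr, addr):
        self._ptr = {k.lower(): v for k, v in ptr.items()}
        self._addr = {k.lower(): v for k, v in addr.items()}

    def ptr(self, qname: str) -> List[str]:
        return list(self._ptr.get(qname.lower().rstrip("."), []))

    def addr(self, name: str) -> List[str]:
        return list(self._addr.get(name.lower().rstrip("."), []))


def rev(addr: str) -> str:
    return ipaddress.ip_address(addr).reverse_pointer


# Invented sample zones covering the cases a check has to get right.
SAMPLE = StaticResolver(
    ptr={
        rev("2001:db8:1::25"): ["mail.example.com"],       # proper FCrDNS
        rev("2001:db8:2::25"): ["mail.example.com"],       # PTR forged to another site's name
        rev("2001:db8:3::1"): ["host-1.isp.example"],      # PTR exists, forward disagrees
        rev("2001:db8:5::25"): ["old.example.net", "mx.example.net"],  # several PTRs
    },
    addr={
        "mail.example.com": ["2001:db8:1::25"],
        "host-1.isp.example": ["2001:db8:3::2"],
        "old.example.net": [],
        "mx.example.net": ["2001:db8:5::25", "192.0.2.25"],
    },
)


def ipv6_sender_policy(addr: str, resolver: StaticResolver,
                       authenticated: bool = False) -> Tuple[str, str]:
    """Proposal (b): unauthenticated IPv6 senders must pass FCrDNS.
    Authenticated submission and IPv4 peers are not subject to the rule."""
    if authenticated:
        return "accept", "authenticated submission"
    if ipaddress.ip_address(addr).version != 6:
        return "accept", "IPv4 peer, rule not applied"
    ok, reason, name = fcrdns(addr, resolver.ptr, resolver.addr)
    if ok:
        return "accept", f"FCrDNS confirmed as {name}"
    return "reject", f"550 IPv6 sender without FCrDNS: {reason}"


if __name__ == "__main__":
    for peer in ["2001:db8:1::25", "2001:db8:2::25", "2001:db8:3::1",
                 "2001:db8:4::1", "2001:db8:5::25", "192.0.2.25"]:
        print(peer, "->", ipv6_sender_policy(peer, SAMPLE))
```

The second sample case is the one that matters operationally: a sender can put any name it likes in the PTR for space it controls, so a reverse lookup alone proves nothing; only the forward confirmation ties the name to the address. Note also that the policy as proposed is a reachability rule, not an authentication one: a compromised home PC behind a competent ISP will often have perfectly good FCrDNS for its /64.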