An interesting article was posted on Slashdot in December:
As public IPv4 addresses dwindle and carriers roll out IPv6, a new problem has surfaced. We have to move through a gray phase where the only new globally routable addresses we can get are IPv6, but most public content we want to reach is still IPv4. Multiple layers of NAT will be required to sustain the Internet for that time, perhaps for years. But use of Large Scale NAT (LSN) systems by service providers will cause problems for many applications and one of them is reputation filtering. Many security filtering systems use lists of public IPv4 addresses to identify “undesirable” hosts on the Internet. As more ISPs deploy LSN systems, the effectiveness of these IPv4 filtering systems will be hurt.
In the short term, this is definitely going to be a problem for email security companies that rely strongly on DNSBLs or reputation-based systems.
Scenario: a company NATs [1] traffic from a single external IPv4 address to a large IPv6 IP pool. If one of the machines in the IPv6 space is infected and spamming the world, the spam-trap (honeypot) data collected by any DNSBL or reputation system will classify the IPv4 address as “dirty” and block anything behind it, including the entire IPv6 space. That's a pretty bleak picture, since there has been a solid shift in email security towards reputation-based services and a de-emphasis on content filtering.
The advantage of using reputation-based systems combined with DNSBLs is that you can block a considerable amount of traffic before actually accepting the complete email. In other words, the more traffic you reject at the front door, the fewer resources needed to scan the messages for bad content on the back end.
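As an added example (not code from the original post), the Python below models the two points above: a DNSBL lookup name is built from the translated IPv4 source address only, so once one spamming IPv6 host behind an LSN pool gets that address listed, every neighbour in the pool is rejected at the front door as well. The DNSBL zone name and the address ranges are constructed placeholders.

```python
import ipaddress

# Constructed placeholder zone, not a real DNSBL.
DNSBL_ZONE = "dnsbl.example"


def dnsbl_query_name(ipv4: str, zone: str = DNSBL_ZONE) -> str:
    """Build the reverse-octet name an MTA resolves to check a DNSBL,
    e.g. 192.0.2.10 -> 10.2.0.192.dnsbl.example (the usual DNSBL convention)."""
    addr = ipaddress.IPv4Address(ipv4)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


class LsnReputationModel:
    """Toy model of the collateral damage described in the post: reputation is
    keyed on the public IPv4 address, but many IPv6 hosts share that address."""

    def __init__(self, nat_pools):
        # nat_pools: {external IPv4 address: IPv6 prefix translated behind it}
        self.pools = {ipaddress.IPv4Address(v4): ipaddress.IPv6Network(v6)
                      for v4, v6 in nat_pools.items()}
        self.listed = set()  # "dirty" external IPv4 addresses, as a DNSBL would hold them

    def external_for(self, ipv6: str) -> ipaddress.IPv4Address:
        """Which public IPv4 address the outside world sees for this IPv6 host."""
        host = ipaddress.IPv6Address(ipv6)
        for v4, prefix in self.pools.items():
            if host in prefix:
                return v4
        raise LookupError(f"{ipv6} is not behind any modelled LSN pool")

    def report_spam(self, ipv6_sender: str) -> str:
        """A spam trap only ever sees the translated IPv4 source; that is what gets listed."""
        v4 = self.external_for(ipv6_sender)
        self.listed.add(v4)
        return dnsbl_query_name(str(v4))

    def is_rejected(self, ipv6_sender: str) -> bool:
        """Front-door check a receiving MTA makes before accepting the message body."""
        return self.external_for(ipv6_sender) in self.listed

    def collateral_hosts(self, ipv6_offender: str) -> int:
        """How many other addresses in the same pool inherit the offender's listing."""
        v4 = self.external_for(ipv6_offender)
        return self.pools[v4].num_addresses - 1
```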
Content filtering has several well-known inherent costs: it is more CPU- and memory-intensive, and generally more prone to false positives. It costs a lot more to block a message after accepting the entire body.
However, as we slowly transition to IPv6, email security companies will have no choice but to continue enhancing their content filters, since the reliability of reputation-based systems will likely take a hit.
In other words, the transition period is going to be a real mess. Companies that have maintained strong content-filtering systems will have the upper hand, as others scramble to catch up.
References:
1. Network Address Translation: http://en.wikipedia.org/wiki/NAT