IPv6 reputation is doable

The Internet has grown beyond what anybody involved in its early development could have imagined. Who would have thought that a network developed in the 1970s for government and education entities to communicate would have become an indispensable utility touching every aspect of our lives?

One of the things that the original architects of the Internet didn’t anticipate was that Internet Protocol (IP) addresses – the essential way that electronic devices communicate with each other – would become exhausted. Back in the 70s, the 4 billion addresses available under the IP address assignment scheme known as Internet Protocol version 4 (IPv4 for short) seemed more than ample. But just last month, the last block of IPv4 addresses was assigned.

Fortunately, the groups responsible for defining standards for the Internet saw this day coming long ago, and began developing a new version of IP addresses, called Internet Protocol version 6 (IPv6) – (they did not choose version 5 because that was used for an experiment that never saw wide deployment). As opposed to IPv4 which has roughly 4.2 * 10^9 addresses, IPv6 has roughly 3.4 * 10^38 addresses (that is larger than the number of particles believed to exist in the universe). Such a vast address space means that once the Internet and devices connected to it support IPv6, there will be no issue with the number of available addresses for a very, very long time.

Unfortunately, the sheer volume of the IPv6 address space introduces challenges that do not exist in an IPv4 network. For example, many techniques used to track the reputation of an IP address do so based on the entire IPv4 address. Since there are ‘only’ 4 billion possible IPv4 addresses, this is not an unreasonably large number of addresses to account for. Considering the large amount of available IPv6 address space, this technique is not feasible with IPv6 addresses.

Some naysayers have argued that this fact alone means that IP-based reputation will be not be possible for IPv6 addresses at all. A common statistic quoted in support of their argument is that a spammer with even a /64 could use a different IP address for every single email message he sends, thus making it impossible to track reputation.

Statements about the vastness of the IPv6 address space and that assignments given to end subscribers will contain a large number of valid addresses are completely true. Yet, the naysayers’ conclusion that this makes IPv6 reputation impossible is wrong and completely misses the point. Yes, IPv4 reputation tracking techniques won’t translate directly into IPv6, but why should that be the only option? That’s like replacing a wood house with a steel-frame one, but building it using exactly the same architectural plans.

A different underlying technology gives us the opportunity to innovate and establish an environment where carriers can get the IP-based reputation information they need. And to be clear, IP-based reputation is absolutely essential. Techniques such as whitelists may be able to be used for inter-carrier messaging, but Customer Premise Equipment (CPE) facing services will absolutely require IP-based reputation to protect them from abuse. Such protection is essential in today’s IPv4 world, and it will be just as important in tomorrow’s IPv6 world.

To suggest there are no solutions to this problem is nonsense and denies the real necessity of moving to IPv6. Of course there are solutions to this problem! IPv6 has not changed the fundamental nature of business relationships between carriers and their subscribers. Said another way, a subscriber who today gets an IPv4 /32 or /28 (and only one) will just be a subscriber tomorrow who gets a /64, /56, /48 or whatever. To understand why this is important, one needs to look at what IPv4 reputation systems aim to achieve.

The end goal has never been to assign a reputation to an IP address itself (because a number in itself can neither be a good or bad actor), but instead to create a stable system for inferring the reputation of the user of that address (which is the human or organization behind it, not the device itself).

Privacy concerns and effective lookup mechanisms typically block the ability to assign a reputation to an actual individual, but the IP address serves as a reasonable proxy for that individual. Even though with the introduction of IPv6 a subscriber may have a significantly larger number of available addresses and use many of those with various devices (computers, toasters, etc.) the adoption of IPv6 will not result in a significant increase in the number of actual subscribers on the network.

IPv6 obviously breaks the model of one subscriber equaling one IP address, but ultimately the situation is moderated by two important facts: one subscriber will have one IPv6 prefix, and the number of subscribers will grow at a much more manageable rate.

There is nothing that prevents reputation from being collected based on that assignment prefix, and aggregated appropriately. This can be done on a batch basis, or on a real-time basis given a suitable platform. The only missing piece of information is what that assignment prefix length is. An infrastructure already exists to distribute such information; specifically the reverse DNS infrastructure provides a distributed and delegated basis for carriers to publish their assignment policy for any block of address space.

Finally, an incentive is necessary for carriers to publish their policy. That will come in the form of the default aggregation policy for reputation being a /48, in the absence of published information from a carrier. If a carrier does not want longer allocations to be aggregated together into a common /48, they must publish their assignment policy.

The above is just a straw man proposal, and many details remain to be discussed and agreed upon. Yet, it’s essential that the industry’s messaging technology providers work with various stakeholders in the coming months to formalize this into something concrete. At the end of the day, what ends up being agreed to for IPv6 reputation may look very different, but there’s no disagreement that IPv6 reputation is absolutely essential. The challenges described above are not merely faced by messaging environments. Any end-user facing Internet service has attack risk (be it mass registrations, directory harvesting attacks or a denial of service attack). The proposal described above is applicable across the board to any Internet service.

Now is not the time to live in fear of what IPv6 will mean. One of the major challenges with abuse in the IPv4 environment is the vast number of legacy systems that prevent implementation of effective policies. IPv6 is an opportunity to break free of those shackles and for our industry to embrace a vision about how abusive traffic on the Internet will be managed moving forward.

We must acknowledge the challenges that face us, articulate the protections we need, and then move forward to find solutions that keep providers’ networks up and running and their subscribers safe and secure. Saying it can’t be done is not an answer that any of us can live with.