Twin Cities Security User Group

  • 1.  Impact of transition from IPv4 to IPv6

    Posted Dec 18, 2010 02:56 AM

    Slashdot.org has an interesting discussion on the transition from IPv4 to IPv6. Basically as regions and areas migrate to IPv6, their traffic to the remaining IPv4 users will appear to come from a shared NAT'd IPv6-IPv4 gateway. This will cause headaches for products that depend on IP address reputation filtering (e.g. SBG).

    http://tech.slashdot.org/story/10/12/17/2226230/Carrier-Trick-To-Save-IPv4-Could-Help-Spammers

    As usual with Slashdot, there is a lot of noise.

    I'm at an SBG site with 50k+ users and we don't expect to be on IPv6 any time soon, so I expect this transition could be a problem for us inbound, and outbound for the mail we send to customers who have migrated to IPv6 address space.

    Symantec

    - are you seeing an impact on IP reputation already?

    - is there a timeline for SBG IPv6 support?

    - when spammers move into IPv6 blocks how will SBG be affected?

    - how soon does Symantec expect the spammer migration to take place? Has it started?

     

    Forum watchers - what are your thoughts?



  • 2.  RE: Impact of transition from IPv4 to IPv6

    Posted Dec 19, 2010 12:42 PM

    Excellent questions. I'd imagine that some of what you're asking can be found in the State of Spam reports (http://www.symantec.com/business/theme.jsp?themeid=state_of_spam).

     

    When I get in the office tomorrow I'll ping up the chain and see if we can get some answers.



  • 3.  RE: Impact of transition from IPv4 to IPv6

    Posted Dec 19, 2010 05:01 PM

    The current month's report doesn't really talk to this. I was hoping some users would chime in with their thoughts, IPv6 plans, etc. Maybe a poll could be put up.

    - have you moved to IPv6 at your edge?

    - if not - do you have plans to migrate in 1-3 months,  4-6, 6-12, 18 months, someday, no current plans.

    My organization is just at the "hmm, we should think about this" stage - mail, and websites, etc.

    One of my concerns is that SBG is great at IP based blocking (about 90-95% for us), but not so good at recognizing spam that gets past the IP filters. IPv6 will aggravate this.

    I've briefly mentioned IPv6 to my TAM, which got a rise out of the SBG (or is it SMG) product manager, but we weren't really ready to give guidance to Symantec.



  • 4.  RE: Impact of transition from IPv4 to IPv6

    Posted Dec 22, 2010 10:19 AM

    My company is still running v4... I don't know of any plans to change for now. I know we're IPv6-capable but I can't imagine a change in the immediate future.

    I don't understand the concern though. Is it that spammers will be using IPv6 and there's no IPv6 reputation database or that the spammers will still be using IPv4 and there's no way to filter those based on IP addresses because of the shared NATs?



  • 5.  RE: Impact of transition from IPv4 to IPv6

    Posted Dec 22, 2010 10:53 AM

    Both. SBG isn't IPv6 capable yet, so inbound IPv6 will appear to be behind the NAT, with possible side effects.



  • 6.  RE: Impact of transition from IPv4 to IPv6

    Posted Dec 22, 2010 11:15 AM

    Oooh! Ok I get it =)



  • 7.  RE: Impact of transition from IPv4 to IPv6

    Posted Jan 28, 2011 11:02 AM

    Symantec is planning on implementing support for IPv6 in our Brightmail Gateway product line over the next couple of major releases.  We have spent quite a bit of time planning for the change and thinking about the priority for IPv6 implementation.  I agree with Cricket17's idea, it would be great to hear feedback from customers on their IPv6 migration plans.  When we have discussed IPv6 with customers, most are in the exploratory stage and do not have concrete plans on how to make a migration.  Symantec is interested in hearing your thoughts on why, how, and when you plan to migrate to IPv6.  Please send me a note if you would like to join a discussion on IPv6.



  • 8.  RE: Impact of transition from IPv4 to IPv6

    Posted Feb 02, 2011 02:28 PM

    We would like to participate in any discussion regarding IPv6 transition. The transitional period, where IPv4 addressing coexists with IPv6 may extend over several years. During this time, there are several significant vulnerabilities that need to be addressed.

    The suite of Symantec tools, from Anti-SPAM to SEP Firewalls, must be able to work in this heterogeneous environment. Early adoption of IPv6 by potential customers will force us to provide services over both stacks. Reputation filtering plays a significant role in reducing threat.

    Please keep us informed of any telecons or webinars.



  • 9.  RE: Impact of transition from IPv4 to IPv6

    Posted Mar 16, 2011 05:43 PM

    Given that the IPv6 space is very large, I'm not sure how efficient IP reputation based scanning is going to be. Potentially the spammers would be able to spam from disposable addresses.

    Would be interested to see how this problem will be tackled.

    Oz.
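
Added example, not part of any post in this thread: a minimal per-source reputation tally in Python, run over a constructed log, showing the two effects raised in posts 1 and 9. The function names, thresholds and log are hypothetical, the addresses are documentation ranges, and grouping IPv6 sources by /64 is an assumption used for illustration, not something the thread or Symantec states.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log: (source address, verdict from content scanning).
# 192.0.2.10 stands in for a shared IPv6-to-IPv4 carrier gateway;
# 2001:db8:1:1::/64 stands in for one subscriber rotating through addresses.
LOG = (
    [("192.0.2.10", "spam")] * 6 + [("192.0.2.10", "ham")] * 4
    + [("198.51.100.7", "spam")] * 10
    + [(f"2001:db8:1:1::{i:x}", "spam") for i in range(1, 11)]
)

def key_exact(addr):
    """Reputation key = the exact source address (classic IPv4 behaviour)."""
    return str(ipaddress.ip_address(addr))

def key_prefix64(addr):
    """Reputation key = exact IPv4 address, or the enclosing /64 for IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ip)
    return str(ipaddress.ip_network(f"{ip}/64", strict=False))

def build_reputation(log, keyfn):
    """Count spam and ham verdicts per reputation key."""
    stats = defaultdict(lambda: {"spam": 0, "ham": 0})
    for addr, verdict in log:
        stats[keyfn(addr)][verdict] += 1
    return dict(stats)

def blocked_keys(stats, min_msgs=5, spam_ratio=0.9):
    """Keys with enough history and a high enough spam share to block."""
    out = set()
    for key, c in stats.items():
        total = c["spam"] + c["ham"]
        if total >= min_msgs and c["spam"] / total >= spam_ratio:
            out.add(key)
    return out

def summarize(log, keyfn):
    """Blocked keys plus the spam messages no blocked key would have covered."""
    stats = build_reputation(log, keyfn)
    blocked = blocked_keys(stats)
    missed = sum(1 for a, v in log if v == "spam" and keyfn(a) not in blocked)
    return {"keys": len(stats), "blocked": sorted(blocked), "spam_not_covered": missed}

if __name__ == "__main__":
    print("per-address:", summarize(LOG, key_exact))
    print("per-/64    :", summarize(LOG, key_prefix64))
```

With per-address keys the rotating IPv6 sender never accumulates enough history to be listed, and the shared gateway stays under the threshold because legitimate mail dilutes its score. Lowering `spam_ratio` to 0.5 does list 192.0.2.10, and with it the four legitimate messages sent through the same gateway.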



  • 10.  RE: Impact of transition from IPv4 to IPv6

    Posted Mar 20, 2011 08:58 PM

    Re: spamming from disposable addresses, it seems to me that that goes back to the spammer's network provider.

    Once upon a time, a spammer could shop ISPs until they found one rogue enough to sell them service. I believe the anti-spammer's term for that is "pink contracts".

    But the days of being able to find such ISPs are increasingly coming to an end, which is why spammers have moved a large portion of their distribution network to compromised zombies and bots, rather than hosting their own spam broadcasting hosts.

    If ISPs are allowing residential customers to both send direct SMTP over IPv6, as well as have unlimited IPv6 addresses from which to do that, those ISPs need to be hit with a big clue-hammer.

    It seems to me that the transition to IPv6 is not only a danger but an opportunity to impose some well-needed order on some of the chaos. We've never done this sort of thing in the modern history of the Internet. Part of me wishes that ICANN had the ability to revoke address space assignments to national registries or customers who have a history of allocating it to rogue entities.