The easiest solution for implementing IPv6 for e-mail is not to do it at all, according to David Skoll, founder and president of Roaring Penguin Software.
“I don’t see much reason to run e-mail on IPv6 yet,” he said during a presentation on IPv6 and e-mail at the IPv6 Summit at the University of Ottawa last week.
But if an organization is interested in doing it, there aren’t too many big problems, Skoll added. Assuming the computing environment has a modern operating system and server—anything newer than Windows 2000—“you get yourself connectivity, you turn on IPv6 and you’re done. You can send and receive e-mail over IPv6,” he said.
Despite perhaps oversimplifying the impact of IPv6 on e-mail, Skoll did highlight some pitfalls to avoid in an IPv6 deployment for e-mail. He named reverse look-ups, content filtering and geo-location as problem areas.
Reverse look-ups, he said, are obsolete in an IPv6 environment and could actually be dangerous. “Because an attacker can command (a very large number of IP addresses), they can fill your cache really fast. They can have a DNS server on their end to generate … but your caching DNS server doesn’t know about that. It has to catch everything in the lookup, so they can blow your cache right out of the water,” Skoll explained.
Spam filtering systems that use reputation parameters can also be negatively affected by IPv6. In an IPv4 internet, reputation filtering is an effective way to block a lot of spam: it determines the reputation of the sender and, if that reputation is judged to be bad, rejects the connection. The problem, according to Skoll, is that very few reputation systems support IPv6 and there is no standard for doing IPv6 reputational tasks.
“One option is to do it the same way you do a reverse look up,” explained Skoll. “But then again you get to the problem of blown caches and how so many addresses can fill your cache with hits for no such domain.”
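The cache problem described above can be seen in a small simulation. This is an added example, not code from Skoll's talk or from Roaring Penguin: the cache size, the sample addresses (taken from the 2001:db8::/32 documentation range) and the per-/64 keying used for comparison are all assumptions made for illustration.

```python
import ipaddress
from collections import OrderedDict

class LruCache:
    """Bounded LRU cache standing in for a caching resolver's memory."""
    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()

    def lookup(self, key):
        """Return True on a hit; on a miss store the key, evicting the oldest."""
        if key in self.entries:
            self.entries.move_to_end(key)
            return True
        self.entries[key] = True
        if len(self.entries) > self.capacity:
            self.entries.popitem(last=False)
        return False

def per_address_key(addr):
    """Reverse look-up name: 32 nibbles + ip6.arpa, unique per source address."""
    return ipaddress.ip_address(addr).reverse_pointer

def per_prefix_key(addr, prefix_len=64):
    """Assumed mitigation (not from the talk): one cache key per /64 network."""
    return str(ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False))

def surviving_legit(key_fn, capacity=1000, connections=5000):
    """Count regular senders still cached after many one-off source addresses."""
    cache = LruCache(capacity)
    # Constructed sample data: 100 regular senders, each in its own /64.
    legit = [f"2001:db8:a:{i:x}::25" for i in range(100)]
    for addr in legit:
        cache.lookup(key_fn(addr))
    # Constructed sample data: connections from distinct addresses in one /64.
    base = int(ipaddress.ip_address("2001:db8:bad::"))
    for i in range(connections):
        cache.lookup(key_fn(str(ipaddress.ip_address(base + i))))
    return sum(key_fn(addr) in cache.entries for addr in legit)

if __name__ == "__main__":
    print("per-address keys:", surviving_legit(per_address_key), "of 100 still cached")
    print("per-/64 keys:    ", surviving_legit(per_prefix_key), "of 100 still cached")
```

With one cache entry per address, the useful entries are evicted by names that will never be asked for again; keyed per /64, the same traffic occupies a single entry.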
The Roaring Penguin president offered up recommendations when dealing with e-mail and IPv6.
At the top of his list is the politically incorrect solution: “not even bother with IPv6 for e-mail.”
If IPv6 is enabled for e-mail, disable the reverse look-up for IPv6 addresses.
If you use IPv6 reputation systems, don’t look up the data over DNS to arrange for a zone transfer.
Because of the huge IPv6 address space, geo-location becomes harder.
Said Skoll: “It will probably stay that way for a while, so you’re going to have to do more content filtering, less IP reputation and that means more CPU power” and everything else that comes with that.
He added another piece of advice with respect to spam filtering.
“Make sure that all of your software from the OS all the way up to your mail readers, filters and everything will handle IPv6,” Skoll said. “Most cheap commercial spam filters don’t do IPv6 and when you speak to the vendors, they don’t care.”