The transition from IPv4 to IPv6 has garnered much industry attention, with the recent World IPv6 Day serving to promote the protocol as the “next generation internet.”
The messaging industry’s understanding of how IPv6 impacts anti-abuse mechanisms is on the increase, but requires a broader acceptance of some of the risks involved with IPv6 connectivity and associated transition and translation technologies. According to recent research by Ovum, only 18 per cent of telecoms executives believe their company is IPv6 ready and tested.
As unallocated IPv4 address space approaches exhaustion, IPv6 deployment becomes more critical for fixed-line operators, mobile operators and enterprises alike. As such, the need for businesses to be prepared for the transition from IPv4 to IPv6 is increasingly important.
While IPv6 solves the problem of limited IPv4 address space, it also increases the chance of introducing security weaknesses within enforceable messaging server policy. As such, without the right tools and knowledge, businesses could be opening themselves up to a variety of issues, all stemming from a large can of spam that may not be so easy to digest.
Lifting the lid on spam
In recent months, spam has been propelled into the media spotlight, with the most recent victim being UK budget hotel group Travelodge. According to The Guardian, in July 2011 Travelodge was forced to apologise after thousands of customers were charged twice for a room booking.
Despite an error occurring within its payment system, Travelodge confirmed that the company’s database was apparently hacked, resulting in some customers receiving spam emails to the address they used to register.
Incidents like this should serve as a warning to companies worldwide – if data is not secured correctly, then businesses run the risk of being open to such attacks. Although spam levels are reportedly in decline, IPv6 networks have the potential to seriously aggravate the very real threat of spam and endanger the reputation and services a business has to offer.
The IPv4 networks most likely to include PCs with bot infections are residential and small office / home office networks that are served by cable or DSL modems. These networks are typically assigned a single public IPv4 (32 bit) address and a compromised PC within this network is only able to send messages from that address. Anything sent from this PC can be isolated and tracked, triggering anti-abuse controls by a receiving messaging server.
Contrasting this environment to IPv6 rollouts, most service providers expect to allocate large IPv6 network space (128-bit) to each customer entity, most commonly in the /56 to /64 prefix size range. If a PC is compromised within one of these networks, it could potentially source traffic from any IP address in that network’s vast assigned IPv6 range.
To illustrate the potential scale of this problem, a single /64 customer network range could be used to launch a spam attack where just one message is sent from each IPv6 address in the range. This means a spammer could send enormous amounts of spam without ever re-using a single IP address from inside its assigned network block.
With the potential of IPv6 to cause such large-scale security issues, businesses need to be prepared for the consequences. If a business is not using IPv6-ready infrastructures and IT systems, a potential security breach of the network could result in customer databases being inundated with seemingly legitimate messages offering out-of-this-world offers and links to unknown sites.
Customers engaging with the brand will become annoyed and cease to use the business’ service, resulting in customer churn and a damaged reputation. As individuals turn to trusted and better-protected brands, businesses will ultimately experience a decline in sales, landing a final blow to the already bruised company.
Making your business IPv6-friendly
As the need for deploying IPv6 becomes mandatory, there is significant pressure on IT departments to migrate all services. However, introducing services to external IPv6 networks in messaging infrastructures will require further Internet evolution, if we are to enable a similar level of protection to what currently exists in IPv4 networks.
This includes the ability to ascertain a remote network’s default IPv6 prefix allocation size, as well as to develop rational migration plans that do not compromise internal messaging systems. Additionally, IT departments must be capable of sizing the impact of any migration plan on their infrastructure.
This should involve a thorough evaluation of the security systems available with IPv4 to determine how the same services can be provided after the transition to IPv6. For elements that cannot be afforded similar protections under IPv6, IPv4 should remain the preferred interface until the environment has sufficiently evolved. This is a crucial and important first step in the planning process.
Where next for your business?
For businesses to ensure secure and reliable digital engagement across all platforms in an IPv6 network, there needs to be a realistic assessment of the current, limited view of the threat landscape posed by IPv6. Ultimately, it is the business that must take responsibility for the stability and security of the channels of engagement used by customers, such as the messaging infrastructure.
By working together, businesses, IT departments and the wider messaging and network communities can produce strategies and scalable mechanisms that allow enterprises to prepare and sustain their current infrastructure and technology selection.
Without early discussion and consensus on the implications of IPv6, individual policies will be created and implemented which will inhibit or compromise messaging security, opening the door to widespread abuse from attackers and customer dissatisfaction.