Slashdot Mirror
Carrier Trick To Save IPv4 Could Help Spammers
Julie188 writes "As public IPv4 addresses dwindle and carriers roll out IPv6, a new problem has surfaced. We have to move through a gray phase where the only new globally routable addresses we can get are IPv6, but most public content we want to reach is still IPv4. Multiple-layers of NAT will be required to sustain the Internet for that time, perhaps for years. But use of Large Scale NAT (LSN) systems by service providers will cause problems for many applications and one of them is reputation filtering. Many security filtering systems use lists of public IPv4 addresses to identify 'undesirable' hosts on the Internet. As more ISPs deploy LSN systems, the effectiveness of these IPv4 filtering systems will be hurt."
Domain name != IP address
There's no -1 for "I don't get it."
IP filtering has always been useless from a security standpoint. Same goes for MAC address filtering.
Anyone anywhere can change both easily. Blocking addresses is only a matter of convenience.
This "news" just means that tons of "security" software and filtering hardware (Barricuda, anyone?), is being exposed as the useless, inflexible crap that they are, and the companies behind them are trying to point fingers at large network operators while simultaneously touting their next version, which will have IPv6 support. Maybe. Which totally won't solve the IPv4 issues, but never you mind that.
Keep all your bullshit about NAT saving the world in this thread where it can be ignored by people who actually know what they are talking about please.
Welcome back, Gopher.
NAT is fine for people who only make outgoing connections; i.e. the passive internet consumer.
It's hell for the rest of us, but hey, since when did the massive media conglomerates ever have the techies' interests at heart?
end user customer networks (the ones most likely to go this route) are already on various "mail shouldn't be coming from here" blacklists, and those customers also should be already using the isp's mail servers for outgoing mail.
I assume you're talking about end users connecting on port 25 (MTA-to-MTA communication), not port 587 (MSA-to-MTA). Otherwise, what should people do when the monopoly broadband ISP has unreliable mail servers, or when they're using mail on a laptop temporarily connected to an ISP other than their own?
ISP level nat sucks but I don't think we have a lot of choice.
IPv4 IPs will become a scarce resource and as such will get reallocated from less lucrative customers to more lucrative ones. Whether that allocation will only happen within ISPs or whether it will be allowed to happen between ISPs is unclear at the moment but it is pretty sure to happen.
Those who aren't profitable enough to give a public V4 IP will still need to reach IPV4 only servers and/or use IPV4 only applications (remember apps both client and server have to support v6, not just the OS) for the forseeable future. ISP level NAT is the only way to deliver that.
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
remember apps both client and server have to support v6, not just the OS
Really badly written programs.
Seriously. I've written stuff in C with the sockets API that is IPv4/v6 agnostic. It's easy to do; there is no excuse for not implementing it.
I work for an IP reputation company (and am not representing it in this post).
This is not a complicated issue. The LSN portals will merely have to add a tracking header to all mail they process (and block anonymous direct mail if they want to escape DNSBLs' wrath). This is already an issue with webmail (e.g. Google doesn't add the tracking header, so it's MUCH harder to trap spam originating through GMail than it is through providers like Hotmail who do provide this extra tracker).
Use my userscript to add story images to Slashdot. There's no going back.
It's not just spammers. A lot of on-line games, for instance, record the IP address used to log in to a game in the account's history. Customer Support then uses that to help determine eg. whether a claim of a hacked account is valid or bogus. Large-scale NAT is going to mess with that by confusing the record: one computer may appear to be using a different IP address for each login, and multiple unrelated computers can appear to have the same IP address. And with a lot of games moving towards RMT, a hacked account can mean the loss of real money for the player. When CS tells that player "Sorry, the login where the items were sold/transferred came from one of the IP addresses you normally log in from, the problem's on your end." and the player learns that that's because his ISP is NATing their entire network, he's not going to be happy.
More to the point, SMTP hosts will be pretty much forced to do something more productive than blocking via IP, which amounts to group punishment. (Something apparently only tolerated on the internet).
Its sad that the most broken of protocols has this much sway over the net. SMTP needs a ground up re-write, and it will need it just as much (if not more) after IPV6 is deployed.
Sig Battery depleted. Reverting to safe mode.
Seriously, IPv6 is there to replace IPv4. Tell everyone who whines 'tough shit' switch over already. If I have to pay an extra 5 dollars a month for a year to my ISP for that to happen then I would. Just stop trying to extend the life of IPv4 when there is a suitable replacement already available.
My ISP (AAISP) actively encourage IPv4 address exhaustion AFAICT.
They gave me a /29 + a /32 for my router for home use and probably would have given me more if I'd asked. At work I asked for a /28 and got a /27.
They also give out a /48 IPv6 subnet to all customers and instructions for use. They can do IPv6 over PPPoA (this is the UKoGB) natively and provide a IPv6 to 4 tunnel broker for those that need it.
Have a look at your Spam Assassin headers and see that quite a lot of marks are not related to IP address. I have found DNSBLs handy up to now but I think I'll accept that as these lose their efficiency during IP version handover my spamds and MTAs will get a bit more of a battering for a while.
Never mind processing power is pretty cheap.
I have a customer with around 16 million unique IPs trying to get in each week - a spambot net of some sort (Russian and Chinese IP feature a lot). An Exim process is being spawned for each connection along with a spamd and possibly clamd session. The box is a dinky Dell single processor server and it barely breaks a sweat.
Cheers
Jon
Having been intimately involved with spammers over the years I can say that this change will only escalate the ongoing game of use / burn / blacklist / move on. Yes, more poor commercial entities will unknowingly and unwillingly have to call in Wally the IT guy to help them get off some blacklist somewhere so their mail will flow, but in the grand scheme this will not change the processing power of the mail bots or tilt the scales in a significant manor. IMHO.
Really badly written programs.
Or just old programs.
Afaict windows didn't have getaddrinfo until XP (unless you count the version in the IPV6 technology preview for 2K). It's predecessor gethostbyname only supports IPV4. MS does offer a wrapper to help with this but afaict that only helps if you are coding with MSVC[++] (I ended up writing my own wrappers for fpc/delphi, not too hard but definitely extra effort)
Further it seems while windows has wsaasyncgethostbyname there is no wsaasyncgetaddrinfo. So if you want to do a v6 capable name lookup without blocking the rest of your app you have to do it on another thread.
P.S. yes I HAVE implemented code (in delphi style pascal) directly on the low level apis that supported both v4 and v6 and async lookups (by using a thread) and supported older operating systems (by using getprocaddress and my own "v4onlygetaddrinfo" if the getprocaddress fails). I wouldn't exactly call it trivial though.
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
My ISP (AAISP) actively encourage IPv4 address exhaustion AFAICT.
It's really not in ISPs interests to conserve IPs at this point. The more IPs they can get out of the RIRs now the more IPs they will have to reuse for more lucrative customers later.
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
... lists of public IPv4 addresses to identify "undesirable" hosts ...
Legitimate mail servers will still need an IP address, whether that is IPv4 or IPv6. Their outbound SMTP connections can just use that same IP address. The real issue involves all those end user (broadband and dialup) IP addresses, which more and more will be multiple users sharing them for outbound connections, with no inbound. Make those have zero reputation. Let the IP addresses which are associated with real mail servers have the reputation earned by its behavior.
One big difficulty will be mail servers stuck only on IPv6 trying to deliver mail to those on IPv4, and visa-versa. But this is at least a substantial subset of the IP space. That means it can hold out for a while on IPv4, until enough IPv6 is deployed to make a "mad rush to IPv6 for email" can happen. But in the mean time, those who can do mail exchange between servers on IPv6 will be pretty much spam free, for at least a while. When spammers get on IPv6, then we know IPv6 is "happening".
To encourage IPv6, those who are on it can do things like adding extra goodies to IPv6 users. I do know a lot of porn is already there. Maybe extra features on web sites can be made to work on IPv6, too.
now we need to go OSS in diesel cars
-1 for not even remotely knowing what you're talking about.
But anyway, IPv6 is essentially the same thing as using a longer name. Instead of having only 2^32 addresses, IPv6 has 2^128 addresses. Enough to give every man woman and child on earth a trillion permanent addresses a year for 4.85*10^16 years. (caveat: assuming the population will stay at 7 billion people for 4.85*10^16 years)
Hectice, baby, Mercator says hello to you
authenticated mail (which can be done on port 25, it doesn't have to be 587, but should be these days because of port 25 filtering) is not normally subjected to blacklist filtering, and is thus not affected.
The vast majority of people don't run their own mail servers though, so their mail clients are configured to use their isp's mail server. Again, not affected.
If your isp has unreliable mail service, then find another one --- there is no shortage of options there. For practical purposes, in that case, you're roaming, in which case you have to authenticate to send mail anyhow to bypass the relaying blocks, and thus again, not affected.
As more ISPs deploy LSN systems, the effectiveness of these IPv4 filtering systems will be hurt.
That doesn't follow. The folks in dynamic space (the same space that will be served by LSNs) are already considered spammers when they connect to a non-local SMTP server. The only reason they're scored instead of outright blocked is that there's no rigorous list of what is and isn't a dynamic space. It makes no difference to the server whether it filters a range of IPs or a single IP.
Identifying the individual spammer from an abuse report is slightly more difficult, but only slightly. And if you're behaving like a good net citizen, you probably blocked outbound 25 at the LSN box to begin with so you're not getting any reports because your virus-laden customers aren't able to successfully spam.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
The last time I contacted my ISP about this they told me (again) that they have no plans to implement IPv6.
This was just a few months ago.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
Or non-dedicated game hosting. Wasn't Modern Warfare dependent on users hosting the games themselves? How would that work with NAT?
Dilbert RSS feed
Actually, we will just ban or greatly increase the spam score of anything coming from these NAT pools just like we do today with dialup and consumer broadband IP pools today. People with real servers will continue to have dedicated IP addresses that aren't behind these NAT pools and so we will judge them individually based on reputation (or lack thereof).
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
"Damn you filthy file-sharers! Thanks to you, at my last party I only had seven buckets of blow and forty hookers rather than the ten buckets and sixty hookers that are accepted as an industry-norm for this type of affair. Damn you all!"
for example
Requiem for the American Dream
All of the players will either have:
* an IPv6 address and a (possibly NATed) IPv4 address, or
* an unNATed IPv4 address.
If the entire group of players falls into the same category, then it's a non-issue. If it's mixed, then one of the players in the second category should run the server.
The details are trivial and useless; The reasons, as always, purely human ones.
Pastebin example code or it didn't happen.
Many IT professionals including myself feel that IPv6 is a joke and is unnecessary in most practical scenarios. Arguments I tend to throw out on face value are "why not IPv6?" and "we're running out of IPv4 addresses". Keep NAT'ing IPv4 until the cows come home - no one except tech geeks will really care if we do.
While what you say is true, what you and the other "just switch to IPV6 already" folks seem to be missing out on is if everyone was to switch at noon tomorrow in all likelihood you would be looking at MASSIVE outages, which would go on for weeks if not months. Why? Multiple reasons:
One, thanks to offshoring IT has been a dying field for quite awhile now, with fewer and fewer new blood coming in. What that means is in the flyover states you have most if not all the backbones being run by old guys who haven't kept up on the tech, and from the ones I've talked to most are looking to get out of IT if at all possible. That means the experience just isn't there, it isn't gonna be there, and many will take early retirement or just get out rather than deal with the IPV6 mess. That in turn means things that take minutes to fix in IPV4 will take days in IPV6 simply because nobody knows how to use the new tools.
Two: Infrastructure. There is a hell of a lot of VERY expensive equipment out there that either cannot be upgraded to IPV4, or could be but is no longer "supported" by the OEM, which means a MASSIVE amount of money will have to be spent in a dead economy. Now considering these cableco/teleco duopoly sure as hell ain't gonna take a CEO pay cut, that either means pay for it by gouging the customers even deeper, which in most flyover areas Internet usage is declining thanks to price gouging, or make it up by screwing the workers even harder, which results in number one above. Then add in the fact a good 90%+ of the routers and firewalls and other network devices in consumer homes WILL NOT support IPV6, and in fact most of the routers sold today STILL DON'T support IPv6 and the ones that do are triple price compared to the others, means you are talking MASSIVE amount of eWaste is about to be hitting the environment. You are talking truckloads of routers, modems, all having to be shitcanned. Again this will raise cost that the consumer WILL get stuck with in a dead economy.
So you see, there is a damned good reason that they are gonna string along IPV4 for every last second they can. They will do so because it is gonna be a massive clusterfuck when the switchover comes, with complaining customers because NOTHING in their house works, no IT guys with experience enough to fix even the simplest of problems, and warehouses worth of gear, both dirt cheap and ridiculously expensive, all having to be taken straight to the dump. Frankly it is NOT gonna be pretty, not at all.
ACs don't waste your time replying, your posts are never seen by me.
Until the day when a major ISP implements LSN and then gets blocked. Then they do figure that it's a bad idea.
However most ISP:s are extremely lazy and aren't even considering IPv6 because they are waiting for everyone else to do it.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Ah, you assume actual forwards planning takes place. Let's look at a more cynical scenario:
Techie: We can't grow the network any longer! There's just no space.
Manager: Anything you can do to fix it?
Techie: I can throw together something with NAT in a few weeks, that'll let us keep going, but really we need to move to IPv6. It's going to cost millions to fix.
Manager: But... this NAT thing... that'll fix it? And it's cheap?
Techie: Well, yes, but -
Manager: And it'll let us keep getting new customers?
Techie: Yes, for years, but the long-term consequences for the wider internet -
Manager: Do it. We can't afford millions. I've got shareholder dividends to pay.