So Long v4! Here’s to v6 Being Secure!

June 10, 2010 - 3 Comments

With the continuous flow of varying government regulations surrounding IPv6, I’ve been wondering about the impact on security. Just having addressing support isn’t enough. Lucky for us, today Cisco announced the early availability of cloud-based IPv6 support for the Cisco IronPort Email Security portfolio. Cisco email security customers of all form factors — appliance, cloud and hybrid — are able to send and receive IPv6 emails through the Cisco infrastructure. Customers so far are very pleased.

The continuous growth of the Internet requires that its overall architecture evolve to accommodate new technologies to support the growing numbers of users, applications, appliances, and services. As per Cisco and industry estimates, the IPv4 address space will be exhausted in the next two years. This will cause every organization to face the inevitable transition from IPv4 to IPv6.

In recent months, Cisco Security Intelligence Operations (SIO) has witnessed a rise in criminal activity on IPv6, particularly as sources of email threat messages and in channels used by botnet command-and-control infrastructure.

In 2008, Time Magazine was hosting its 100 Most Influential People of the Year award. To provide legitimacy and deter users from ballot stuffing, Time created a system whereby each IP address received one vote. The hacker team that pushed the winner, Moot, to the top of the charts faked out the system by using an IPv6 address that didn’t work with the application. Although this hack was acknowledged by Time and was not harmful, it still shows that security is a critical aspect of deploying the IPv6 protocol.

While the threat volume to date has been relatively low, Cisco SIO expects this trend to only continue as IPv6 implementation increases. As the backbone of Cisco’s threat collection and correlation system, Cisco SIO is investing to expand our reputation scoring for IPv6 traffic. One of Cisco’s first layers of threat defense is reputation filtering. Reputation filtering looks at the IP address of the incoming mail message and rates it on a scale of plus or minus ten representing IP trustworthiness. For Cisco customers, it will not matter whether the address is IPv4 or IPv6, since all addresses will be treated the same, with no tuning required by the email administrator. Investments are already underway to fully build out the IPv6 SenderBase Reputation Scoring (SBRS).



  1. I agree with Steve, we have received way too many complaints from our clients about Cisco’s Ironport blocking legitimate email to their customers… SenderBase/Cisco Ironport doesn’t offer any way to resolve the issues with their system, so all we can tell them is to advise their customers to get a different product for scanning their email. Cisco needs to do like AOL and others and allow mail administrators to register for alerts when a complaint is received, instead of just saying “a complaint was received” and there is no information about it. We have NO RBLs but Cisco’s product doesn’t care about “real reputations”.

  2. An outbound email server IP will have a poor reputation if we have received a number of complaints against it. These complaints are likely the result of a recent virus/malware/trojan infection in the sender’s network. Once the issues are resolved, the reputation of the IP should begin to improve automatically and, in time, email from that domain will no longer be treated as spam. Since we publish a reputation score and not a pure black list, the speed of recovery of an IP’s reputation depends on many factors including the time passed since the last spam report and the ratio of spam to total email volume originating from this IP.

  3. Ironport is killing legitimate email. A briefly infected machine sent spam, my network was rbl’d, we fixed the problem and cleared up the rbls. However cisco/senderbase leaves no method of changing my network’s “reputation”. senderbase has no information, cisco claims it’s not them. I was told by cisco to get in touch with everyone my company emails and get them to whitelist us in their ironports. HAH! I can’t email cisco because they use ironports and block my ip based on my “poor” reputation. This is a serious issue that cisco needs to resolve before network owners realize their ironports are just expensive doorstops. Do a google search and see the problems you’ve caused without any redress.