Yes, we have no IP addresses, we have no addresses today

We’ve just about run out of the Internet equivalent of a natural resource – IP addresses.

ICANN allocated the last couple of blocks of general usage IPv4 addresses to APNIC earlier today.
There are just five usable blocks of addresses left, and they’re reserved by IANA policy for the final phase of IPv4 exhaustion, one for each RIR.
Like any other resource that’s been strip-mined to depletion that doesn’t mean that IP addresses are completely unavailable – there are still some in the delivery pipeline (the regional internet registries who handle allocation of addresses), ISPs have stockpiled addresses they don’t really need yet in anticipation of the exhaustion, and we can still recycle the addresses we’ve already got.
But there won’t be any new IPv4 addresses available.
What does that mean to you?
It’s going to affect your business in lots of ways over the next few years. And delaying thinking about it will just make it more expensive and more painful once you’re forced to pay attention.

IPv4 addresses are increasing in price
You’re going to find it increasingly difficult to get assigned new ones. It’s long past time to stop thinking of them as “effectively free”.
You’re going to need IPv6 production deployments fairly soon, and we’re well past the point of “it’s cheaper to wait, so that our vendors can do the IPv6 work that’s needed”. Delaying putting IPv6 prototypes into the field is going to get increasingly painful and expensive.
If your CTO and CFO are not concerned about this yet, they should be.
Stop wasting addresses
Dedicating even a single IP address to a customer is wasteful, if you don’t need that to handle the volume of email sent. You should be signing all your mail with DKIM today and building domain based reputation for your customers, as IPv4 based per-customer reputation is going away.
As you grow and gain more customers you’re going to have to start sharing v4 addresses between customers, which will share their IPv4-based reputation.
And fairly soon, you’ll want to start sending mail over IPv6 to some destinations. Odds are good that per-customer IPv6 reputation isn’t going to happen much. There’ll be some broad IPv6 based reputation to distinguish your outbounds from spammers and botnets, sure, but IPv6 based reputation down to a per-customer level isn’t something you’re likely to see much benefit from.
Assigning multiple IPv4 addresses to a single customer is ridiculously wasteful. You’re going to want to engineer away from any need to do that – and have your sales staff stop promising it – so that you can recycle those precious, precious IPv4 addresses for use elsewhere by other customers.
Your recipients are moving to IPv6
Big consumer access ISPs are some of the biggest consumers of IP addresses. They’re likely going to be moving to native IPv6 for end-users, combined with some sort of v6-to-v4 translation before anyone else.
That means that your web users, from home and mobile devices, will be trying to reach you via IPv6 sooner rather than later. Native v6 will mostly work better than v6-to-v4. So you want to be thinking about v6 access soon.
Have you got v6 space assigned from your ISP(s) yet? No? Ask them for it this week.
Do you have plans for making your image and click-tracking webservers v6-aware?
Everything you do with IPv4 you need to be able to do with IPv6
Does your address list management support tracking signups and confirmations from IPv6 users as well as IPv4?
Can you track opens and click throughs from IPv6 users?
How about reporting? Does your database and reporting engine support IPv6 addresses? Can you do geolocation for IPv6 addresses?
Does your smarthost vendor support preferentially routing mail via IPv6?
IPv6 is an opportunity
What would you do if someone were to offer you dedicated MX machines at Yahoo, Google and Hotmail. Machines that were much the same as their primary MXes, but lightly loaded with much more available capacity. How much would you be prepared to pay for access to them?
Sooner or later there’ll be IPv6-only MXes at those, and other ISPs. Will you be ready to use them?
Do your competitors offer an IPv6-ready system yet? How much of a business disadvantage will you be at once they do?
And finally
None of this is new. You’ve known for years that you need to be more frugal with IPv4 addresses and have dual-stack IPv6-capable services.
But it’s getting urgent.

Related Posts

Clicktracking 2: Electric Boogaloo

A week or so back I talked about clicktracking links, and how to put them together to avoid abuse and blocking issues.
Since then I’ve come across another issue with click tracking links that’s not terribly obvious, and that you’re not that likely to come across, but if you do get hit by it could be very painful – phishing and malware filters in web browsers.
Visting this site may harm your computer
First, some background about how a lot of malware is distributed, what’s known as “drive-by malware”. This is where the hostile code infects the victims machine without them taking any action to download and run it, rather they just visit a hostile website and that website silently infects their computer.
The malware authors get people to visit the hostile website in quite a few different ways – email spam, blog comment spam, web forum spam, banner ads purchased on legitimate websites and compromised legitimate websites, amongst others.
That last one, compromised legitimate websites, is the type we’re interested in. The sites compromised aren’t usually a single, high-profile website. Rather, they tend to be a whole bunch of websites that are running some vulnerable web application – if there’s a security flaw in, for example, WordPress blog software then a malware author can compromise thousands of little blog sites, and embed malware code in each of them. Anyone visiting any of those sites risks being infected, and becoming part of a botnet.
Because the vulnerable websites are all compromised mechanically in the same way, the URLs of the infected pages tend to look much the same, just with different hostnames – http://example.com/foo/bar/baz.html, http://www.somewhereelse.invalid/foo/bar/baz.html and http://a.net/foo/bar/baz.html – and they serve up just the same malware (or, just as often, redirect the user to a site in russia or china that serves up the malware that infects their machine).
A malware filter operator might receive a report about http://example.com/foo/bar/baz.html and decide that it was infected with malware, adding example.com to a blacklist. A smart filter operator might decide that this might be just one example of a widespread compromise, and go looking for the same malware elsewhere. If it goes to http//a.net/foo/bar/baz.html and finds the exact same content, it’ll know that that’s another instance of the infection, and add a.net to the blacklist.
What does this have to do with clickthrough links?
Well, an obvious way to implement clickthrough links is to use a custom hostname for each customer (“click.customer.com“), and have all those pointing at a single clickthrough webserver. It’s tedious to setup the webserver to respond to each hostname as you add a new customer, though, so you decide to have the webserver ignore the hostname. That’ll work fine – if you have customer1 using a clickthrough link like http://click.customer1.com/123/456/789.html you’d have the webserver ignore “click.customer1.com” and just read the information it needs from “123/456/789.html” and send the redirect.
But that means that if you also have customer2, using the hostname click.customer2.com, then the URL http://click.customer2.com/123/456/789.html it will redirect to customer1’s content.
If a malware filter decides that http://click.customer1.com/123/456/789.html redirects to a phishing site or a malware download – either due to a false report, or due to the customers page actually being infected – then they’ll add click.customer1.com to their blacklist, meaning no http://click.customer1.com/ URLs will work. So far, this isn’t a big problem.
But if they then go and check http://click.customer2.com/123/456/789.html and find the same redirect, they’ll blacklist click.customer2.com, and so on for all the clickthrough hostnames of yours they know about. That’ll cause any click on any URL in any email a lot of your customers send out to go to a “This site may harm your computer!” warning – which will end up a nightmare even if you spot the problem and get the filter operators to remove all those hostnames from the blacklist within a few hours or a day.
Don’t let this happen to you. Make sure your clickthrough webserver pays attention to the hostname as well as the path of the URL.
Use different hostnames for different customers clickthrough links. And if you pick a link from mail sent by Customer A, and change the hostname of that link to the clickthrough hostname of Customer B, then that link should fail with an error rather than displaying Customer A’s content.

Read More

The view from a blacklist operator

We run top-level DNS servers for several blacklists including the CBL, the blacklist of infected machines that the SpamHaus XBL is based on. We don’t run the CBL blacklist itself (so we aren’t the right people to contact about a CBL listing) we just run some of the DNS servers – but that means that we do get to see how many different ways people mess up their spam filter configurations.
This is what a valid CBL query looks like:

Read More

My ISP might get blacklisted

The last of seven in our occasional series on why ESPs need, or don’t need, lots of IP addresses to send mail properly.

Read More