Re: NATs as firewalls, cryptography, and curbing DDoS threats.
On Mar 7, 2007, at 9:01 AM, John C Klensin wrote:
> It is true that I tend to be pessimistic about changes to deployed
> applications that can't be "sold" in terms of clear value. I'm
> also negative about changing the architecture to accommodate short-
> term problems. As examples of the latter, I've been resistant to
> changing (distinguished from adding more features and capability
> to) the fundamentals of how email has worked for 30+ years in order
> to gain short-term advantages against spammers.
There will be growing concerns related to abuse when ISPs deploy IPv6
internally and then use IPv4 gateways to gain "full" access to the
Internet. Any changes related to controlling abuse should be aimed
at identifying entities controlling transmission. Resolving the
address using a domain name at least identifies the administrative
entity of the client. For example, multimedia streaming has been
fraught with security exploits.
As traffic merges into common channels, there will be a desire to
minimize cryptographic identifier abuse, in particular for things
like DKIM. While there exists an experimental method for a domain to
"authorize" a client, this technique represents a significant
hazard. This hazard is created by the iterative construction of
address lists and the macro expansion of local-part components of an
email address. The inherent capability of this method permits a
sizable attack to be staged without expending additional resources of
the attacker. In addition, this experimental scheme fails to
identify the point of transmission staging the attack.
Those offering outbound services desire that acceptance be based upon
their customer's reputation rather than upon that of their
stewardship. With the experimental scheme, the administrative entity
for the client is not relevant, although essential when guarding
against abuse. There are several orders of magnitude more customers
than outbound service providers. Guarding against abuse must depend
upon a means to consolidate the entities being assessed.
There are millions of new domains generated every day at no cost to
the bad actors. When IPv6 becomes more common, the IP address may
even exceed a scalable defense. The long-standing practice
allowing clients to remain nameless will need to change. For SMTP,
the EHLO should resolve. Any authorization scheme should then be
based upon a name lookup and not upon a list of IP addresses for
thousands of transmitters.
-Doug
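As an added illustration of the two points in the message above (not code from Doug, from the thread, or from any IETF specification), the following Python is a toy model of a client-authorization record whose "include:" and "exists:" terms carry macros in the style of RFC 4408 (%{l} for the local part, %{i} for the client address), next to the name-based EHLO check the message proposes instead. The domain names, the zone contents and the sender addresses are constructed for the example, and the evaluator counts every query it issues rather than implementing the real mechanism-counting rules; it is not an SPF implementation.

```python
import re

# Real-world SPF evaluators cap lookup-performing mechanisms at 10 per
# check (RFC 4408, sec. 10.1); this simplified model counts every query.
MAX_LOOKUPS = 10

# Constructed DNS data for the example: (name, rrtype) -> rdata list.
# A missing key plays the role of NXDOMAIN.  Names are illustrative.
ZONE = {
    ("attacker.example", "TXT"): [
        "v=spf1 include:a.attacker.example include:b.attacker.example -all"],
    ("a.attacker.example", "TXT"): [
        "v=spf1 exists:%{l}.a.victim.example exists:%{i}.a.victim.example -all"],
    ("b.attacker.example", "TXT"): [
        "v=spf1 exists:%{l}.b.victim.example exists:%{i}.b.victim.example -all"],
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],
    ("mail.good.example", "A"): ["192.0.2.25"],
}


def expand_macros(term, sender, client_ip):
    """Expand the subset of macros used here: %{l} local part,
    %{d} sender domain, %{i} client IP, %{s} full sender address."""
    local, domain = sender.split("@", 1)
    table = {"l": local, "d": domain, "i": client_ip, "s": sender}
    return re.sub(r"%\{([ldis])\}", lambda m: table[m.group(1)], term)


def evaluate(domain, sender, client_ip, zone, log):
    """Walk include:/exists:/-all terms for `domain`, appending every DNS
    query to `log`.  Returns 'pass', 'fail', 'neutral' or 'permerror'
    (query cap exceeded).  All of this work is done by the receiver; the
    publisher of the record does nothing per message."""
    log.append((domain, "TXT"))
    for record in zone.get((domain, "TXT"), []):
        for term in record.split()[1:]:
            if term.startswith("include:"):
                target = expand_macros(term[len("include:"):], sender, client_ip)
                if len(log) >= MAX_LOOKUPS:
                    return "permerror"
                result = evaluate(target, sender, client_ip, zone, log)
                if result in ("pass", "permerror"):
                    return result
            elif term.startswith("exists:"):
                name = expand_macros(term[len("exists:"):], sender, client_ip)
                if len(log) >= MAX_LOOKUPS:
                    return "permerror"
                log.append((name, "A"))
                if zone.get((name, "A")):
                    return "pass"
            elif term == "-all":
                return "fail"
    return "neutral"


def simulate(n_messages, zone=ZONE):
    """Check n messages that differ only in local part against the
    attacker.example record.  Returns (queries aimed at victim.example,
    distinct names among them): the %{l} names never repeat, so the
    receiver's cache cannot absorb them and each message lands fresh
    queries on the victim's name servers."""
    hits = []
    for k in range(n_messages):
        log = []
        evaluate("attacker.example", f"user{k}@attacker.example",
                 "203.0.113.7", zone, log)
        hits.extend(q for q in log if q[0].endswith("victim.example"))
    return len(hits), len(set(hits))


def ehlo_forward_confirmed(ehlo_name, client_ip, zone=ZONE):
    """The name-based alternative: the EHLO name must resolve, and one of
    its addresses must be the connecting client.  One query, and the
    entity answering for that name is the one held accountable."""
    return client_ip in zone.get((ehlo_name, "A"), [])


if __name__ == "__main__":
    print("victim queries for 25 messages (total, distinct):", simulate(25))
    log = []
    print("self-including record:",
          evaluate("loop.example", "a@x.example", "203.0.113.7", ZONE, log),
          "after", len(log), "queries")
    print("EHLO check:", ehlo_forward_confirmed("mail.good.example", "192.0.2.25"))
```

Running it shows 25 messages producing 100 queries at victim.example, 52 of them for names never seen before, all issued by the receiving MTA; the self-including record stops at the cap with "permerror", which is why the cap exists but also why a chain can be tuned to sit just under it. The EHLO check, by contrast, costs one lookup and ties the transmitter to a name whose administrative owner can be assessed.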
_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
Note Well: Messages sent to this mailing list are the opinions
of the senders and do not imply endorsement by the IETF.