Re: [dispatch] Proposal for scantxt; scanning opt-in/out, identification, verification, notification, and reporting

John R Levine <johnl@taugh.com> Sun, 04 December 2022 20:28 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F7E4C14F613 for <dispatch@ietfa.amsl.com>; Sun, 4 Dec 2022 12:28:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com header.b=W47t3yte; dkim=pass (2048-bit key) header.d=taugh.com header.b=CmSRqX2F
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0YTXGaMaI9Tp for <dispatch@ietfa.amsl.com>; Sun, 4 Dec 2022 12:28:25 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AAF76C14F607 for <dispatch@ietf.org>; Sun, 4 Dec 2022 12:28:25 -0800 (PST)
Received: (qmail 21309 invoked from network); 4 Dec 2022 20:28:22 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type; s=533a.638d02e6.k2212; bh=kCiZNO6u5tFJ1QN3HehnmDMcp3GaCTAqZ49zYgSzrKs=; b=W47t3yte798vsE/XJoZANO0phFwghU1pMv7+oLyK1xy7cr4J5cpjZZr4JxU3B7c7C2g2IJ3c5COOkd5w4Xw22jWK2smulAuTTfa8FIdHdY+DirxJvDmAq0wdyHpRvHP3Y8Z8gxx10zO3FknMLpXjHHbBXGOzNv6UaNslmbh2KUp1i0I/f5uFkSdFwQWPd8VQPVs9TgA7VWYwFTy6JgsBaexWuM3hh4hZiVKpDIM1RVfUOucm9img/rC6QqxiG2JhT+hxJU6VVz8ciHqfqXV79qsH45u8KcFvF5s3GIM5WqJ+ImyhhRJEyTcwfEwPybqDOcR879z0WE++w6JxnOXfVQ==
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type; s=533a.638d02e6.k2212; bh=kCiZNO6u5tFJ1QN3HehnmDMcp3GaCTAqZ49zYgSzrKs=; b=CmSRqX2FVfUqBFcaikX2ycgrRBEfyr0b7swss6gQREKJMCV0zjNzCylOGWt0z0M3xAYgfLW4clYnGlc4Rzdkg/+mEjDkUr+IO3WET8qkZHVs9jvleL/EvjMetr0ho41ihqxzwUGhvNOMoPmmdLwB/K2IpI6HnfuAEAKb041EiM8NPMJc5N3tUntc8k2sGkcZ0KAiv9cEISvAJEbMXLi7LRxKzbzkE0sAGt4EY03Gln7uzoekYcT0VDD86oL9iV0bpddl4Y70NO/Molka5o2n5n+qd5+IzBJCM5tVXV54c3kUB2mnkGv2R+9cqgoWo/4gj5haPBrcluRGYQUVadJJpg==
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.3 ECDHE-RSA AES-256-GCM AEAD) via TCP6; 04 Dec 2022 20:28:22 -0000
Received: by ary.qy (Postfix, from userid 501) id A03E6508BB20; Sun, 4 Dec 2022 15:28:21 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by ary.qy (Postfix) with ESMTP id 1FF5F508BB02; Sun, 4 Dec 2022 15:28:21 -0500 (EST)
Date: Sun, 04 Dec 2022 15:28:21 -0500
Message-ID: <1d749900-4737-92a1-8205-2a13581e39c1@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Ollie IETF <ietf@olliejc.uk>
Cc: Dispatch WG <dispatch@ietf.org>
X-X-Sender: johnl@ary.qy
In-Reply-To: <7iqzN8LGbQYpGu51OESQZnHLQMGzpFHGiJgPTLySkLkHa5jw-wAVKyOnWrCoJchviAmNOAfQSZnyoGR3QTZDPFWV2wZQJQgaRaNz5Dd-qJw=@olliejc.uk>
References: <20221204051320.0FF0650855F1@ary.qy> <-Qj162OnP3i43R95dL09E0OpifUzGvXqwTWEE8n14tndS8OQ902nGVvUTizxttYYEdamlyG54XdgeJCyFfntI8UJnVPbPRTvJk3VL_PMgqU=@olliejc.uk> <059faafd-80b2-66c0-7d8d-0087220f92ab@taugh.com> <7iqzN8LGbQYpGu51OESQZnHLQMGzpFHGiJgPTLySkLkHa5jw-wAVKyOnWrCoJchviAmNOAfQSZnyoGR3QTZDPFWV2wZQJQgaRaNz5Dd-qJw=@olliejc.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/i5fTHzQAVQhgGo_8GcFWbkR34Go>
Subject: Re: [dispatch] Proposal for scantxt; scanning opt-in/out, identification, verification, notification, and reporting
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Dec 2022 20:28:30 -0000

> I consider allowing/identifying via IP to be quite dated, prone to spoofing and network attacks (BGP hijacking), and to require effort to maintain and make people aware of the source IPs (and I'd argue IPv6 adoption makes it harder).
> Adding a token of some sort makes the source IP agnostic ...

If you're going to do that, please explain how you plan to add a token to 
SMTP, FTP, Telnet, SSH, SMB, and the RPC that NFS uses, and persuade 
people to update their dusty servers to look for the token.  If you're 
just scanning http and https, we have robots.txt for that.

> That said, I do suggest a standard way to indirectly identify via IP:
> Source IP -> PTR "_scanner.*" (where this also has the "scanner" TXT record) -> A/AAAA of Source IP

Even with a static IP, getting PTR records installed is hard, getting PTR 
records that don't mirror A records is harder, and the amount of rDNS that 
is DNSSEC signed to make it spoof resistant rounds to zero.  This 
continues to be very unrealistic.

R's,
John
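The PTR-based chain quoted above (source IP -> PTR at a `_scanner.*` name -> TXT "scanner" -> A/AAAA back to the source IP) is a forward-confirmed reverse DNS check. The following is an added example written for this archive page, not code from the scantxt proposal or from either poster; it implements that chain against a constructed, in-memory zone so it runs offline. The names `_scanner.example.net`, `_scanner.example.org`, `mail.example.net` and the RFC 5737 / RFC 3849 documentation addresses are assumptions, and `fake_resolve` stands in for a real resolver.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str, str], List[str]]

# Constructed zone data so the example runs offline (hypothetical names and
# documentation addresses; nothing here is taken from the thread).
# Key: (owner name, RR type) -> list of rdata strings.
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    # 1. A well-behaved scanner: PTR -> _scanner label, TXT "scanner", A back to the IP.
    ("10.2.0.192.in-addr.arpa.", "PTR"): ["_scanner.example.net."],
    ("_scanner.example.net.", "TXT"): ["scanner"],
    ("_scanner.example.net.", "A"): ["192.0.2.10"],
    # 2. A party that controls only the reverse zone for 192.0.2.20 points its PTR
    #    at the same name. The forward A record is not theirs, so the chain breaks.
    ("20.2.0.192.in-addr.arpa.", "PTR"): ["_scanner.example.net."],
    # 3. An IPv6 scanner; the nibble-format reverse name is built by the stdlib.
    (ipaddress.ip_address("2001:db8::53").reverse_pointer + ".", "PTR"): ["_scanner.example.org."],
    ("_scanner.example.org.", "TXT"): ["scanner"],
    ("_scanner.example.org.", "AAAA"): ["2001:db8::53"],
    # 4. An ordinary host with matching forward/reverse DNS but no _scanner label.
    ("30.2.0.192.in-addr.arpa.", "PTR"): ["mail.example.net."],
    ("mail.example.net.", "A"): ["192.0.2.30"],
}


def fake_resolve(qname: str, qtype: str) -> List[str]:
    """Offline stand-in for a DNS lookup; [] models NXDOMAIN / NODATA."""
    return FAKE_DNS.get((qname, qtype), [])


def check_scanner(ip_str: str, resolve: Resolver = fake_resolve) -> Tuple[Optional[str], str]:
    """Apply the proposed IP -> PTR "_scanner.*" (+ TXT "scanner") -> A/AAAA chain.

    Returns (scanner_name, reason). scanner_name is None unless every hop
    checks out. The last hop (forward confirmation) is what stops someone who
    controls only the reverse zone from naming themselves a scanner.
    """
    ip = ipaddress.ip_address(ip_str)
    fwd_type = "A" if ip.version == 4 else "AAAA"
    ptr_names = resolve(ip.reverse_pointer + ".", "PTR")
    if not ptr_names:
        return None, "no PTR record"

    reasons = []
    for name in ptr_names:
        if not name.startswith("_scanner."):
            reasons.append(f"{name}: PTR target is not a _scanner label")
            continue
        if "scanner" not in resolve(name, "TXT"):
            reasons.append(f'{name}: no TXT "scanner" record')
            continue
        forward = {ipaddress.ip_address(a) for a in resolve(name, fwd_type)}
        if ip not in forward:
            reasons.append(f"{name}: {fwd_type} records do not include {ip}")
            continue
        return name, "forward-confirmed"
    return None, "; ".join(reasons)


if __name__ == "__main__":
    for src in ("192.0.2.10", "192.0.2.20", "2001:db8::53", "192.0.2.30"):
        print(src, "->", check_scanner(src))
```

To run this against live DNS, replace `fake_resolve` with a function that issues real PTR/TXT/A/AAAA queries. Two caveats follow from the reply above: the result is only as trustworthy as the zones involved, so unless the reverse tree is DNSSEC-signed and your resolver validates it, an on-path attacker can feed the PTR hop a forged answer; and even a fully confirmed chain identifies the IP's operator, it does not attach any token to the SMTP, SSH or NFS session that the server receiving the scan actually sees.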