Re: [ietf-privacy] [Int-area] NAT Reveal / Host Identifiers

Eliot Lear <lear@cisco.com> Mon, 09 June 2014 20:19 UTC

Return-Path: <lear@cisco.com>
X-Original-To: ietf-privacy@ietfa.amsl.com
Delivered-To: ietf-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6127D1A02F2; Mon, 9 Jun 2014 13:19:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.152
X-Spam-Level:
X-Spam-Status: No, score=-10.152 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0S-Gqp-NJkFN; Mon, 9 Jun 2014 13:19:54 -0700 (PDT)
Received: from aer-iport-1.cisco.com (aer-iport-1.cisco.com [173.38.203.51]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ECE721A0300; Mon, 9 Jun 2014 13:19:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1128; q=dns/txt; s=iport; t=1402345194; x=1403554794; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=w0KDg57jFBr0aiYdSrqdOhmn48Joy0jkAYbC+WmdhLo=; b=T24cDLXM3uIx6y1E6xxY/zpmBBgXgJK170pv11iPLmi5Q8TeWg5kbvIO IQNdJVjrpHPLQ13s8zZhhy9V7duyO1W9Tz+gtme7DdfOwkOqIvVK80HUa Um/AF5Pmr9p3L95KNgp5IREbfrSZ0fKrMnuRQ0DJHDLTVBqdiH0BgixGI k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AnIKAJQVllOtJssW/2dsb2JhbABZg1+DRad1AQEBAQEBBQGZEAGBKHWEAwEBAQQjVQEQCxgCAgUWCwICCQMCAQIBRQYBDAEFAgEBF4gnrC6fGReBKoQziD4BAU8HgnWBTAEDmiGTRYM+O4E5
X-IronPort-AV: E=Sophos;i="4.98,1003,1392163200"; d="scan'208";a="80500714"
Received: from aer-iport-nat.cisco.com (HELO aer-core-3.cisco.com) ([173.38.203.22]) by aer-iport-1.cisco.com with ESMTP; 09 Jun 2014 20:19:52 +0000
Received: from ELEAR-M-C3ZS.CISCO.COM ([10.61.201.68]) by aer-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id s59KJpBa028030; Mon, 9 Jun 2014 20:19:51 GMT
Message-ID: <539616E7.6060305@cisco.com>
Date: Mon, 09 Jun 2014 22:19:51 +0200
From: Eliot Lear <lear@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, Ted Lemon <ted.lemon@nominum.com>
References: <E87B771635882B4BA20096B589152EF628724B2C@eusaamb107.ericsson.se> <539016BE.3070008@gmx.net> <53906711.5070406@cs.tcd.ie> <5390CEC9.3000005@isi.edu> <5D2CC7D6-D9E1-49A8-818C-5FB33DC283C0@cisco.com> <5393119F.6050805@cs.tcd.ie> <5395E195.4080007@cisco.com> <C920E9AB-A1F5-4BEB-9573-299D43596367@nominum.com> <539614C9.9050308@gmail.com>
In-Reply-To: <539614C9.9050308@gmail.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf-privacy/8r-87P2nZ_uWRh-an8GcBXAFsM8
Cc: "ietf-privacy@ietf.org" <ietf-privacy@ietf.org>, Internet Area <int-area@ietf.org>
Subject: Re: [ietf-privacy] [Int-area] NAT Reveal / Host Identifiers
X-BeenThere: ietf-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Internet Privacy Discussion List <ietf-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-privacy>, <mailto:ietf-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf-privacy/>
List-Post: <mailto:ietf-privacy@ietf.org>
List-Help: <mailto:ietf-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-privacy>, <mailto:ietf-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jun 2014 20:19:56 -0000

Just to be clear: that was SMTP.  The calculus can be different for
other protocols, depending on their end to end nature.  SMTP is very hop
by hop and it is very difficult to secure an entire path with confidence
due to downgrade attack threats.  https would be a horse of a different
color.

On 6/9/14, 10:10 PM, Brian E Carpenter wrote:
> On 10/06/2014 04:43, Ted Lemon wrote:
>> On Jun 9, 2014, at 12:32 PM, Eliot Lear <lear@cisco.com> wrote:
>>> But does adding a header solve the problem?  Not unless it is signed AND I believe the signature.  And then I had better be willing to spend the processing time to sort out your good customers from your bad customers.  I might do that if you're at a very big mail service provider, in which case I probably get very little spam, anyway.  I probably won't do that if you're Joe's small time ISP, unless there is some scaling feature not yet deployed today.
>> Bingo.
> So, there are some more components of the threat analysis and the solution
> requirements. That's good, but I thought we were discussing whether
> to document the use cases.
>
>    Brian
>
>