IETF Logo Mail Archive

Re: [ietf-smtp] Endless debate on IP literals

Keith Moore <moore@network-heretics.com> Fri, 03 January 2020 04:33 UTC

Return-Path: <moore@network-heretics.com>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BDB61200B4 for <ietf-smtp@ietfa.amsl.com>; Thu, 2 Jan 2020 20:33:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=messagingengine.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z9i7WjKBkLAG for <ietf-smtp@ietfa.amsl.com>; Thu, 2 Jan 2020 20:33:37 -0800 (PST)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E316812003E for <ietf-smtp@ietf.org>; Thu, 2 Jan 2020 20:33:36 -0800 (PST)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id D903A2217D; Thu, 2 Jan 2020 23:33:35 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163]) by compute6.internal (MEProxy); Thu, 02 Jan 2020 23:33:35 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=sbEGg5oVei8vHX8E9BouG7xzBXBMM7BhMPS3L7jqV Ok=; b=ygZ43XSoppZF83e8y9MleGSrjv4qTa1dcYC5DAS/p/d9I+9ytu3NLNXj8 wqIjCPT3+LE6VRBTL4WQsbK5KPULnudTri2R9O16FJV/FQhFIe6UUE6llTRgDHKo m0VbmvVvRadFYRJ1alPTc6k8zRuOhABQF6Mz4JZwp1GmOiJosEqYKbwUWHcMlNeX OecfUcLeT6pfE3KqyUftsYAyokunbqocwwTrgvECqzGOpCG2KO+8N0UAZKJBL0h3 VHFNLqZgt+v5xOgNix+6cPsGBBjX4/MwRA9ZX1SL++Qcg7akEnJK6N1dtmwWVJYd feqHrzMNajEnl4rTEERNKQUuVhr/Q==
X-ME-Sender: <xms:H8QOXmmfDSrBHz0y0GseAkTqv2mKErb-CBTL4qocFpM8-jpNjP7DlA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedufedrvdegvddgieelucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepuffvfhfhkffffgggjggtgfesthekredttdefjeenucfhrhhomhepmfgvihht hhcuofhoohhrvgcuoehmohhorhgvsehnvghtfihorhhkqdhhvghrvghtihgtshdrtghomh eqnecukfhppedutdekrddvvddurddukedtrdduheenucfrrghrrghmpehmrghilhhfrhho mhepmhhoohhrvgesnhgvthifohhrkhdqhhgvrhgvthhitghsrdgtohhmnecuvehluhhsth gvrhfuihiivgeptd
X-ME-Proxy: <xmx:H8QOXpxL_qBN56WPF_fv8_fWlfsw6gD5KCQLRz0wQJCHjOuvhDScyA> <xmx:H8QOXnt2lZ3NhDBGILAuDwNjaxgEc1Sobx6LoX6gWYhesNkoFsHq5g> <xmx:H8QOXl-kSXTBosk5b-D73AlA2tLK46Ts_OvWQfBHf_unYzv24gkEmw> <xmx:H8QOXi6aU6SYzwk7lr64uJmUofGj4ac7cQHciZdOe0tuRf_Ng49Log>
Received: from [192.168.1.97] (108-221-180-15.lightspeed.knvltn.sbcglobal.net [108.221.180.15]) by mail.messagingengine.com (Postfix) with ESMTPA id 2F4BE30600A8; Thu, 2 Jan 2020 23:33:35 -0500 (EST)
To: Ned Freed <ned.freed@mrochek.com>
Cc: ietf-smtp@ietf.org
References: <20200101183846.38F7811E2E72@ary.qy> <64f30fa9-ab2a-fe48-f324-426ed48b7091@network-heretics.com> <20200101193816.GP73491@straasha.imrryr.org> <b3f0f5d9-a433-b83a-b032-b726ddd8919a@network-heretics.com> <01RFPO42TK1E000059@mauve.mrochek.com>
From: Keith Moore <moore@network-heretics.com>
Message-ID: <c4864d26-9c54-fa6c-a844-2a6337aa8fa5@network-heretics.com>
Date: Thu, 02 Jan 2020 23:33:33 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <01RFPO42TK1E000059@mauve.mrochek.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/oziQ64An0PTqu2UitWMq3fzpWcI>
Subject: Re: [ietf-smtp] Endless debate on IP literals
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jan 2020 04:33:40 -0000

On 1/2/20 10:30 PM, Ned Freed wrote:
>
>> Are we going to specify port 25 for pre-submission and only use 587 for
>> "real" submission?   (and see another message about IP address
>> authentication)
>
> I didn't think it was possible to do worse than the awful airport term
> "pre-board" - which, as George Carlin noted, means to "get on before 
> you get
> on".
>
> It seems I was wrong.

(I always used to wonder about Dulles airport when they still used the 
"mobile lounges"... did you have to pre-pre-board those?)

>> Not saying I like or dislike the idea - it strikes me that it might be
>> the right answer but something still seems odd about it.
>
> There's absolutely no question that SUBMIT, as presently defined is 
> useless if
> not actively inimical to a lot of IOT usage. But I don't think a 
> precursor
> step to SUBMIT is the answer, no matter what you call it. Rather, it's
> a submission service with a different profile.

Offhand, I think I'm fine with that.

> And I'm afraid everyone is going to have to accept authorization by IP 
> as a
> possibility, which, assertions to the contrary notwithstanding, scales 
> just
> fine to cover tens of thousands of nodes at a minimum.
I never said it didn't scale.   I said it's too easy to defeat.   Or 
maybe the "submission service with a different profile" needs to do some 
serious rate limiting to keep it from being used to inject too many 
messages into the system.
>> TLS is somewhat problematic for various reasons.   For devices not
>> connected to the public Internet, updates are harder, including updates
>> to the list of trusted CAs (since old certs will have expired).   Also
>> for machines that don't do DNS, TLS is still possible to use, but the
>> client needs to know separately what name to use for certificate
>> verification.   (Then again, last time I tried to write a HTTP client
>> for a PIC32- only two years ago- the available TLS library didn't even
>> have certificate verification support, in other words, it was nearly
>> useless for security purposes.)
>
> (I have no experience with the PIC32, but FWIW the situation with the 
> ESP32 is
> better than what you describe.)

I haven't wrestled with one of those yet.   (On the PIC32 project I gave 
up after a month and put everything on an ARM-linux platform, which 
brought with it a completely different set of security issues of course.)

> But this walks around the bigger problem, which is handling
> certificate/key/password rotations and updates at scale. The tools
> I've seen for this so far fail to impress.

My working assumption is that the larger number of IP appliances on 
industrial networks simply don't get updated, in any form, during their 
working lifetimes.    But it's hard to generalize because there are so 
many different industries with different ideas of standard practice.

>> But I think challenge-response based on hashed passwords might be
>> sufficient for purpose.
>
> The idea of using an actual PAKE does have it's attractions, although 
> the best
> hash-only mechansism are probably sufficient. But there's still the 
> password
> management problem.

Yes.

>
>> Yes, but RFCs do influence how-to guides, MTA documentation and
>> configuration settings, and IoT device setting screens.
>
> Exactly. This is why the business about removing support for IP 
> literals from
> "relay SMTP" worries me: It could easily lead to servers being written 
> with the
> capability removed entirely. So if you're going to do this, it needs 
> to be done
> in a separate profile document (or whatever you want to call it).

Agree.

>> > Well, authentication requires credential management, ... so means for
>> > example devices joining Kerberos domains, or manually provisioned with
>> > passwords, ... For which the standards are much more diverse than 
>> SMTP.
>> > If you're concerned about the complexity of configuring SMTP, then you
>> > really don't want to contemplate securing the network.
>
> And flipping it around: You're not going to come up with a competent 
> service
> profile without understanding cloud security mechanisms.

Good point.   Because of course there's a widespread expectation that 
I*oT devices should talk to services in the cloud.  (I hope the "must 
use cloud" idea is a passing fad, it leads to a lot of shortsighted 
decisions.)

Keith

v2.23.0 | Report a Bug | By Email