IETF Logo Mail Archive

Re: IP-based reputation services vs. DNSBL (long)

TS Glassey <tglassey@earthlink.net> Tue, 11 November 2008 17:55 UTC

Return-Path: <ietf-bounces@ietf.org>
X-Original-To: ietf-archive@megatron.ietf.org
Delivered-To: ietfarch-ietf-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EFB4D3A6813; Tue, 11 Nov 2008 09:55:12 -0800 (PST)
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4B6193A67FB for <ietf@core3.amsl.com>; Tue, 11 Nov 2008 09:55:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8blvOLX+VYgQ for <ietf@core3.amsl.com>; Tue, 11 Nov 2008 09:55:11 -0800 (PST)
Received: from elasmtp-junco.atl.sa.earthlink.net (elasmtp-junco.atl.sa.earthlink.net [209.86.89.63]) by core3.amsl.com (Postfix) with ESMTP id 187A83A635F for <ietf@ietf.org>; Tue, 11 Nov 2008 09:55:11 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=earthlink.net; b=AF5MZU5RCCFCI8G+wwH4pfrZ3W4evaFoGjgWc1Li6fRelcvVftV+xECq/wS0Pvjs; h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding:X-ELNK-Trace:X-Originating-IP;
Received: from [64.125.79.23] (helo=[192.168.0.32]) by elasmtp-junco.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from <tglassey@earthlink.net>) id 1KzxSH-0005D2-5q; Tue, 11 Nov 2008 12:55:09 -0500
Message-ID: <4919C6FA.909@earthlink.net>
Date: Tue, 11 Nov 2008 09:55:06 -0800
From: TS Glassey <tglassey@earthlink.net>
User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)
MIME-Version: 1.0
To: Keith Moore <moore@network-heretics.com>
Subject: Re: IP-based reputation services vs. DNSBL (long)
References: <49172BCE.2000705@network-heretics.com> <alpine.LSU.2.00.0811111711310.14367@hermes-1.csi.cam.ac.uk> <4919C264.4000209@network-heretics.com>
In-Reply-To: <4919C264.4000209@network-heretics.com>
X-ELNK-Trace: 01b7a7e171bdf5911aa676d7e74259b7b3291a7d08dfec795f0e8f3dca9ed41c144178eb6a466a51350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 64.125.79.23
Cc: IETF <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org


Keith Moore wrote:
> Tony Finch wrote:
>   
>> On Sun, 9 Nov 2008, Keith Moore wrote:
>>     
>>> It is worth repeating that just because the notion of a reputation
>>> service has value, and such services are widely used, does not imply
>>> that using IP addresses as identifiers or the DNS protocol as a means of
>>> transmitting reputation are technically sound.  There is reason to doubt
>>> both of these assumptions, and there is no evidence that these design
>>> questions have been given due consideration and resolved - as our
>>> process would normally require.
>>>       
>> Could you give us a reference to an explanation of why the DNS might not
>> be a sound choice of protocol for reputation services?
>>     
>
> My concerns are along the following lines:
>
> 1. suitability of the DNS data and query model.  right now this protocol
> essentially communicates one bit of information to be used in a decision
> - i.e. whether the address or domain name is good or bad.  I suspect
> that more information is needed to really make a good reputation
> service.  I have doubts about whether DNS lends itself to including that
> much information.  (It also bugs me that multiple queries are required
> to  get the information necessary to perform a bounce/relay decision and
> to bounce a message... granted that this is a flaw in the DNS protocol
> design but using DNS for unintended purposes exacerbates the problem)
>   
I agree - these Identity Protocols need to be stronger meaning that 
UDP/IP transports are by their very capability, not the right animal IMHO.
> 2. this is a very different use case than DNS was intended to address,
> and implicit and explicit assumptions in the DNS design might not hold
> for this case.  e.g. assumptions about how long information remains
> valid and how widely it should be replicated.
>   
Agreed. And again - the design of UDP based DNS is unacceptable for this.
> 3. security.  it might be that mechanisms already defined or used with
> DNS (DNSSEC, source port randomization) are adequate, but I'd like to
> see more analysis done.
>   
For moving DNS resolutions possibly but NO credible security expert has 
been willing to sign off on the trust-model that DNSSEC uses...
> 4. effects of DNS caching.  if a host is removed from a blacklist it
> should arguably be removed from all caches instantly, but DNS isn't
> designed to facilitate that.  

The use of the term "SHOULD" here has legal implications - since many of 
these hosts were put into the BL's by Address Spoofing they were in fact 
NOT where the offensive SPAM was coming from and so placing those hosts 
there when the real issue is the refusal of the EMAIL Admin to do proper 
Header Filtration and Validation creates a direct liability.

I assure you RBL.ORG doesnt have enough money to pay a lawyer for a 
damage claim against it for its actions in 'putting in place a method 
and process specifically to prevent the addresses misrepresented in 
fraudulent headers, to the RBL.

> again, blacklisting someone else's IP
> address is a different use case from managing the addresses associated
> with your own hosts.  

YEP!
> If you manage your own hosts' DNS RRs then you can
>  tailor your operations to accommodate changes in DNS records, and you
> can (at least in theory) adjust your TTLs in advance of any changes to
> minimize the potential for disruption when you do need to change things.
>
> 5. slippery slope.  DNS is a vital service, and one that is very
> difficult to replace.  It needs to remain focused on a narrow goal.  The
> more we overload DNS, the more we threaten to add complexity that will
> make it more fragile.
> _______________________________________________
> Ietf mailing list
> Ietf@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf
> ------------------------------------------------------------------------
>
>
> No virus found in this incoming message.
> Checked by AVG - http://www.avg.com 
> Version: 8.0.175 / Virus Database: 270.9.0/1779 - Release Date: 11/10/2008 7:53 AM
>
>   
_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf

v2.46.0 | Report a Bug | By Email | System Status