What to improve? BCP-38/SAC-004 anyone?
"Patrik Fältström" <paf@frobbit.se> Thu, 31 December 2015 05:16 UTC

Jari,

Thank you for the blog post, and of course as co-chair of the ICG working on the IANA Transition I fully support and want to emphasize your last bullet, that we need to finalize the IANA transition, finally.

But, I want to mention one detail you might have hidden in one of your other bullets, although not explicitly, and that is one we in the Security and Stability Advisory Committee of ICANN, where I am chair, have been struggling with for years, and that is source address validation (for IP addresses that is).

In the IETF there is the well known BCP-38 that for various reasons is questioned, although "implement BCP-38" is a statement used for "do whatever is needed". In SSAC we already in 2004 created SAC-004 <https://www.icann.org/en/system/files/files/sac-004-en.pdf> about "Securing the Edge". The main author of SAC-004, Paul Vixie, and others have after that written numerous other documents on the same topic.

Baseline is, we must do something about it. For some definition of "we" and some definition of "something".

This is of course related to what Fred Baker brought up, that we do have some tools, but they are not deployed. And if they are deployed, they are not deployed to the degree and quality needed to give the intended effect.

We do have internationalized email addresses, we do have DNSSEC, we do have IPv6, we do have...but how much of this is deployed?

I am sorry to say I see even here on this list many people not using technologies they argue about. If I take things I have some clue about, I think, DNS, and check the domain names used for the conversation, neither DNSSEC, nor IPv6, nor any other DNS-related technology invented by the IETF after RFC1035 is in use. By the very same engineers discussing how to move standards forward. Is that a sign, or at least an indication?

Back to the source address validation issues. That the edge can source IP packets with fake source IP addresses is a problem. It is, I claim, by far the largest problem we have today.

Is this connected to the fact that not even people developing standards use the very same standards? Has the IETF ended up being too academic and lost connection to what is actually deployed?

Sure, this gap between what is developed in the IETF and what is deployed has always existed. Existed when I started to be wg chair, continued when I was an AD, continued even more when I was on IAB, and later ISOC BoT, and now SSAC Chair. And some of the RFCs I have written have been excellent examples of standards never taking off(!).

So yes, I blame myself for not having answers to my own questions. If I had, I would have pushed for the answers.

I have at least myself working(?) PGP, DNSSEC, IPv6, NAPTR and many other things. I.e. I am, I claim, eating my own dog food. But, is the taste of our own food so bad we do not eat it ourselves? If so, how can we make others eat it?

At least some flavor of BCP-38? Because that is really really the largest issue we have today.

With this, all the best for a successful 2016!

Patrik Fältström