Accountable Use Registry was: How I deal with (false positive) IP-address blacklists...

Douglas Otis <dotis@mail-abuse.org> Fri, 12 December 2008 00:36 UTC

From: Douglas Otis <dotis@mail-abuse.org>
To: John C Klensin <john-ietf@jck.com>
Date: Thu, 11 Dec 2008 16:36:43 -0800
Cc: ned+ietf@mauve.mrochek.com, Keith Moore <moore@network-heretics.com>, ietf@ietf.org

On Dec 11, 2008, at 1:51 PM, John C Klensin wrote:
>
> As soon as one starts talking about a registry of "legitimate"  
> sources, one opens up the question of how "legitimate" is  
> determined.  I can think of a whole range of possibilities -- you,  
> the ITU Secretary-General, anyone who claims to have the FUSSP,  
> governments (for their own countries by licensing or more  
> generally), ICANN or something ICANN-like, "large email providers",  
> and so on.  Those options have two things in common. Most (but not  
> all) of them would actually be dumb enough to take the job on and  
> they are all unacceptable if we want to continue to have a  
> distributed-administration email environment in which smaller  
> servers are permitted to play and people get to send mail without  
> higher-level authorization and certification.

Perhaps I should not have used the word legitimate.  The concept of  
registry should engender a concept of accountability.

Once one considers IPv6, just the network portion covers 2^32 times as  
many IP addresses as are present in IPv4.  In this quantity, IPv6  
addresses do not offer a scalable means upon which a server is able to  
impose a defense against abuse.  The server will handle addresses in  
rather large groups as the only method left available.  The  
consolidation of addresses into large groups will be the enemy of an  
egalitarian effort wanting to ensure access to all players.

Counter to this, much of the email abuse has been squelched by  
third-parties who allow network providers a means to indicate the  
traffic for which they are accountable.  This is done in part by the  
assignment of address ranges as belonging to dynamically assigned  
users.  It does seem as though a more formalized method through a  
registry supported by provider fees would prove extremely beneficial  
at reducing the scale of the IP address range problem raised by IPv6.  
By formalizing a registration of accountable use, along with some type  
of reporting structure or clearinghouse, IPv6 would have a better  
chance of gaining acceptance.  It would also empower providers to say  
what potentially abused uses they wish to support.

> While I freely admit that I have not had hands-on involvement in  
> managing very large email systems in a large number of years now, I  
> mostly agree with Ned that some serious standards and documentation  
> of clues would be useful in this general area.  But I see those as  
> useful if they are voluntary standards, not licensing or external  
> determination of what is legitimate.  And they must be the result of  
> real consensus processes in which anyone interested, materially  
> concerned, and with skin in the game gets to participate in  
> development and review/evaluation, not specifications developed by  
> groups driven by any single variety of industry interests and then  
> presented to the IETF (or some other body) on the grounds that they  
> must be accepted because anyone who was not part of the development  
> group is obviously an incompetent idiot who doesn't have an opinion  
> worth listening to.

Agreed.

> That has been my main problem with this discussion, and its  
> variants, all along.  While I've got my own share of anecdotes, I  
> don't see them as directly useful other than as refutations of  
> hyperbolic claims about things that "never" or "always" happen. But,  
> when the IETF effectively says to a group "ok, that is a research  
> problem, go off and do the research and then come back and organize  
> a WG", it ought to be safe for someone who is interested in the  
> problem and affected by it --but whose primary work or interests lie  
> elsewhere-- to more or less trust the RG to produce a report and  
> then to re-engage when that WG charter proposal actually appears.   
> Here, the RG produced standards-track proposals, contrary to that  
> agreement, and then several of its participants took the position  
> that those proposals already represented consensus among everyone  
> who counted or was likely to count.  Independent of the actual  
> content of the proposal(s), that is not how I think we do things  
> around here... nor is laying the groundwork for an official  
> determination of who is "legitimate" and who is not.


A registry of accountable use in conjunction with some type of  
reporting structure seems a necessity if one hopes to ensure a player  
can obtain the access that they expect.  In other words, not all  
things will be possible from just any IP address.  Providers should  
first assure the Internet what they are willing to monitor for abuse,  
where trust can be established upon this promise.  Not all providers  
will be making the same promise of stewardship.  Those providers that  
provide the necessary stewardship for the desired use should find both  
greater acceptance and demand.  Such demand may help avoid an  
inevitable race to the bottom.

-Doug
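
Added example, not part of the original message: a small receiver-side abuse counter showing why per-address state stops working for IPv6 and what grouping by prefix costs. The /64 grouping, the threshold of 3, and the sample addresses (from the 2001:db8::/32 documentation range) are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

V6_GROUP = 64  # assumed grouping: the 64-bit network portion of an IPv6 address


def group_key(addr, v6_prefix=V6_GROUP):
    """Map a source address to the unit the receiver keeps state for."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 or v6_prefix is None:
        return str(ip)  # track the single address
    # strict=False masks the host bits, leaving the covering prefix
    return str(ipaddress.ip_network(f"{ip}/{v6_prefix}", strict=False))


def flagged(abuse_sources, threshold, v6_prefix=V6_GROUP):
    """Return {key: count} for every tracked unit at or over the threshold."""
    counts = Counter(group_key(a, v6_prefix) for a in abuse_sources)
    return {k: n for k, n in counts.items() if n >= threshold}


def is_covered(addr, flagged_keys, v6_prefix=V6_GROUP):
    """True if mail from addr would fall under an already flagged unit."""
    return group_key(addr, v6_prefix) in flagged_keys


# Constructed sample: one sender using a fresh address inside the same /64
# for each abusive message, plus a single report from a different /64.
ROTATING = [f"2001:db8:0:1::{i:x}" for i in range(1, 6)]
SAMPLE = ROTATING + ["2001:db8:0:2::1"]

# Per-address state: every address is seen once, nothing reaches the threshold.
PER_ADDRESS = flagged(SAMPLE, threshold=3, v6_prefix=None)
# Per-/64 state: the five reports collapse into one entry.
PER_PREFIX = flagged(SAMPLE, threshold=3)

if __name__ == "__main__":
    print("per address:", PER_ADDRESS)
    print("per /64:    ", PER_PREFIX)
    # A host that never sent abuse but shares the /64 is covered as well.
    print("neighbour covered:", is_covered("2001:db8:0:1::beef", PER_PREFIX))
```

The last line is the trade-off the message describes: once the receiver can only act on groups, every other user of the flagged prefix is treated the same way.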