IETF Logo Mail Archive

Re: [spfbis] Updated charter - final review

Hector Santos <hsantos@isdg.net> Thu, 02 February 2012 17:55 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75A4621F860B for <spfbis@ietfa.amsl.com>; Thu, 2 Feb 2012 09:55:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.672
X-Spam-Level:
X-Spam-Status: No, score=-1.672 tagged_above=-999 required=5 tests=[AWL=0.005, BAYES_00=-2.599, HELO_MISMATCH_NET=0.611, HOST_MISMATCH_COM=0.311]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XjJK5WwMvSbM for <spfbis@ietfa.amsl.com>; Thu, 2 Feb 2012 09:55:33 -0800 (PST)
Received: from ftp.catinthebox.net (ntbbs.santronics.com [208.247.131.9]) by ietfa.amsl.com (Postfix) with ESMTP id 526DB21F8601 for <spfbis@ietf.org>; Thu, 2 Feb 2012 09:55:33 -0800 (PST)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=4111; t=1328205324; h=Received:Received: Received:Received:Message-ID:Date:From:Organization:To:Subject: List-ID; bh=pMk8mGaggNzIMrZfG5+lHUvTcto=; b=k08ekBXpvIVjnwGt2IH3 M7pPXYo+Ke1416JWkqCyWXr+c3OQMtrFmLFzjA79WoMyiaU54OcI+d47T2xoLn7b +OeqEZRuMPCf+fp0F2lyZBIo8r84O3Z6RLGvKRjfPN/knBWQDv15ANDqP+WdSgZa q3dV9PTVXSsqEeiGh4hfEs8=
Received: by winserver.com (Wildcat! SMTP Router v6.4.454.1) for spfbis@ietf.org; Thu, 02 Feb 2012 12:55:24 -0500
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; adsp=pass policy=all author.d=isdg.net asl.d=beta.winserver.com;
Received: from beta.winserver.com ([208.247.131.23]) by winserver.com (Wildcat! SMTP v6.4.454.1) with ESMTP id 1407187833.63904.788; Thu, 02 Feb 2012 12:55:22 -0500
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=4111; t=1328205115; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=2rLQBda /XisOe/5mp9WbWUJq2gVuBNnWNL3DvMLQl0U=; b=puPHO2/ZPYykH8ky8eZm9sG IKNf3HIpuQQOyvxQnhK5osn1qrICqpbx3Krh9JWL1bhghTM2SZXlAd9Wck08MDIH IGbVW3It9v2ZCgZnC3IovTUaQSuZAs60PDcPFxWJat6yiV/Gtg7hnpPfZ2Swhlv+ W7ZIXA4TSnrjrc8dGG9w=
Received: by beta.winserver.com (Wildcat! SMTP Router v6.4.454.1) for spfbis@ietf.org; Thu, 02 Feb 2012 12:51:55 -0500
Received: from [192.168.1.101] ([99.3.147.93]) by beta.winserver.com (Wildcat! SMTP v6.4.454.1) with ESMTP id 2006137408.11467.5284; Thu, 02 Feb 2012 12:51:54 -0500
Message-ID: <4F2ACE11.30202@isdg.net>
Date: Thu, 02 Feb 2012 12:55:29 -0500
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
To: spfbis@ietf.org
References: <4F28DBB7.5070101@qualcomm.com> <4F29E395.3020100@mail-abuse.org> <5905d04c-42eb-42f0-b580-1fb654cfe5af@email.android.com> <4F2A11E7.10409@mail-abuse.org>
In-Reply-To: <4F2A11E7.10409@mail-abuse.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Subject: Re: [spfbis] Updated charter - final review
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spfbis>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Feb 2012 17:55:34 -0000

The problem is that from your POV there is only one solution - STOP 
USING SPF.  In short, the ultimate conclusion when your security 
concerns is seriously considered, is to stop using SPF.  That's not a 
solution - a non-starter.

You keep talking about IPV6 and I don't know about others, thats still 
really very far for MOST people. I have yet to encounter one person 
that is only talking IPV6 and we can't deal with him. I can't even 
recall one company even inquiring about IPV6 support for any our 
internet servers.

==
HLS

Douglas Otis wrote:
> On 2/1/12 5:53 PM, Scott Kitterman wrote:
>>  Douglas Otis <dotis@mail-abuse.org> wrote:
>> > On 1/31/12 10:29 PM, Pete Resnick wrote:
>> >> All,
>> >>
>> >> I have made some updates to the charter based on feedback during
>> >> IESG review. If I can sneak it onto the Thursday telechat this
>> >> week, I might, but the IESG might be none too pleased for me to
>> >> put it on so late, so it may wait two more weeks. We'll see.
>> >>
>> >> Please review the below and see if there is anything that makes
>> >> your head explode.
>> > Dear Pete,
>> >
>> > At any inbound SMTP server, there may be attempts to resolve an
>> > extensive list of IPv4 and IPv6 addresses associated with SPF
>> > records whether referenced from insecure SMTP Mail From or
>> > HELO/EHLO parameters. SMTP services must cope with an extensive
>> > amount of unwanted traffic and will therefore have extensive
>> > provisioning. SMTP distributed attacks will be extremely difficult
>> > for any single SMTP recipient to detect. Nor will victims of an
>> > attack be aware of the triggering messages. Victims of this type
>> > of attack may not even exchange SMTP traffic.
>> >
>> > Most sources of unwanted SMTP traffic originate from insecure
>> > hosts. Resulting SPF related DNS transactions performed by
>> > receiving SMTP servers will obfuscate their source. In addition,
>> > Authentication-Results header fields, that may be added to
>> > forwarded messages, exclude source IP addresses. Even when victims
>> > of targeted attacks are known, proactive protection at either SMTP
>> > or DNS services can be thwarted by SPF’s macro capabilities. SPF’s
>> > macros makes it impractical to identify records or messages
>> > involved in an attack which may also lead to extensive traffic
>> > amplification.
>> >
>> > DDoS vulnerabilities may result from the distributed nature of
>> > SMTP messages and receipt of DNS traffic related to SPF validation
>> > which may consume all of a victim's available resources. Whether an
>> > attack leverages HELO/EHLO subdomains or more significantly an
>> > email-address local-part, the overall number of transactions
>> > involved can be extensive while demanding little of the sender’s
>> > resources. An SPF ‘mx’ or ‘ptr’ mechanism limit corresponds to a
>> > ten times greater number of DNS resource record resolutions. SPF
>> > deployment would be significantly safer where recipients employ
>> > reasonable limits for the permitted number of resulting DNS
>> > failures.
>> >
>> > Determining reasonable DNS error limits for SPF should be part of
>> > the WG charter. Potential victims of SPF amplifications will not
>> > represent those needing to change the SPF process.
>>
>>  The charter already covers this. If there are operational problems
>>  with the current design, it's in scope to address them.
> 
> Dear Scott,
> 
> Perhaps express this as requirement to establish a realistic Security 
> Consideration section.  It seems unlikely email providers will notice 
> their role in what might be devastating DDoS attacks impossible for 
> victims to mitigate.  Depending on email provider's perspectives of 
> "operational problems" unfortunately overlooks these broader Internet 
> concerns.
> 
> Regards,
> Douglas Otis
> _______________________________________________
> spfbis mailing list
> spfbis@ietf.org
> https://www.ietf.org/mailman/listinfo/spfbis

-- 
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com

v2.23.0 | Report a Bug | By Email