Re: [spfbis] Updated charter - final review
Scott Kitterman <spf2@kitterman.com> Thu, 02 February 2012 11:32 UTC
Return-Path: <spf2@kitterman.com>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DBD921F8A57 for <spfbis@ietfa.amsl.com>; Thu, 2 Feb 2012 03:32:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.477
X-Spam-Level:
X-Spam-Status: No, score=-2.477 tagged_above=-999 required=5 tests=[AWL=0.122, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gqlXbKjbjs2S for <spfbis@ietfa.amsl.com>; Thu, 2 Feb 2012 03:32:53 -0800 (PST)
Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [208.43.65.50]) by ietfa.amsl.com (Postfix) with ESMTP id 6CC8421F8A56 for <spfbis@ietf.org>; Thu, 2 Feb 2012 03:32:53 -0800 (PST)
Received: from mailout03.controlledmail.com (localhost [127.0.0.1]) by mailout03.controlledmail.com (Postfix) with ESMTP id 8094FD0408B; Thu, 2 Feb 2012 05:32:52 -0600 (CST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=2007-00; t=1328182372; bh=v3ypuiT+iIOxmgOJAebWOVSUlbR1/maDvyXgMpijTYA=; h=References:In-Reply-To:MIME-Version:Content-Type: Content-Transfer-Encoding:Subject:From:Date:To:Message-ID; b=VMttew4KXmYuTomGDx5v79Ecqa+uO10k2feBfxpxKAGgzUaH0YYJ6FyC7Jr8gT4Ul GmCBWV6O1jBl7ysm+p6SLC5+V+Z0j020gUQ2LrQzLFLxxCP6XrQUiJX5VG5ueps8Wa j7gLU08SII3vt1EWO2AOah+91rEoSd3EB8oaM3Rg=
Received: from [192.168.111.101] (static-72-81-252-21.bltmmd.fios.verizon.net [72.81.252.21]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id 49067D0400D; Thu, 2 Feb 2012 05:32:52 -0600 (CST)
References: <4F28DBB7.5070101@qualcomm.com> <4F29E395.3020100@mail-abuse.org> <5905d04c-42eb-42f0-b580-1fb654cfe5af@email.android.com> <4F2A11E7.10409@mail-abuse.org>
User-Agent: K-9 Mail for Android
In-Reply-To: <4F2A11E7.10409@mail-abuse.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
From: Scott Kitterman <spf2@kitterman.com>
Date: Thu, 02 Feb 2012 06:33:01 -0500
To: spfbis@ietf.org
Message-ID: <f775e7ec-6c68-4d41-ac5d-9c2b8dd13965@email.android.com>
X-AV-Checked: ClamAV using ClamSMTP
Subject: Re: [spfbis] Updated charter - final review
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spfbis>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Feb 2012 11:32:54 -0000
Douglas Otis <dotis@mail-abuse.org> wrote: >On 2/1/12 5:53 PM, Scott Kitterman wrote: >> Douglas Otis <dotis@mail-abuse.org> wrote: >> > On 1/31/12 10:29 PM, Pete Resnick wrote: >> >> All, >> >> >> >> I have made some updates to the charter based on feedback during >> >> IESG review. If I can sneak it onto the Thursday telechat this >> >> week, I might, but the IESG might be none too pleased for me to >> >> put it on so late, so it may wait two more weeks. We'll see. >> >> >> >> Please review the below and see if there is anything that makes >> >> your head explode. >> > Dear Pete, >> > >> > At any inbound SMTP server, there may be attempts to resolve an >> > extensive list of IPv4 and IPv6 addresses associated with SPF >> > records whether referenced from insecure SMTP Mail From or >> > HELO/EHLO parameters. SMTP services must cope with an extensive >> > amount of unwanted traffic and will therefore have extensive >> > provisioning. SMTP distributed attacks will be extremely difficult >> > for any single SMTP recipient to detect. Nor will victims of an >> > attack be aware of the triggering messages. Victims of this type >> > of attack may not even exchange SMTP traffic. >> > >> > Most sources of unwanted SMTP traffic originate from insecure >> > hosts. Resulting SPF related DNS transactions performed by >> > receiving SMTP servers will obfuscate their source. In addition, >> > Authentication-Results header fields, that may be added to >> > forwarded messages, exclude source IP addresses. Even when victims >> > of targeted attacks are known, proactive protection at either SMTP >> > or DNS services can be thwarted by SPF’s macro capabilities. SPF’s >> > macros makes it impractical to identify records or messages >> > involved in an attack which may also lead to extensive traffic >> > amplification. >> > >> > DDoS vulnerabilities may result from the distributed nature of >> > SMTP messages and receipt of DNS traffic related to SPF validation >> > which may consume all of a victim's available resources. Whether an >> > attack leverages HELO/EHLO subdomains or more significantly an >> > email-address local-part, the overall number of transactions >> > involved can be extensive while demanding little of the sender’s >> > resources. An SPF ‘mx’ or ‘ptr’ mechanism limit corresponds to a >> > ten times greater number of DNS resource record resolutions. SPF >> > deployment would be significantly safer where recipients employ >> > reasonable limits for the permitted number of resulting DNS >> > failures. >> > >> > Determining reasonable DNS error limits for SPF should be part of >> > the WG charter. Potential victims of SPF amplifications will not >> > represent those needing to change the SPF process. >> >> The charter already covers this. If there are operational problems >> with the current design, it's in scope to address them. > >Dear Scott, > >Perhaps express this as requirement to establish a realistic Security >Consideration section. It seems unlikely email providers will notice >their role in what might be devastating DDoS attacks impossible for >victims to mitigate. Depending on email provider's perspectives of >"operational problems" unfortunately overlooks these broader Internet >concerns. Your wording assumes a problem. That's not appropriate. Either these attacks you claim are devastating someone exist and there will be evidence somewhere or they aren't a problem. Redesigning protocols for invisible attacks that no one can find is nonsense. The work of this group needs to be about engineering facts and not flights of fancy. Scott K
- Re: [spfbis] Updated charter - final review Scott Kitterman
- Re: [spfbis] Updated charter - final review Dave CROCKER
- Re: [spfbis] Updated charter - final review Hector Santos
- Re: [spfbis] Updated charter - final review Pete Resnick
- [spfbis] Updated charter - final review Pete Resnick
- Re: [spfbis] Updated charter - final review Murray S. Kucherawy
- Re: [spfbis] Updated charter - final review Commerco WebMaster
- Re: [spfbis] Updated charter - final review Alessandro Vesely
- Re: [spfbis] Updated charter - final review Dave CROCKER
- Re: [spfbis] Updated charter - final review Scott Kitterman
- Re: [spfbis] Updated charter - final review Stuart D Gathman
- Re: [spfbis] Updated charter - final review Douglas Otis
- Re: [spfbis] Updated charter - final review Scott Kitterman
- Re: [spfbis] Updated charter - final review Douglas Otis
- Re: [spfbis] Updated charter - final review Scott Kitterman
- Re: [spfbis] Updated charter - final review Dave CROCKER
- Re: [spfbis] Updated charter - final review Barry Leiba
- Re: [spfbis] Updated charter - final review Andrew Sullivan
- Re: [spfbis] Updated charter - final review John Leslie
- Re: [spfbis] Updated charter - final review Barry Leiba
- Re: [spfbis] Updated charter - final review Hector Santos
- Re: [spfbis] Updated charter - final review Douglas Otis
- Re: [spfbis] Updated charter - final review Hector Santos
- Re: [spfbis] Updated charter - final review Douglas Otis
- Re: [spfbis] Updated charter - final review Dave CROCKER
- Re: [spfbis] Updated charter - final review Murray S. Kucherawy
- Re: [spfbis] Updated charter - final review Dave CROCKER
- Re: [spfbis] Updated charter - final review Douglas Otis
- Re: [spfbis] Updated charter - final review Stuart Gathman
- Re: [spfbis] Updated charter - final review Hector Santos
- Re: [spfbis] Updated charter - final review Andrew Sullivan
- Re: [spfbis] Updated charter - final review SM