Re: Sufficient email authentication requirements for IPv6

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Dear Jason,

On Mar 30, 2013, at 7:57 AM, "Livingood, Jason" <Jason_Livingood@xxxxxxxxxxxxxxxxx> wrote:

On 3/29/13 12:58 PM, "John Levine" <johnl@xxxxxxxxx> wrote:


As a result, it is questionable whether any IPv6 address-based
reputation system can be successful (at least those based on voluntary
principles.)

It can probably work for whitelisting well behaved senders, give or take
the DNS cache busting issues of IPv6 per-message lookups.

Since a bad guy can easily hop to a new IP for every message (offering
interesting new frontiers in listwashing) I agree that it's a losing
battle for blacklisting, other than blocking large ranges of hostile
networks.

Agree. The IP blacklisting that worked well for IPv4 is completely
unsuited for IPv6 (I'd go as far as to say it is a complete failure, no
matter if you look at different size prefixes or not).

Agreed.

The only model that I personally can see working at the moment for IPv6 is
a mix of domain-based reputation and whitelisting. I like domain-based
better since it is managed by sending domains on a distributed basis.

Current domain based strategies such as SPF offer fragile dependence on return path parameters that may incur a large number of transactions to resolve authorizations.  Use of DKIM must also consider the signing domain neither controls actual sources, intended recipients, or message relaying.

Mail acceptance for IPv4 worked inclusively - receivers accept unless IP
reputation or other factors failed. IMHO with IPv6 that model may need to
be turned around to an exclusive one - so receivers will not accept mail
unless certain factors are met (like domain-based authentication or the
IPv6 address is on a whitelist). I'd expect MAAWG will continue to be a
good place for mail ops folks to work through this stuff.

While SPF offered a fix for DSN back-scatter, neither this scheme nor DKIM provide a suitable basis for domain reputation.  Neither authorization nor signed message content provide any direct evidence of abuse accountability.  

Permission for this occurs by leaving the future of email primarily in the hands of those having conflicts of interest.  For example, none of the current domain based schemes offer a means to hold those paid to send bulk email accountable.  Several would even be happy to see IPv6 email require IPv4 providers to relay IPv6 email.

Here is the link that illustrates the serious problem.

And again, I call on the IETF to work on this problem.

Regards,
Douglas Otis






[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]