Re: Summary of IETF LC for draft-ietf-dane-openpgpkey

In your letter dated Wed, 16 Sep 2015 09:51:31 -0400 you wrote:
>There are other operational differences that call "about as
>expensive" into question.  While arrangements differ from one
>provider to the next and in part because of spam and related
>problems, many SMTP servers are aggressively monitored.
>Rate-limiting is common as is connection filtering based on
>sender address ranges and other protections.  All SMTP
>connections are over TCP, which facilitates the above.   DNS
>queries are, in my experience, typically less aggressively
>monitored and filtered.   The I-D recommends using TCP for
>OPENPGPKEY queries, but my (admittedly poor) memory of DNS
>protocol details suggests that, if one only wanted to determine
>the presence of a record and didn't care about the key, a UDP
>query could be used, making some of the protections that are
>used by SMTP servers even more difficult.

This seems to be a great way to block a lot of progress. 

If you start storing more sensitive data in a server or service, then
obviously you need to upgrade the protection and monitoring.

Claiming that, just because there is no monitoring today due to the lack of
sensitive data, there cannot be a proposal to store something else sounds
very circular to me.

If this line of reasoning were applied to the Internet as a whole, then we would
still have nothing more than an academic research project.

In this context, there is no point in spoofing the source address of a 
UDP DNS query because the attacker would need the reply. So monitoring and
rate limiting should work as well for UDP as for TCP.

>There is also no SMTP equivalent of hiding one's DNS query by
>the use of forwarders or caching servers rather than direct use
>of authoritative ones.

In my experience, spammers seem to have access to botnets. So in many
cases the origin of an SMTP connection is already hidden.

>If UDP is, in fact, possible, then the DNS query is inherently
>less expensive than opening a mail transaction and also exposes
>the attacker to at least slightly lower odds of detection,
>identification, or blocking.

If you have to include a valid source address, how does that lower the odds
of detection, etc?

Yes, UDP is less expensive than TCP. However, that only becomes an issue
if lack of resources on either the client or the server side has an effect on the
attack.

It is safe to assume that a server should start some kind of rate limiting
long before resource exhaustion becomes an issue.

>So "about as expensive" may not be true, especially if
>effectiveness is weighed into the equation.  At a minimum, the
>conditions are different enough that a probe to one cannot be
>equated to a probe to the other.
>
>FWIW, some of the issues above are closely related to the
>reasons I want to see the "experiment" described.  If we can
>anticipate possible issues, asking people to monitor for them
>and report on them seems reasonable... and not doing so seems a
>little irresponsible.

A completely random idea. But maybe worth experimenting with is doing the
same thing over SMTP:

Require a TLS connection, probably to the mail submission port, with a 
DANE record (to get the same sort of security as in this draft) with an
'OPENPGP <mail-address>' command.

The advantage is that the LHS issues are gone. The question is if access to
port 587 is generally open to mail user agents and whether mail servers can
allow anonymous access to that port.
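As an added illustration of the monitoring point argued above (not code from the thread or the draft): the script below builds the OPENPGPKEY owner name the way the draft (later RFC 7929) specifies, then runs a simple per-source detector over constructed DNS query-log lines, flagging a source that walks through many distinct OPENPGPKEY names at one domain. The log format is a hypothetical BIND-style one, and the threshold of 3 is an assumption chosen for the sample.

```python
import hashlib
import re
from collections import defaultdict

def openpgpkey_owner(email: str) -> str:
    """Owner name queried for an OPENPGPKEY record (per the draft / RFC 7929):
    SHA2-256 of the UTF-8 local part, truncated to 28 octets, hex-encoded,
    placed under the _openpgpkey label of the domain."""
    local, domain = email.rsplit("@", 1)
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain.lower()}."

# Hypothetical BIND-style query-log line (constructed, not from the thread):
#   <timestamp> client <ip>#<port>: query: <qname> IN <qtype> <transport>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>[^#]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<proto>\S+)$"
)

def _line(ts, ip, email, proto="UDP"):
    return f"{ts} client {ip}#5301: query: {openpgpkey_owner(email)} IN OPENPGPKEY {proto}"

# Constructed sample: one ordinary lookup, one repeated lookup, and one source
# enumerating several local parts at the same domain. UDP queries are logged
# with a genuine source address just like TCP ones: the querier needs the reply.
QUERY_LOG = [
    _line("2015-09-16T14:00:01", "192.0.2.10", "alice@example.com", "TCP"),
    _line("2015-09-16T14:00:02", "203.0.113.5", "bob@example.com"),
    _line("2015-09-16T14:00:03", "203.0.113.5", "bob@example.com"),
    _line("2015-09-16T14:00:04", "198.51.100.7", "admin@example.com"),
    _line("2015-09-16T14:00:04", "198.51.100.7", "info@example.com"),
    _line("2015-09-16T14:00:05", "198.51.100.7", "sales@example.com"),
    _line("2015-09-16T14:00:05", "198.51.100.7", "support@example.com"),
    "2015-09-16T14:00:06 client 192.0.2.10#5302: query: example.com. IN MX UDP",
]

def flag_probing_sources(lines, threshold=3):
    """Map source IP -> number of distinct OPENPGPKEY owner names it asked for,
    keeping only sources at or above the (assumed) threshold. Keyed on source
    address because a UDP querier cannot spoof it and still receive the answer."""
    distinct = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["qtype"] == "OPENPGPKEY":
            distinct[m["ip"]].add(m["qname"])
    return {ip: len(names) for ip, names in distinct.items() if len(names) >= threshold}

if __name__ == "__main__":
    print(openpgpkey_owner("hugh@example.com"))
    print(flag_probing_sources(QUERY_LOG))  # {'198.51.100.7': 4}
```

The same per-source counter is what a rate limiter would key on, which is why the reply's point about needing a valid source address matters for both transports.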
