ietf-asrg
[Top] [All Lists]

Re: [Asrg] Re: RMX Records

2003-03-03 06:52:36
On Mon, Mar 03, 2003 at 11:59:52AM +0000, Justin Mason wrote:

One issue I can see here: if I send mail from my home machine for
mydomain.org, connected using an ISP's dynamic pool of IPs for their
DSL



That's one of the bitter pills. As long as anyone with a 
dynamic IP address is able to send mails with your address, then 
there is no difference between the authorized sender and the abusing
attacker. 

Many of the Spam messages I receive are sent from DSL accounts with
dynamically allocated IP addresses. If *you* are allowed to send
mail from jmason.org, then everybody else who can get the same
IP address a few minutes later would be allowed as well (as long as
we glue permissions to IP addresses and omit the time factor).



users, then I either 

      (a) need to know that ISP's address ranges


No, that's why I used the APL records instead of directly using the
address ranges.

It would look like this:

your ISP, lets assume he has the domain isp.com, would have to 
administer some APL records.

That could be something like

    customdynrange.isp.com     covering all its dynamic address ranges 

or
    state.isp.com              if the ISP can determine which address
                               ranges belong to which state

or 
    city.isp.com               if ranges are limited to a city.



Let's assume you're working somewhere in california with ISP1,
but sometimes you're in New York and working with ISP2.

Then your RMX record could look like this:

jmason.org    IN RMX  (california.isp1.com newyork.isp2.com)

which would still keep the door open for thousands of 
IP addresses, but would block mails from Texas, India, Nepal...





      (b) need to update my RMX records dynamically each time I connect,
      and this needs to match my mail *at the time the recipient checks
      it* (ie potentially breaking the store-and-forward model!)

No, you certainly could do so. Many people use dynamic DNS updates for
their regular home machine anyway. 

Let's assume you have such dynamic update for the machine 
home.jmason.org.

Then your RMX would look like this

jmason.org  IN RMX ( jmason.org )
jmason.org  IN APL ( home.jmason.org )

home.jmason.org IN A  your-dynamic-address

(or maybe the RMX recors should allow host names directly).


Since your dynamic entry home.jmason.org exists for the full time you
have a certain IP address, you will be able to send. Once you drop
the connection, the entry home.jmason.org doesn' exist anymore (or
changes), but since you have lost that certain IP address, this 
is perfectly consistent. And no, it doesn't break the
store-and-forward model, since you can't send e-mail with that
IP address after you've terminated your connection.





      (c) need to set up a static-IP deal with the ISP, or buy a colo
      server ;)

That would be the best. That's what I do. 



      (d) need to use an "allow all" 0/0 mask for mydomain.org.


That's also possible. That's a statement like "I don't want to 
restrict origins for my domain". If you want to do so, that's fine.
But it might be my decision to not accept mails from such a domain
anymore.





How do we solve this?   Is there another solution?


Yup. Use Cryptography and have a PKI Infrastructure.  Use
challenge-response authentication, mail signatures, or something
alike. But that's far more complicated, has severe vulnerabilities,
and requires updates of virtually every MUA.


My proposal is not the final solution of all problems, but it is
 
- feasible
- cheap
- simple
- effective
- doesn't affect MUAs
- backwards compatible
- easy to implement
- easy to administer and debug
- allows smooth transition
- allows flexible policies

Also, my proposal doesn't claim to be an exclusive solution. 
Maybe you could have something like this:

- If the sender is authorized by the RMX record, accept the
  mail the old way. 

- If not, require authentication by password or a mail signature.





regards
Hadmut

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg



<Prev in Thread] Current Thread [Next in Thread>