On Sep 17, 2007, at 1:00 PM, Meng Weng Wong wrote:
> On Sep 17, 2007, at 12:40 PM, Matthias Leisi wrote:
>> Google was not helpful on this subject, so you may be able to help
>> to reveal the status of DNSxL notation for IPv6.
>> What would make sense, and what not? What has already been tried?
>
> We need better protocols. DNS was never designed for this.

DNS was not designed to handle SPF either. SPF is a potential vector
for dangerous reflected amplification attacks. It is not safe to
attempt to return _all_ IP addresses for _all_ systems which may
process a message for a domain. This list must be large and will
entail many repeated transactions. SPF chains these transactions
through the use of text macros. These macros can result in an
unexpected attack that is not discerned by examination of messages or
logs.

> I believe a number of next-generation protocols have been
> developed, or are being developed.

Eventually, something other than an IP address is needed for
validation. IPv6 represents 72 quadrillion (10^15) networks
containing 18,400 quadrillion identifiers. In addition, there will
be shared gateways transitioning between IPv4 and IPv6 versions. Bad
actors can overwhelm any attempt to track reputations validated by
an IP address. In addition, there are hundreds of millions of 0wned
systems which have access to providers' outbound servers. This is a
problem that might scale when pushed to the edge.

> At my company we use a very simple protocol; it runs on UDP with
> retry and failover to TCP, just like DNS. The serialization codec
> is based on BitTorrent so it already has library support in many
> languages.

For many, spam levels exceed 99% of the overall email traffic. To
cope, connection status must be concluded within a few transactions.
Bifurcation of message and notification offers advantages in that
Delivery Status Notifications can be avoided when post-processing a
message that is not desired, and it removes the need for source
validation. SPF was aimed at avoiding back scatter when processing
is pipelined. This approach reduces email integrity, and imposes a
dangerous level of up-front transactions. Transfer-by-reference
avoids most of these problems. For this to work, domain tasting MUST
END! There MUST be a reasonable cost associated with the control of
a domain.

> We'd be happy to opensource it and publish it as a standard for
> others to use.

SCTP offers a better solution for specialized reputation services,
even when tunnelled on UDP. SCTP requires less connection set-up
than TCP, avoids resource exhaustion attacks, source spoofing, and
can handle thousands of simultaneous framed transactions per
connection. SCTP also uses an error detection scheme suitable for
GigE when this becomes available. : )

-Doug
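The chained SPF transactions Doug describes above, shown as an added example that is not code from this thread: it walks a constructed set of SPF records, charges one DNS lookup per include:, a, mx, ptr, exists and redirect= term, and applies the evaluator-side cap of 10 lookup-causing terms that RFC 7208 (section 4.6.4) requires, returning "permerror" once a policy exceeds it. The domains and records are constructed for illustration, not real.

```python
# Added example, not code from the ASRG thread: count the DNS transactions an SPF
# evaluation needs (the cost Doug's message describes) and apply the evaluator-side
# limit RFC 7208 section 4.6.4 imposes: 10 lookup-causing terms, then "permerror".
MAX_DNS_LOOKUPS = 10
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")

# Constructed TXT records (no real domains): example.com fans out through
# third-party senders, lean.example publishes only its own hosts.
CONSTRUCTED_ZONE = {
    "example.com": "v=spf1 mx include:_spf.mail-a.example include:_spf.mail-b.example -all",
    "_spf.mail-a.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail-c.example ~all",
    "_spf.mail-b.example": "v=spf1 a a:relay.mail-b.example ptr:mail-b.example -all",
    "_spf.mail-c.example": "v=spf1 exists:%{i}._spf.mail-c.example redirect=_spf.mail-d.example",
    "_spf.mail-d.example": "v=spf1 mx mx:mx2.mail-d.example -all",
    "lean.example": "v=spf1 a ip4:198.51.100.0/24 mx -all",
}

class _LookupLimitExceeded(Exception):
    pass

def _walk(domain, zone, state):
    """Descend the policy at `domain`, charging one lookup per DNS-querying term."""
    def charge():
        state["lookups"] += 1
        if state["lookups"] > MAX_DNS_LOOKUPS:
            raise _LookupLimitExceeded
    record = zone.get(domain)
    if record is None:  # lookup already spent; nothing further to descend into
        return
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        term = term.lstrip("+-~?")   # drop the qualifier
        if term.startswith("redirect="):
            charge()  # fires only if nothing matched; charged as the worst case
            _walk(term[len("redirect="):], zone, state)
            continue
        name = term.partition(":")[0].partition("/")[0]
        if name in LOOKUP_MECHANISMS:
            charge()
            if name == "include":
                _walk(term.partition(":")[2], zone, state)

def spf_lookup_budget(domain, zone=CONSTRUCTED_ZONE):
    """Return ('ok', n) or ('permerror', n) where n is the lookups spent.
    Macros such as %{i} are not expanded; each term costs the one lookup it causes."""
    state = {"lookups": 0}
    try:
        _walk(domain, zone, state)
    except _LookupLimitExceeded:
        return "permerror", state["lookups"]
    return "ok", state["lookups"]
```

Three includes deep, example.com already needs eleven lookups and is rejected, while lean.example costs two; a receiver that enforces the limit caps the DNS load a single sender can trigger.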
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg