
Re: [Asrg] Implementing IPv6 DNSBLs

2010-12-14 14:06:24
Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:
On 12/13/10 10:32 PM, Matthias Leisi wrote:
On Mon, Dec 13, 2010 at 11:37 PM, Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:

For SMTP to survive, SMTP must cryptographically authenticate the
domain of the server publicly issuing the message. This domain
must also encompass

Not necessarily. IP-based whitelisting may be Good Enough[tm] for
that purpose.

   Indeed, it might (note the [tm] ;^)...

   ... if the number of IPv6 originators stays "small" (which as folks
have noted is entirely possible).

v6 white-listing takes renumbering to a horrific place and might work 
only during an initial transition where the number of v6 only sources 
are few.  Over a period of a few years, these numbers are likely to 
explode into millions.

   "Millions" doesn't particularly bother me -- but there's nothing
except inertia holding it to "millions", or even "billions". :^(

   'Twould be better to discuss _how_ to maintain such a whitelist.
IMHO, sending SMTP clients would have to publicly declare their intent
and there would have to be sufficient volume to convince some vouching
and/or reputation service that they send a sufficient volume of ham.

   This is not entirely trivial.

   Doug Otis and I worked with Dave Crocker on the draft-ietf-marid-csv
series of I-Ds, and considered such maintenance issues -- for _both_
IPv4 and IPv6. (They may be a bit dated with regard to IPv6, having
expired in 2005, but IPv6 was considered and seemed OK at the time.)

   We were of the opinion that query by domain-name was more useful
than query by IP-address -- largely because a single (IPv4) address
might well be used by more than one sending domain, with different
policies. For IPv6, it _might_ be possible to enforce an idea that
the IPv6 address must vary if the email policies differ...

Do not think in DNSBL terms, but from a DNSWL angle. In whitelisting
scenarios, sub-/64 assignments are both technically and
operationally feasible and can be useful in some scenarios:

* shared hosting environments (where I don't think each user will
  get a full /64)
* E-mail service providers
* 4-to-6 NAT/PAT
* Likely some more...

   Agreed.

   (I'd be _very_ interested in how anyone plans to _maintain_ a
reputation service for > 2**64 different addresses.)

--
John Leslie <john(_at_)jlc(_dot_)net>
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
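As an added illustration of the sub-/64 whitelisting idea discussed above (example code, not from this thread or from the CSV drafts it mentions), the following sketches how a DNSWL zone could key listings on prefixes of different lengths, so that a whole /64, a sub-/64 tenant block in a shared-hosting environment, or a single host can each carry its own entry. The zone name, the listed prefixes and the looked-up addresses are constructed.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Prefix lengths the hypothetical zone publishes, tried most specific first.
# A real zone would choose its own policy; these are constructed values.
LEVELS = (128, 96, 64)


def dnswl_query_name(addr: str, prefix_len: int, zone: str) -> str:
    """Build the nibble-reversed lookup name used by IPv6 DNSBL/DNSWL zones.

    Only the first prefix_len bits are kept, so every host inside the same
    prefix resolves to the same listing (e.g. /64 for a LAN, /128 for a host).
    """
    if prefix_len % 4 != 0 or not 0 < prefix_len <= 128:
        raise ValueError("prefix length must be a positive multiple of 4, at most 128")
    net = ipaddress.IPv6Network((addr, prefix_len), strict=False)
    hexdigits = net.network_address.exploded.replace(":", "")
    nibbles = hexdigits[: prefix_len // 4]
    return ".".join(reversed(nibbles)) + "." + zone


def build_zone(entries: Dict[str, str], zone: str) -> Dict[str, str]:
    """Turn {'prefix/len': 'value'} into {query_name: value} as the zone serves it."""
    data = {}
    for cidr, value in entries.items():
        net = ipaddress.IPv6Network(cidr)
        data[dnswl_query_name(str(net.network_address), net.prefixlen, zone)] = value
    return data


def lookup(addr: str, zone_data: Dict[str, str], zone: str) -> Optional[Tuple[int, str]]:
    """Return (matched prefix length, value) for the most specific listing, or None."""
    for plen in LEVELS:
        name = dnswl_query_name(addr, plen, zone)
        if name in zone_data:
            return plen, zone_data[name]
    return None


# Constructed listings: one whole /64, one sub-/64 tenant block, one single host.
SAMPLE_ENTRIES = {
    "2001:db8:1::/64": "mail cluster",
    "2001:db8:2::/96": "shared-host tenant A",
    "2001:db8:3::25/128": "single host",
}
SAMPLE_ZONE = "wl.example"
SAMPLE_DATA = build_zone(SAMPLE_ENTRIES, SAMPLE_ZONE)
```

A sender in the same /64 as tenant A but outside its /96 gets no listing, which is the distinction that lets a shared host vouch for one tenant without vouching for the whole /64.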