Dave --

Perhaps it's not obvious, but the identified mail draft can
also support the functionality you're after here with
BATV. It's essentially a matter of inspecting the bounce at
the purported home of the bounce of the bounced message
itself and doing the normal anti-forgery KRS check. These
reflection attacks, after all, are simply forgery attacks
that you wish had been discarded at the bounce relay.

What I'm not convinced of is that as instantiated it is
_robust_ enough. The bounce relays I tried dutifully copy
all of the bytes of the bounced message, but I don't think
that's a great assumption (don't some bounce generators
truncate after some configurable number of bytes?) Also:
they may well not all be MIME bounces, etc., etc.

My general take is that as a requirement the base MASS
protocol MUST provide bounce reflection attack protection.
I'm not sure why you'd need a separate mechanism, if that
is indeed what you're proposing.

Mike

Dave Crocker writes:

Folks,

We have finally posted the initial, honest-to-goodness specification
of BATV. It is much more constrained than the "description" that I
posted some time ago, but it also is complete, qualifying as a
specification.

Abstract

The envelope of Internet mail contains an RFC2821.MailFrom command,
which may supply an address to be used as the recipient of
transmission and delivery notices about the original message.
Existing Internet mail permits unauthorized use of addresses in the
MailFrom command, causing notices to be sent to unwitting and
unwilling recipients. Bounce Address Tag Validation (BATV) defines
an extensible mechanism for validating the MailFrom address. It also
defines an initial use of that mechanism which requires no
administrative overhead and no global implementation.

In case you simply cannot wait for the Internet-Draft folks to
announce it, you can find it at:

<http://brandenburg.com/CSV/draft-levine-mass-batv-00.html>
<http://brandenburg.com/CSV/draft-levine-mass-batv-00.txt>

d/
-----
Dave Crocker <mailto:dcrocker(_at_)brandenburg(_dot_)com>
Brandenburg InternetWorking <http://www.brandenburg.com>
Sunnyvale, CA USA <tel: +1.408.246.8253>; <fax: +1.408.850.1850>