ietf-smtp

Re: ADMD

2007-03-14 15:27:48

At 10:52 AM 3/14/2007 -0700, Dave Crocker wrote:
David MacQuigg wrote:
The Border is a special ADMD boundary, one in which there is no prior relationship.

That strikes me as an extremely helpful definition. Concise, clear and meaningful.

I think, however, I might disagree with it, although I'd be inclined to put this in terms of a change, rather than being basic.

I believe that a Border MTA role is important, even when there is a special arrangement between the neighboring ADMDs. (It doesn't matter whether the IP linkage between the ADMDs is through a private network or over the public Internet. There are all sorts of special trust arrangements possible.)

1. Do folks prefer "Border" or "Boundary"? I think "Boundary" gets used more, but I don't really care which is chosen, as long as there is good agreement to use the term.

Trust is the factor that distinguishes the border to the Internet from the boundary around an ADMD. If I understand the English connotations of these words, it seems "border" has more connection with trust than "boundary". e.g. We have a Border Patrol, and we draw boundaries around items in a Figure to indicate a grouping. So my vote is for "border".

So I'd be inclined towards a definition along the lines of:

2. "A Bo* module is a portal to an ADMD. It may provide any of the underlying functional roles within the architecture. Its additional role at the Bo* is to enforce exit and/or entry policies for the ADMD, when interacting with Bo* modules in other ADMDs."

Thoughts?

I worry that we will dilute the meaning of Border if we have a border module in every ADMD, even when they are not at the Border. Also, Fig. 5 already fills an entire page, so you won't be able to squeeze in two more modules. :>) I would be OK just calling them MTAs, with the understanding that any MTA connecting across a Border must perform some Border functions (authentication, filtering, etc.).

You define the term "Edge" on page 12 to mean something similar, but Fig. 4 shows an Edge between two related ADMDs.

Mumble. The document uses the term "Edge" to refer to an entire ADMD rather than to a module within it. An Edge ADMD is an originator or final recipient administrative environment.

A Bo* module will exist at the outer limits of *any* ADMD, edge, transit, or whatever.

Now I'm even more confused. The Edge ADMDs in Fig. 4 are at the edge of the Internet, which may be a few hops from either the Originator or the Recipient.

Can we at least agree that there is one special boundary between ADMDs, and that is the Border between sending and receiving NoAs?

I think it is between any two ADMDs. Not sure I understand the special role between "NoA"s. Please clarify.

This is the one boundary where we are dealing with strangers (connecting to MTAs in unrelated ADMDs). Related ADMDs can establish a secure channel using passwords, pre-arranged IPs, or even just a private email address.

My sending NoA includes yahoo.com and controlledmail.com. Yahoo asks me for a password when I want to send mail. Controlledmail checks my IP address.

On the receive side, my NoA includes yahoo.com, pobox.com, box67.com, ieee.org, and arizona.edu, all Border ADMDs forwarding to my mailstore at gain.com. The Border ADMDs have a full set of defenses against spam. I've turned OFF the border defenses at my mailstore. Its only protection is a private address that can't be guessed in a dictionary attack.

As you already know, there is a serious challenge to keep the figures understandable.

I am really impressed with the ASCII art in Fig. 5. :>) See also http://www.chris.com/ASCII/

-- Dave