Re: draft-atkins-smtp-traffic-control
2011-10-31 21:27:55
On 10/31/11 1:23 PM, Murray S. Kucherawy wrote:
On Monday, October 31, 2011 9:24 AM, Steve Atkins wrote:
Yahoo! is currently handling somewhat over 300,000 delivery attempts a
second[1]. You don't need to increase the average cost of a mail delivery
(either by increasing the cost of a delivery attempt or by increasing
the number of delivery attempts per message) by much for it to add
up to significant costs.
I believe it, but to be fair, they also have not come forward to indicate that
this is hurting them. Thus, I have to conclude they can handle it just fine.
As long as there is adequate network bandwidth and server resources,
email is not likely to see problems. When the assumption of adequate
resources is not true, it becomes difficult to know whether there is a
problem since there won't be evidence of a problem seen in receiving MTA
logs. These logs will not include the number of incomplete connections.
Those on smaller networks, such as with schools or those in rural areas,
coping with email abuse often requires servers located in data-centers
bringing the joy of paying at the 95 percentile of network traffic and
the cost of server space and power consumption, in addition to the
Internet connectivity needed to browse the Internet and to transfer
filtered email.
We offer a strategy where abusive IP addresses are kept from competing
with legitimate senders. While this strategy works fairly well at
reducing server and network loads, it seems unlikely this strategy can
be extended to cover IPv6 which currently has 65k times the announced IP
address space over the maximum available in IPv4. This large space is
also growing exponentially well beyond that of Moore's law. Those who
decide to not offer IPv6 connectivity will find IPv4 will impose a
growing percentage of addresses representing a dynamic and uncategorized
range of senders sharing the same addresses.
A hybrid approach where connections are first established using Kerberos
could provide a good solution. MIT has made an implementation of
Kerberos freely available, under copyright permissions similar to BSD
licensing. In 2007, MIT formed the Kerberos Consortium where sponsors
include Oracle, Apple, Google, Microsoft, and Centrify. The IETF has
the krb-wg supporting Kerberos.
By taking a layered approach where SMTP uses Kerberos tickets as a basis
for acceptance, IPv6 address information can be obtained to open access
to SMTP servers, where connections can also be validated using Kerberos
tickets. An extension to SMTP-Auth would be run in conjunction with the
infrequent use of Kerberos leveraging PKI or DANE. This would permit an
efficient exchange of email able to avoid much of the costs associated
with email abuse.
The many problems created by reputation systems that fail to
authenticate the entities being rated can be avoided as well. Kerberos
is already being heavily used by Apple and can support the integration
of other Internet based services.
-Doug
|
|