
Re: [ietf-smtp] Endless debate on IP literals

2020-01-01 13:48:01
On 1/1/20 2:34 PM, John R Levine wrote:

>> p.s. I somehow doubt that we should recommend authentication based only on IP address at any level, though.  That's poor practice even for a small network that assigns static IP addresses to all of its hosts.  More broadly there's a widespread misconception that isolated networks are not subject to security threats or that perimeter defenses are sufficient to protect them,

> It sounds like you may be conflating "authenticated" and "good".  The point of authenticating submissions is so that you know where they're coming from, and you're not an open relay for every random hostile host in the world, not that you know it's mail the recipient wants.  A device can be compromised or just have a bug and suddenly decide that it has 86,400 overdue update messages it needs to send right now through its 100% authenticated submission channel.  That's why submission servers need sanity checks on the mail they handle.

I was specifically thinking two things:

(1) In general, it's a Bad Idea to promote source IP address checks as a form of authentication for anything - not because it's never good enough for any purpose at all, but because a lot of people won't do the threat analysis and/or impose additional measures (like switches that do address checking) to make it reliable even for the purpose they have in mind.   So "IP source address authentication is bad, mmmkay?" is probably more effective than trying to explain exactly under what conditions it might be marginally acceptable.

(2) It's cheap and trivially easy these days to build a tiny, stealthy device that statically configures its source address, operates for hours or maybe days from a small battery, connects to local Ethernet or WiFi, and does whatever kind of disruption its creator wants - whether that's sending out faked messages that something's on fire, or sending malware to anywhere that the submission server will allow, or whatever.  There are lots of kinds of authentication, including challenge-response based on hashes of simple passwords, that I'd find perfectly acceptable in such an environment if managed correctly.  But even in such a relatively unsophisticated environment I don't think "authentication" based on anything that's exposed on the wire is good enough.  So no use of source IP addresses, no use of cleartext passwords, etc.


ietf-smtp mailing list
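An added example, written here and not code from the thread or from anyone posting in it, of the two points the exchange makes: a hash-based challenge-response login in which the shared secret never appears on the wire (so a sniffed source address or a sniffed response gives a rogue device nothing it can reuse), plus a per-sender rate cap as the submission-side sanity check against an authenticated but buggy device. It assumes HMAC-SHA256 over a server nonce rather than the MD5 of classic CRAM-MD5, and the device name and secret are constructed.

```python
import base64
import hashlib
import hmac
import os
import time
from collections import deque

# Constructed credential store: the shared secret is provisioned on the device
# and on the submission server and is never transmitted.
CREDENTIALS = {"sensor-17": b"constructed-example-secret"}


class SubmissionServer:
    """Challenge-response authentication plus a per-sender submission cap."""

    def __init__(self, max_per_hour=60):
        self.max_per_hour = max_per_hour
        self.outstanding = {}   # nonce -> issue time; each nonce is usable once
        self.recent = {}        # user -> deque of accepted submission times

    def challenge(self):
        """Step 1: server sends a fresh, unguessable nonce (this is what a sniffer sees)."""
        nonce = base64.b64encode(os.urandom(16)).decode()
        self.outstanding[nonce] = time.time()
        return nonce

    def verify(self, user, nonce, response_hex):
        """Step 3: check the device's MAC. A nonce is consumed on first use, so a
        captured response cannot be replayed, and the MAC does not reveal the secret."""
        if nonce not in self.outstanding:
            return False                      # unknown or already-used challenge
        del self.outstanding[nonce]
        secret = CREDENTIALS.get(user)
        if secret is None:
            return False
        expected = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response_hex)

    def accept_submission(self, user):
        """Sanity check independent of authentication: an authenticated sender
        still may not push an unbounded flood (the 86,400-message case)."""
        now = time.time()
        q = self.recent.setdefault(user, deque())
        while q and now - q[0] > 3600:        # drop timestamps older than one hour
            q.popleft()
        if len(q) >= self.max_per_hour:
            return False
        q.append(now)
        return True


def client_response(secret, nonce):
    """Step 2: the device answers with HMAC(secret, nonce); the secret stays local."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
```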