On 1/1/20 2:34 PM, John R Levine wrote:
>> p.s. I somehow doubt that we should recommend authentication based
>> only on IP address at any level, though. That's poor practice even
>> for a small network that assigns static IP addresses to all of its
>> hosts. More broadly there's a widespread misconception that
>> isolated networks are not subject to security threats or that
>> perimeter defenses are sufficient to protect them,
>
> It sounds like you may be conflating "authenticated" and "good". The
> point of authenticating submissions is so that you know where they're
> coming from, and you're not an open relay for every random hostile
> host in the world, not that you know it's mail the recipient wants. A
> device can be compromised or just have a bug and suddenly decide that
> it has 86,400 overdue update messages it needs to send right now
> through its 100% authenticated submission channel. That's why
> submission servers need sanity checks on the mail they handle.
I was specifically thinking two things:
(1) In general, it's a Bad Idea to promote source IP address checks as a
form of authentication for anything - not because it's never good enough
for any purpose at all, but because a lot of people won't do the threat
analysis and/or impose additional measures (like switches that do
address checking) to make it reliable even for the purpose they have in
mind. So "IP source address authentication is bad, mmmkay?" is
probably more effective than trying to explain exactly under what
conditions it might be marginally acceptable.
(2) It's cheap and trivially easy these days to build a tiny, stealthy
device that statically configures its source address, operates for hours or
maybe days from a small battery, connects to local Ethernet or WiFi, and
does whatever kind of disruption its creator wants - whether that's
sending out faked messages that something's on fire, or sending malware
to anywhere that the submission server will allow, or whatever. There
are lots of kinds of authentication, including challenge-response based
on hashes of simple passwords, that I'd find perfectly acceptable in
such an environment if managed correctly. But even in such a
relatively unsophisticated environment I don't think "authentication"
based on anything that's exposed on the wire is good enough. So no use
of source IP addresses, no use of cleartext passwords, etc.
Keith
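As an added illustration (not code from this thread or from any list participant), here is the shape of the two controls discussed above: a challenge-response submission login in the style of RFC 2195 CRAM-MD5, where the password itself never crosses the wire and a captured response cannot be replayed against a fresh challenge, plus the per-client sanity cap John mentions for clients that are authenticated but misbehaving. The hostname, user name, secret and limits are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Constructed credential store (assumption). A CRAM-style mechanism needs the
# server to hold the shared secret; in a real deployment that store is protected.
USERS = {"sensor-07": b"correct horse battery staple"}


def make_challenge(hostname: str = "submit.example.net") -> str:
    """Server side: one fresh, unpredictable challenge per login attempt.
    The random part is what makes a sniffed response useless later."""
    return f"<{secrets.token_hex(8)}.{int(time.time())}@{hostname}>"


def client_response(user: str, password: bytes, challenge: str) -> str:
    """Client side: prove knowledge of the password by keying an HMAC over the
    challenge. Only this digest is sent, never the password."""
    digest = hmac.new(password, challenge.encode(), hashlib.md5).hexdigest()
    return f"{user} {digest}"


def verify_response(challenge: str, response: str) -> bool:
    """Server side: recompute the digest for the challenge *this* session issued
    and compare in constant time. Callers must discard the challenge after one use."""
    try:
        user, digest = response.split(" ", 1)
    except ValueError:
        return False
    secret = USERS.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret, challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


class SubmissionLimiter:
    """Sanity check applied after authentication: a known client is still capped
    at max_per_window messages per window_seconds (a bug or compromise that wants
    to send 86,400 updates at once is refused, not relayed)."""

    def __init__(self, max_per_window: int, window_seconds: int) -> None:
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.sent: dict[str, deque[float]] = defaultdict(deque)

    def allow(self, user: str, now: float) -> bool:
        times = self.sent[user]
        while times and now - times[0] >= self.window:
            times.popleft()  # forget submissions older than the window
        if len(times) >= self.max_per_window:
            return False
        times.append(now)
        return True
```

Note that HMAC-MD5 is used here only because that is what RFC 2195 specifies; the property the thread cares about (nothing reusable on the wire) comes from the per-session challenge, not from the hash choice.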
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp