Re: A new transition plan, was: Re: the evilness of NAT-PT, was: chicago


On Jul 7, 2007, at 11:19 AM, Iljitsch van Beijnum wrote:

On 6-jul-2007, at 20:53, Douglas Otis wrote:
How will SMTP servers vet sources of inbound messages within anIPv6 environment? Virtually every grain of sand can obtain a"new" IPv6 address.
Simple: look at prefixes rather than individual addresses. If2002::2002 is a spammer, then you may want to assume that2002::2003, 2002::2004 etc are also spammers. With IPv6, the "CIDRdistance" between nodes under different administration should beconsiderably larger than with IPv4, where you'll often see systemsbelonging to different people on consecutive addresses.

Recommending CIDR blocking will not win accolades. This is one ofthe evils most want to avoid. The dynamics of IPv6 addressing ispart of the problem. IPv6 might utilize a translation of some IPv4address, perhaps of a session crossing through the IPv4 address spaceinto IPv6 address space via gateways. These translations will likelybe dynamically assigned. Just the ease of being able to obtain a newIPv6 address represents a problem although this is also touted as afeature. IPv6 address vetting is unlikely to effectively track badactors, nor will reverse DNS be all that useful.

An IPv6 address may traverse any number of translation points aswell.
Huh? What are you talking about?

There will be many ways to bridge between the IPv4 and IPv6 addressspace.

This complex topology spells the end of SMTP in its current form.


And that's a bad thing?

Probably not. However, the IETF might want to consider what isneeded to transition into something more robust once IPv6 space isallowed to send email. Difficult to obtain non-volatile referencesare essential for tracking abuse history. The difficulty is with thedifficult-to-obtain reference.

PNRP depends upon groups. Groups work in a fashion similar to thatof a mailing list. This suggests there could be intermediariesoffering references. Evidence of abuse should be limited to thetransmitting domain and not the individual. Dealing with abuseshould be internal to the domain.

Limiting accountability to the domain is a major sticking pointwithin the current email infrastructure. Those transmitting messagesinto public servers wish to avoid accountability. However,accountability simply does not scale down at an individual toindividual level. There must be some form of collectiveaccountability established.

One way this could be accomplished would be to create a message thatis nothing more than a URI. This could be done in a manner similarto BURL. The URI could be constructed of a double hash of a time-stamp, source identifier, and content. Message storage and retrievalcould even utilize object storage.

The "group" would be the web URL where the sender stored theindividuals' messages. Recipient access could depend upon either theobscurity of the double hash or handled by a scheme similar toOpenID. This approach should scale, and yet ensure references areobtained from those offering an HTTP message access service. Thiswould allow combining both SMTP and HTTP into a unified URLreputation vetting system independent of any underlying IP address.

It's the fundamental lack of, well, everything, in SMTP that allowsall this spam that we're suffering from these days and makes itimpossible to get rid of things like the base64 encoding overhead.

The transition will likely need to be evolutionary and notrevolutionary. MUAs could be modified to handle either form ofmessaging. At some point, those still using the old methods will betoo few to matter.

Build a better mousetrap rather than complain that the mice don'tlike the cheese.

Agreed. But is this something the IETF will even consider? Arethere too many vested in the old mousetrap?


-Doug




_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf

Re: A new transition plan, was: Re: the evilness of NAT-PT, was: chicago IETF IPv6 connectivity