
Re: What to improve? BCP-38/SAC-004 anyone?

2015-12-31 05:50:58
----- Original Message -----
From: "Patrik Fältström" <paf(_at_)frobbit(_dot_)se>
To: <ietf(_at_)ietf(_dot_)org>
Sent: Thursday, December 31, 2015 5:16 AM
Subject: What to improve? BCP-38/SAC-004 anyone?


Jari,

Thank you for the blog post, and of course as co-chair of the ICG
working on the IANA Transition I fully support and want to emphasize
your last bullet, that we need to finalize the IANA transition,
finally.

But, I want to mention one detail you might have hidden in one of your
other bullets, although not explicitly, and that is one we in the
Security and Stability Advisory Committee of ICANN where I am chair have
been struggling with for years, and that is source address validation
(for IP addresses that is). In the IETF there is the well known BCP-38
that for various reasons is questioned, although "implement BCP-38" is a
statement used for "do whatever is needed". In SSAC we already in 2004
created SAC-004
<https://www.icann.org/en/system/files/files/sac-004-en.pdf> about
"Securing the Edge". The main author of SAC-004, Paul Vixie, and others
have after that written numerous other documents on the same topic.

Baseline is, we must do something about it. For some definition of "we"
and some definition of "something".

This is of course related to what Fred Baker brought up, that we do have
some tools, but they are not deployed. And if they are deployed, they
are not deployed to the degree and quality needed to give the intended
effect.

We do have internationalized email addresses, we do have DNSSEC, we do
have IPv6, we do have...but how much of this is deployed?

I am sorry to say I see even here on this list many people not using
technologies they argue about. If I take things I have some clue about,
I think, DNS, and check the domain names used for the conversation,
neither DNSSEC, nor IPv6 or any other by the IETF after RFC1035 invented
technology that is DNS related is in use. By the very same engineers
discussing how to move standards forward. Is that a sign, or at least
indication?

Back to the source address validation issues. That the edge can source
IP packets with fake source IP addresses is a problem. It is, I claim,
the by far largest problem we have today.

I agree that source address validation is by far the largest problem we
have today, but not for IP addresses.  My own personal nightmare is that
90% of the phone calls  I get are fake, phony, fraudulent, phishing and
such like.  I used to be able to block most of them with a single filter
for 'withheld' but then the UK government, perhaps EU-driven, decided
that 'withheld' calls should be deprecated, so the fraudsters now use
SIP etc to generate fake source phone numbers so most of the calls get
through and have to be blocked individually.  The BBC blamed this on the
IETF for failing to introduce checks on the source phone addresses in
the protocol.  Myself I blame the phone companies for not having the
likes of RPF for phone numbers.

I understand that not many will have this precise problem at the top of
their list of nightmares but many will have a closely related one, that
there is little source address validation for e-mails which then
provides a ready vector for fraud.  (I note that I-D announcements have
trebled in size recently because of X- headers added by ESPs but I doubt
that they bring any benefit in this area that offsets the greater cost).

IP addresses are only meaningful to geeks like us.  Users at large see
and use e-mail addresses and phone numbers and, when they have yet to
learn that these can be faked, are susceptible to fraud.  This brings
real pain to real people and could provide a lever to get things done.

Tom Petch

Is this connected to the fact that not even people developing standards
use the very same standards?

Has the IETF ended up being too academic and lost connection to what is
actually deployed?

Sure, this gap between what is developed in the IETF and what is
deployed has always existed. Existed when I started to be wg chair,
continued when I was an AD, continued even more when I was on IAB, and
later ISOC BoT, and now SSAC Chair. And some of the RFCs I have written
have been excellent examples of standards never taking off(!).

So yes, I blame myself for not having answers to my own questions. If I
had, I would have pushed for the answers. I have at least myself
working(?) PGP, DNSSEC, IPv6, NAPTR and many other things. I.e. I am, I
claim, eating my own dog food.

But, is the taste of our own food so bad we do not eat it ourselves?

If so, how can we make others eat it?

At least some flavor of BCP-38?

Because that is really really the largest issue we have today.

With this, all the best for a successful 2016!

    Patrik Fältström