----- Original Message -----
From: "Stephane Bortzmeyer" <bortzmeyer(_at_)nic(_dot_)fr>
To: "Nico Kadel-Garcia" <nkadel(_at_)comcast(_dot_)net>
Cc: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Tuesday, March 01, 2005 10:23 AM
Subject: Re: Status of Email Authentication
> [Maybe add this in the Security Considerations of the future RFC.]
>
> On Tue, Mar 01, 2005 at 09:40:05AM -0500,
> Nico Kadel-Garcia <nkadel(_at_)comcast(_dot_)net> wrote
> a message of 38 lines which said:
>
> > There are several methods. Many involve manipulating routing tables
> > on intermediate connections, so that the traffic goes to a fake such
> > address or is even duplicated to that fake destination so that the
> > traffic can be analyzed and parsed for passwords.
>
> This exists but it is *far* more complicated than giving false
> information in an SMTP session.
>
> All we can hope is to make things more difficult for spammers. Reality
> check: we cannot prevent forgery. We can make it more difficult and
> therefore maybe less lucrative and limited to fewer people.

Oh, agreed. He asked how one could be stolen, I explained a means.

> > Since most routers have no more security than most FTP accounts,
> > using default passwords, having little shell scripts or
> > configuration tools lying around with the passwords in plain text,
> > and having admins log in remotely over unsecured networks to fix
> > problems and sending passwords in the clear because they use telnet
> > and few routers support SSH, this isn't actually that hard.
>
> Do not be so pessimistic: all routers' operating systems (Linux, IOS,
> JunOS, FreeBSD) have supported SSH for a long time. There are two sorts of
> routers:

Just because the operating system supports it doesn't mean the router
supports it. Only one of the last 5 or so routers I've dealt with supported
SSH, and that one required going through a web page to download the tools to
enable it. (And the web page didn't work.)

> * end-site routers at the edge of the Internet. They are often
> completely unmanaged and, as you say, exhibit many security
> holes. But, since they connect only an end-site, you cannot use them
> to disrupt or divert traffic.

Yes, you can. When you consider that a 100-customer ISP is an "end-site"
router, and so are many 1000-user companies and ISPs that treat their
routers in the way you describe "end-site" routers, and that they can
blackhole routes or publish other false data, they can do quite a lot of
damage. Mis-managed, they *do* cause a lot of damage. It's a serious security
problem, although not one within the scope of SPF to cope with.

> * core routers, managed by network operators. They are much more
> useful as targets but they are also much more hardened (though not
> perfectly).

True. But they're still surprisingly vulnerable. It's actually a real
security concern at federal levels, compounded by the intriguing issues of
the federal desires to monitor and tap traffic without the knowledge of the
end users, whether done for legitimate law enforcement purposes or for
espionage reasons.
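The two points argued above, that SPF cannot prevent forgery but makes it harder by tying the MAIL FROM domain to the connecting IP, and that an attacker who can divert or source traffic from an authorized address still gets a "pass", shown as an added example. This is my own illustration, not code from the list or from any SPF implementation. The DNS table (example.org, mail.example.org, _spf.example.net and the addresses in it) is constructed for the demo, and the evaluator covers only the ip4, ip6, a, mx, include and all mechanisms with the four qualifiers; redirect=, exp=, macros and exists are deliberately left out.

```python
"""Minimal SPF-style check of an SMTP MAIL FROM against the client IP.

Added example for the spf-discuss thread; not the list's or any project's code.
DNS answers come from a constructed in-memory table so the script runs offline.
"""
import ipaddress

# Constructed zone data (hypothetical); a real checker would query DNS.
DNS = {
    "example.org": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.example.net -all"],
        "MX": ["mail.example.org"],
    },
    "mail.example.org": {"A": ["198.51.100.25"]},
    "_spf.example.net": {"TXT": ["v=spf1 ip6:2001:db8::/32 ~all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 4408 caps DNS-causing terms; this caps nesting


def lookup(name, rtype):
    """Return the records of type rtype for name from the constructed table."""
    return DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1 "):
            return txt
    return None


def check_host(ip, domain, depth=0):
    """Evaluate ip against domain's SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:          # modifier (redirect=, exp=): ignored here
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif mech == "a":
            matched = str(addr) in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(str(addr) in lookup(mx, "A")
                          for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            # include: matches only when the included record yields "pass"
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"   # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"             # no mechanism matched and no "all"


def mail_from_result(client_ip, mail_from):
    """Check the domain given in an SMTP MAIL FROM against the connecting IP.

    The sender string is whatever the client claimed, e.g. "<ceo@example.org>";
    SPF only decides whether client_ip is allowed to claim that domain.
    """
    domain = mail_from.strip().strip("<>").rsplit("@", 1)[-1]
    return check_host(client_ip, domain)


if __name__ == "__main__":
    # A forger on an unrelated address fails; traffic sourced from (or
    # hijacked into) the authorized prefix passes, which is the caveat above.
    for ip, sender in [("203.0.113.7", "<ceo@example.org>"),
                       ("192.0.2.10", "<ceo@example.org>")]:
        print(f"client {ip} MAIL FROM:{sender} -> {mail_from_result(ip, sender)}")
```

The second call in the usage block is the route-hijack case from the thread: SPF trusts the IP layer, so anyone able to originate packets from 192.0.2.0/24 passes as example.org, which is why the discussion above treats router security as out of scope for SPF rather than something it can fix.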