spf-discuss

Re: [spf-discuss] Re: [Fwd: Re: DNSOP Agenda for San Diego (IETF 67)]

2006-10-31 10:38:14
I think this is all much ado about nothing.

First, nothing requires anyone to do SPF checks.  A truly well engineered 
integration of SPF would degrade gracefully and bail out on SPF checks if 
resource usage gets to be too great.  A competent admin will do this manually 
as soon as they are alerted to the problem.  So, worst case this is a 
potential issue for integrators and admins to be aware of.

While the lack of anybody doing such a DOS attack does not entirely refute 
the argument, I do think that if this was easy, we'd have seen it by now.

I'm not saying it's not a risk, but that I think it can be managed.

IIRC, when I was arguing with Radu about this, much of the amplification 
potential related to pipelining (particularly unauthorized pipelining that 
starts before the SMTP greeting).  I know that both Sendmail and Postfix 
have controls to protect against this kind of abuse.

There is no box on the internet that cannot be DOSed today through one or 
another mechanism.  Defense against DOS attacks requires active effort.  
SPF is no different in that regard.

Scott K
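
The graceful degradation described in the message above, sketched as an added example that is not part of the original post or of any SPF implementation: a gate that stops running SPF checks once the DNS lookups spent on them within a time window exceed a budget, and resumes when the window clears. The class name, the budget values and the `fake_evaluate` stand-in for a real SPF library are assumptions.

```python
from collections import deque


class SpfLoadShedder:
    """Skip SPF evaluation while its recent DNS cost exceeds a budget."""

    def __init__(self, evaluate, max_lookups, window_seconds):
        self.evaluate = evaluate        # callable(ip, domain) -> (result, dns_lookups)
        self.max_lookups = max_lookups  # lookups allowed per window (assumed value)
        self.window = window_seconds
        self.spent = deque()            # (timestamp, lookups) per evaluated message
        self.total = 0                  # lookups currently inside the window

    def _expire(self, now):
        # Drop cost records that have aged out of the window.
        while self.spent and now - self.spent[0][0] >= self.window:
            self.total -= self.spent.popleft()[1]

    def check(self, ip, domain, now):
        self._expire(now)
        if self.total >= self.max_lookups:
            # Over budget: accept the message without an SPF verdict
            # instead of issuing more DNS queries.
            return "skipped"
        result, lookups = self.evaluate(ip, domain)
        self.spent.append((now, lookups))
        self.total += lookups
        return result


def fake_evaluate(ip, domain):
    # Constructed stand-in for a real SPF library: the per-domain DNS cost
    # and the single authorized address are invented for this example.
    cost = {"cheap.example": 1, "heavy.example": 10}
    return ("pass" if ip == "192.0.2.1" else "fail", cost[domain])


def demo():
    gate = SpfLoadShedder(fake_evaluate, max_lookups=20, window_seconds=60)
    return [
        gate.check("192.0.2.1", "cheap.example", now=0),
        gate.check("198.51.100.7", "heavy.example", now=1),
        gate.check("198.51.100.7", "heavy.example", now=2),
        gate.check("192.0.2.1", "cheap.example", now=3),   # budget spent
        gate.check("192.0.2.1", "cheap.example", now=62),  # window cleared
    ]


if __name__ == "__main__":
    print(demo())
```
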
