
Additional security consideration for marid-core



As promised at last week's meeting, I'd like to propose a description of an additional attack for the Security Considerations section of marid-core:
-----
6.4 Address Space Hijacking

This mechanism assumes the integrity of IP address space for determining whether a given client is authorized to send messages from a given PRA.  In addition to the TCP attack given in section 6.2, a sufficiently resourceful attacker might be able to alter the IP routing structure to permit two-way communication using a specified IP address.  It would then be possible to execute an SMTP session that appears to come from an authorized address, without the need to guess TCP sequence numbers or transmit in the blind.

Such an attack might occur if the attacker obtained access to a router which participates in external BGP routing.  Such a router could advertise a more specific route to a rogue SMTP client, temporarily overriding the legitimate owner of the address.

-----
Attackers (typically spammers and phishers) are very good at adapting to countermeasures we put in place.  I have been rather concerned that authorization based on IP address will push them in the direction of these sorts of attacks on IP address space, which is a place where none of us would like to see them go.

-Jim
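
An added example, not part of the original message: a sketch of how an operator could watch for the route change described in the proposed section 6.4, by comparing observed BGP announcements against the prefixes that hold a domain's authorized SMTP clients. The prefixes, AS numbers and announcements are constructed (documentation ranges), and the function names are hypothetical.

```python
import ipaddress

# Constructed data: prefixes holding a domain's authorized SMTP clients,
# mapped to the origin AS expected to announce them (documentation ranges).
EXPECTED = {
    ipaddress.ip_network("192.0.2.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/24"): 64501,
}

# Constructed BGP announcements seen by a monitor: (prefix, origin AS).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),     # legitimate owner
    ("192.0.2.128/25", 64511),   # more specific route from another AS
    ("198.51.100.0/24", 64511),  # same prefix, unexpected origin
    ("203.0.113.0/24", 64502),   # does not touch authorized space
]

def best_route(announcements, address):
    """Longest-prefix match: the (prefix, origin) that carries traffic to address."""
    addr = ipaddress.ip_address(address)
    routes = [(ipaddress.ip_network(p), asn) for p, asn in announcements]
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)

def classify(prefix, origin, expected=EXPECTED):
    """Label one announcement relative to the authorized sender prefixes."""
    net = ipaddress.ip_network(prefix)
    for own, asn in expected.items():
        if net.version != own.version:
            continue
        if net == own:
            return "ok" if origin == asn else "origin-mismatch"
        if net.subnet_of(own):
            return "more-specific" if origin == asn else "more-specific-foreign-origin"
    return "unrelated"

def alerts(announcements, expected=EXPECTED):
    """Return announcements that overlap authorized space but differ from the expected route."""
    flagged = []
    for prefix, origin in announcements:
        label = classify(prefix, origin, expected)
        if label not in ("ok", "unrelated"):
            flagged.append((prefix, origin, label))
    return flagged

if __name__ == "__main__":
    for item in alerts(ANNOUNCEMENTS):
        print(item)
```

`best_route` shows why the /25 wins for addresses in the upper half of the /24 even though the legitimate /24 is still announced, which is the condition under which an IP-based authorization check would accept the wrong client.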