[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Trouble with Sender Authentication

To: Frank Ellermann <nobody@xxxxxxxxxxxxxxxxx>
Subject: Re: Trouble with Sender Authentication
From: Douglas Otis <dotis@xxxxxxxxxxxxxx>
Date: Tue, 7 Nov 2006 15:01:48 -0800
Cc: ietf-mxcomp@xxxxxxx
In-reply-to: <4550E1A0.E20@xxxxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-mxcomp/mail-archive/>
List-id: <ietf-mxcomp.imc.org>
List-unsubscribe: <mailto:ietf-mxcomp-request@imc.org?body=unsubscribe>
References: <200611021612.13627.ietf-mxcomp.lists@xxxxxxxxxxxxx> <58CA41E0-1708-41A8-BE6B-7EBB343479A9@xxxxxxxxxxxxxx> <x4zmb9fg2s.fsf@xxxxxxxxxxxxxxxxxxxx> <CA634898-FCE8-4787-B860-669C685272D0@xxxxxxxxxxxxxx> <x4ac34dybu.fsf@xxxxxxxxxxxxxxxxxxxx> <B4EFD505-346E-4C0E-BF4A-D9CBAB528BD5@xxxxxxxxxxxxxx> <4550E1A0.E20@xxxxxxxxxxxxxxxxx>
Sender: owner-ietf-mxcomp@xxxxxxxxxxxx



On Nov 7, 2006, at 11:42 AM, Frank Ellermann wrote:

Douglas Otis wrote:
Promotion of SPF effectively thwarts any consideration ofalternatives on spf- discuss.
You'll tell us when you've found a better way to partition all IPsinto three sets PASS, FAIL, or DUNNO (with as many variants ofDUNNO as you need).

The RFC3123 permits more than 50 CIDRs per transaction when addressregistration is desired. A better choice would be to authenticatethe EHLO as an address literal or host name. The EHLO in any formcan then be associated with an originating domain. Any number offlags may then indicate the nature of the association and the levelof assurance offered. With this technique only _one_ smalltransaction is made against a message targeted resource and is muchsafer from a DDoS concern.


For examples of such a scheme see:
http://www.sonic.net/~dougotis/id/draft-otis-dkim-dosp-02.html

Nice to see that you agree that your data doesn't back up yourclaims, but even your 64:1 number is bogus.
How so?
Because 100/11 is a bit more than 9, and 100/12 is a bit less than 9.

There is about 640 bytes of traffic for each of the 100 transactionsrepresenting 64,000 bytes of generated traffic. When a message isabout 1000 bytes, the ratio of SPF traffic per message is then 64:1or 64K bytes of DNS traffic per message.

a gift given an attacker by those executing SPF script.


The stuff is called "SPF policy" or "SPF record", not "SPF script".

A possible >6K bytes of SPF script (a series of instructions carriedout in a specific order) must be executed to obtain an answer. Theanswer might involve the comparison of multi faceted PTRtransactions, two stage MX transactions within CDIRs, and/or directaddresses transactions within CIDRs at macro generated locationscompared against SMTP client addresses. There is also checks for anyanswer from address transactions at macro constructed locations. Noanswer is assured without executing the instructed transactions andapplying the indicated Boolean logic. This script also containsincludes, redirects and default statements. SPF is the epitome of ascript. In contrast, APL does not involve subsequent instructedtransactions to obtain an answer and would not be described as a script.


-Doug

References:
- Trouble with Sender Authentication
  - From: K.J. Petrie
- Re: Trouble with Sender Authentication
  - From: Douglas Otis
- Re: Trouble with Sender Authentication
  - From: wayne
- Re: Trouble with Sender Authentication
  - From: Douglas Otis
- Re: Trouble with Sender Authentication
  - From: wayne
- Re: Trouble with Sender Authentication
  - From: Douglas Otis
- Re: Trouble with Sender Authentication
  - From: Frank Ellermann

Prev by Date: Re: Trouble with Sender Authentication
Next by Date: Re: Trouble with Sender Authentication
Previous by thread: Re: Trouble with Sender Authentication
Next by thread: Re: Trouble with Sender Authentication
Index(es):
- Date
- Thread