
Re: Security Expectations for Internet Service Providers to BCP



Bill,

>     > > 4.3 Ingress Filtering on Source Address
>     > 
>     > Should this document have some words about customer vs. ISP filtering,
>     > i.e., who does the filtering and when? (This relates to an earlier
>     > thread on the ingress filtering document itself). Perhaps not, given
>     > that this document's focus is the ISP side.

> This was an issue we discussed in Adelaide, I don't know if it's going to
> be incorporated or not...

The IESG is discussing this document, under the assumption the
document is done. If the WG still has open issues, we probably
ought to know about it...

> Basically that all discussion of filtering contained the implicit
> but unstated assumption that directionality was relative to the ISP
> (okay but should be stated), and there was no discussion of the
> possibility of customer-side filtering at all.  When the CPE is under
> the ISP's exclusive control, as is often the case, customer-side
> actually works really well.

My question was whether the document should have more text on these
two cases, since the relative ease of the filtering seems to be
dependent on the cases.

>     > >    The IP protocol allows for directed broadcast, the sending of a
>     > >    packet across the network to be broadcast on to a specific subnet.
>     > >    Very few practical uses for this feature exist, but several different
>     > >    security attacks (primarily Denial of Service attacks making use of
>     > >    the packet multiplication effect of the broadcast) use it.
>     > >    Therefore, routers connected to a broadcast medium MUST NOT be
>     > >    configured to allow directed broadcasts onto that medium [RFC2644].
>     > 
>     > MUST NOT seems too strong, and goes further than even 2644. Besides,
>     > is it ISPs who are the favorite targets here, as opposed to end
>     > sites? I.e., end sites typically have more nodes attached to a given
>     > segment than an ISP might and it's the number of responding nodes that
>     > are the problem.

> No question, I think the goal here is to encourage ISPs to set a good
> example, even though they're not primary targets, and to understand the
> problem and pass an understanding and spirit of activism along to their
> customers, where the larger problem exists.

I'd be happy with a SHOULD NOT. MUST just seemed a bit absolute,
especially given that RFC 2644 did not deem it appropriate to go this
far. I.e., is the WG really sure it wants the MUST NOT language?

>     > >    An SMTP mail server is said to be running as an 'open' mail relay if
>     > >    it is willing to accept and relay to non-local destinations mail
>     > >    messages that do not originate locally (i.e., neither the originator
>     > >    nor the recipient address is local).  Such open relays are frequently
>     > >    used by 'spammers' to inject their Unsolicited Bulk E-mail (UBE)
>     > >    while hiding their identity.  There are only very limited
>     > >    circumstances in which an administrator can make a justifiable case
>     > >    for leaving a mail relay on the Internet completely open.
>     > 
>     > Actually, the above definition seems slightly off. Isn't the real
>     > problem mail servers that don't properly authenticate the party
>     > sending the mail before accepting it? The "do not originate locally"
>     > description doesn't accurately describe the problem.

> Mmm, that assumes that [software and human] clients capable of doing
> authentication exist in meaningful numbers, which I haven't observed,
> perhaps through inattention. It also assumes that passwords would not be
> exploited, et cetera, which opens quite a hole.  I agree in principle, but
> without some practical sense of how feasible wide-scale authenticated
> smtp deployment and support are, I'd be hesitant to push for including it
> in a BCP.

I think I'm just a bit confused about wording. Section 5.4 talks about
message submission. What is the difference (technically) between
message submission and the following:

   An SMTP mail server is said to be running as an 'open' mail relay if
   it is willing to accept and relay to non-local destinations mail
   messages that do not originate locally (i.e., neither the originator
   nor the recipient address is local). 

I.e., what does "local" mean in the context of the Internet? Doing a
bit more looking, 2476 really does distinguish between relaying and
submission. Are these definitions generally understood by the
community? A couple of sentences defining the terms before using
them might be in order.

Thomas
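The two filtering points argued over above (section 4.3 source-address filtering, direction taken relative to the ISP, and the RFC 2644 directed-broadcast rule) as a small router-side decision function; this is an added illustration, not code from the draft or from anyone on the thread, and the interface names, prefixes and topology are constructed.

```python
# Added illustration: ISP-side forwarding checks for the two topics above.
import ipaddress
from dataclasses import dataclass
from typing import List

@dataclass
class Interface:
    name: str
    prefix: ipaddress.IPv4Network   # block assigned to the customer behind this link
    customer_facing: bool           # True for access links, False for upstream/peer links

def ingress_ok(iface: Interface, src: str) -> bool:
    """Section 4.3 style check with directionality relative to the ISP:
    a packet entering on a customer link must carry a source address from
    that customer's own prefix.  Upstream/peer links are not checked here."""
    if not iface.customer_facing:
        return True
    return ipaddress.IPv4Address(src) in iface.prefix

def is_directed_broadcast(dst: str, attached: List[ipaddress.IPv4Network]) -> bool:
    """True if dst is the subnet broadcast address of a network directly
    attached to this router, i.e. forwarding it would broadcast onto that
    medium (RFC 2644).  /31 and /32 links have no broadcast address."""
    d = ipaddress.IPv4Address(dst)
    return any(d == net.broadcast_address
               for net in attached if net.prefixlen <= 30)

def filter_packet(iface: Interface, src: str, dst: str,
                  attached: List[ipaddress.IPv4Network]) -> str:
    """Return 'forward', 'drop:spoofed-source' or 'drop:directed-broadcast'."""
    if not ingress_ok(iface, src):
        return "drop:spoofed-source"
    if is_directed_broadcast(dst, attached):
        return "drop:directed-broadcast"
    return "forward"

# Constructed sample topology using RFC 5737 documentation prefixes.
CUSTOMER = Interface("cust0", ipaddress.IPv4Network("198.51.100.0/24"), True)
UPSTREAM = Interface("up0", ipaddress.IPv4Network("0.0.0.0/0"), False)
ATTACHED = [ipaddress.IPv4Network("192.0.2.0/24"),
            ipaddress.IPv4Network("198.51.100.0/24")]

if __name__ == "__main__":
    for iface, src, dst in [(CUSTOMER, "198.51.100.7", "203.0.113.9"),
                            (CUSTOMER, "10.0.0.1", "203.0.113.9"),
                            (CUSTOMER, "198.51.100.7", "192.0.2.255"),
                            (UPSTREAM, "203.0.113.9", "198.51.100.255")]:
        print(iface.name, src, "->", dst, filter_packet(iface, src, dst, ATTACHED))
```

The customer-side variant the thread mentions is the same source check applied at the CPE with the direction reversed; the directed-broadcast check is independent of which side the packet came from.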