DNS-based Message-Transit Authentication Techniques
D. Crocker, Brandenburg InternetWorking
<http://bbiw.net/current.html#spam>
D. Crocker DNS-based Authentication Techniques 2
What we will cover…
- A little email background
- Evaluating anti-spam proposals: <http://craphound.com/spamsolutions.txt>
- Authentication proposals: content vs. operations; permit the ops admin to enforce accountability
- Strengths and weaknesses
- Current status
Setting the Context
[Cartoon: © 1975(!) Datamation]
“This? Oh, this is the display for my electronic junk mail.”
Email has Become Complicated…
[Diagram: the Mail Handling Service (MHS) is a mesh of MSA, MTA and MDA hops; MUAs sit at the edges, a Mediator relays at user level, and a Bounce path carries returns back toward the originator]
MUA: User Agent
Mediator: User-level Relay
MHS: Mail Handling (transit) Service
MSA: Submission
MTA: Transfer
MDA: Delivery
Bounce: Returns
More Than One “Sender”
[Diagram: two MUAs exchanging mail through MSA/MTA/MDA hops and a MailingList, annotated with the identity each point on the path exposes]
Identities exposed along the path:
MTA IP
rfc2821.HELO
Provider Network IP
rfc2822.Sender
rfc2822.From
rfc2821.MailFrom (Bounce/Return-Path, set by rfc2822.Sender)
rfc2821.Received
Trust Boundaries
[Diagram: MUAs, MSAs, MTAs, MDAs and a Mediator partitioned into seven Administrative Environments, AE1 through AE7; every hop that crosses from one AE into another crosses a trust boundary]
AE: Administrative Environment
Accountability
Content analysis (e.g., Bayesian) vs. Accountability, composed of:
Identity: Who does this purport to be? (IP address or domain name)
Authentication: Is it really them?
Authorization: What are they allowed to do?
Assessment: What do I think of the agency giving them that permission? (e.g., reputation or accreditation)
Address Registration Schemes

Name:    Sender Policy Framework (SPF), draft schlitt-spf-classic
ID:      rfc2821.MailFrom, rfc2821.Helo
DNS RR:  SPF or TXT, v=spf1
Purpose: Register client MTA with the MailFrom domain. “Owners authorize hosts to use their domain name in the MAIL FROM or HELO”

Name:    Sender-ID (SID), draft lyon-senderid-core
ID:      rfc2822.Sender, rfc2821.MailFrom
DNS RR:  SPF or TXT, v=spf1 or v=spf2
Purpose: Register client MTA with the Sender domain. “Does SMTP client have permission from referenced mailbox?”

Name:    Certified Server Validation (CSV), mipassoc.org/csv
ID:      rfc2821.Helo
DNS RR:  A
Purpose: Register client MTA under its operator's domain. “Permits SMTP server to decide whether SMTP client is likely to produce well-behaved traffic”
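The registration schemes above all reduce to the same receiver-side question: does the published record for the claimed domain authorize the connecting IP? The following is an added example (mine, not code from the slides or from any of the SPF, Sender-ID or CSV projects) that implements the core of SPF's check_host over a constructed in-memory DNS table, so the mechanics are visible offline: ip4/ip6, a, mx and include mechanisms, the +/-/~/? qualifiers, and the per-evaluation lookup budget that keeps a malicious or looping include: from turning the receiver into a DNS amplifier. The zone data, domain names and addresses are all constructed for the example; redirect=, ptr and exists are not handled.

```python
"""Minimal v=spf1 evaluator (check_host) over a constructed in-memory DNS."""
import ipaddress

# Constructed DNS answers keyed by (name, rrtype); stands in for real lookups.
DNS = {
    ("example.com", "TXT"): [
        "v=spf1 ip4:192.0.2.0/24 a mx include:_spf.mailer.example -all",
        "some unrelated TXT record",
    ],
    ("example.com", "A"): ["198.51.100.10"],
    ("example.com", "MX"): ["mx1.example.com"],
    ("mx1.example.com", "A"): ["198.51.100.25"],
    ("_spf.mailer.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
    # include: pointing at itself must hit the lookup limit, not recurse forever
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],
    ("nospf.example", "TXT"): ["not an spf record"],
}

MAX_DNS_LOOKUPS = 10   # RFC 4408 limit on a/mx/include/ptr/exists/redirect terms
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class LookupLimit(Exception):
    """Raised when one evaluation exceeds MAX_DNS_LOOKUPS."""


def lookup(name, rrtype):
    return DNS.get((name.lower(), rrtype), [])


def spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None."""
    recs = [r for r in lookup(domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def _spend(budget):
    budget[0] -= 1
    if budget[0] < 0:
        raise LookupLimit()


def _addrs(name):
    return [ipaddress.ip_address(a) for a in lookup(name, "A")]


def _check(ip, domain, budget):
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        if "=" in term.split(":", 1)[0]:
            continue  # modifiers (redirect=, exp=) are not handled in this example
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif mech == "a":
            _spend(budget)
            matched = ip in _addrs(target)
        elif mech == "mx":
            _spend(budget)
            matched = any(ip in _addrs(mx) for mx in lookup(target, "MX"))
        elif mech == "include":
            _spend(budget)
            sub = _check(ip, arg, budget)
            if sub in ("none", "permerror"):
                return "permerror"  # including a domain with no record is an error
            matched = sub == "pass"
        else:
            return "permerror"  # unknown mechanism (ptr/exists not implemented here)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no trailing all


def check_host(ip, domain):
    """SPF result for client address `ip` claiming `domain` in MAIL FROM or HELO."""
    try:
        return _check(ipaddress.ip_address(ip), domain, [MAX_DNS_LOOKUPS])
    except LookupLimit:
        return "permerror"
```

The budget is a single counter shared across the whole evaluation, including nested include: records, because the limit in the specification is per check_host call, not per record; a receiver that forgets this is the "DNS query overhead" weakness from the Strengths and Weaknesses slide made exploitable.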
Signature-based Schemes

Name:    DomainKeys Identified Mail (DKIM), mipassoc.org/dkim
ID:      Independent (!) of the transit identities (usually tied to rfc2822.Sender)
DNS RR:  TXT (public key published under a selector)
Purpose: Sign message body + selected headers. The signing domain takes responsibility for the message; any receiver can verify the signature against the key in DNS, whatever path the message took.

Name:    Bounce Address Tag Validation (BATV), mipassoc.org/batv
ID:      rfc2821.MailFrom
DNS RR:  None required
Purpose: Sign MailFrom. “Defines an extensible mechanism for validating the MailFrom address”
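BATV is the one scheme in the deck that needs no DNS at all: the sending site signs its own MailFrom so that, when a bounce comes back, it can tell a bounce it solicited from backscatter aimed at a forged return path. The following is an added example (mine, not code from the slides or the BATV project) of the prvs tag form, prvs=KDDDSSSSSS=local@domain, where K is a one-digit key number, DDD the expiry day and SSSSSS six hex digits of a signature. The use of HMAC-SHA256 for the signature, the encoding of DDD as days since 1970-01-01 mod 1000, the 7-day validity window and the secret key are this example's own assumptions.

```python
"""BATV prvs bounce-address tagging (on submission) and checking (on bounce)."""
import hashlib
import hmac
from datetime import date

SECRET_KEYS = {0: b"constructed-example-key-0"}  # key number -> secret (constructed)
VALIDITY_DAYS = 7                                 # assumption: tags live one week
EPOCH = date(1970, 1, 1)


def _days(day):
    return (day - EPOCH).days


def _sig(key_num, expiry, address):
    # Assumption: six hex digits of HMAC-SHA256 over key number, expiry and address.
    msg = f"{key_num}{expiry:03d}{address.lower()}".encode()
    return hmac.new(SECRET_KEYS[key_num], msg, hashlib.sha256).hexdigest()[:6]


def tag_address(address, today, key_num=0):
    """Rewrite an outgoing MAIL FROM address into its prvs-tagged form."""
    local, _, domain = address.partition("@")
    expiry = (_days(today) + VALIDITY_DAYS) % 1000
    return f"prvs={key_num}{expiry:03d}{_sig(key_num, expiry, address)}={local}@{domain}"


def check_bounce(rcpt, today):
    """Decide whether a bounce (null MAIL FROM) addressed to `rcpt` is one we solicited.

    Returns (accepted, reason, original_address).
    """
    local, _, domain = rcpt.partition("@")
    if not local.startswith("prvs="):
        return False, "untagged", None      # we never send with a bare return path
    tagval, sep, orig_local = local[len("prvs="):].partition("=")
    if not sep or len(tagval) != 10 or not tagval[:4].isdigit():
        return False, "malformed", None
    key_num, expiry, sig = int(tagval[0]), int(tagval[1:4]), tagval[4:]
    original = f"{orig_local}@{domain}"
    if key_num not in SECRET_KEYS:
        return False, "unknown key", None
    if not hmac.compare_digest(sig, _sig(key_num, expiry, original)):
        return False, "bad signature", None  # forged return path or tampered tag
    if (expiry - _days(today)) % 1000 > VALIDITY_DAYS:
        return False, "expired", None        # replay of a tag that was once valid
    return True, "ok", original
```

The signature binds the key number and expiry as well as the address, so an attacker who harvests one tagged address cannot move its tag onto another local part or extend its life. The per-message rewrite of MailFrom is also why the later slide lists "some MLs break" as a weakness: a mailing list that keys subscriptions on the envelope sender sees a different prvs= address every time.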
Strengths and Weaknesses

SPF
  Strengths:  No client-side software
  Weaknesses: Limits transit sources and paths; admin and DNS query overhead; RR complexity

SID
  Strengths:  No client-side software
  Weaknesses: Mostly the same as SPF; IPR (Microsoft)

CSV
  Strengths:  Simple, direct, complete
  Weaknesses: No traction

DKIM
  Strengths:  Not sensitive to path or source
  Weaknesses: Software changes; signature fragility

BATV
  Strengths:  Does not require interoperability
  Weaknesses: No traction; some mailing lists break
IETF Status
SPF:  WG dead due to lack of rough consensus; “Experimental” status stalled on appeal, due to RR version conflict with SID
SID:  Same as SPF
CSV:  Stalled
DKIM: WG forming; delayed for “threat analysis”
BATV: Stalled