Re: Sufficient email authentication requirements for IPv6

2013-04-11 Thread Hector Santos
I don't have the same overall feeling that it's less reliable. I believe it is 100% reliable when it comes to the "good" communications, the serious stuff, the work, business communications. Those get through and more importantly, above all, when there is a problem, good people complain, any em

Re: Sufficient email authentication requirements for IPv6

2013-04-11 Thread Arturo Servin
Somebody point me to see that the date of the post in circleid is April 1st ... :) -as On 4/11/13 11:17 AM, Arturo Servin wrote: > > > On 4/10/13 7:55 PM, John Levine wrote: There seems to be a faction that feel that 15 years ago someone once blacklisted them and caused them

Re: Sufficient email authentication requirements for IPv6

2013-04-11 Thread Arturo Servin
On 4/10/13 7:55 PM, John Levine wrote: >>> There seems to be a faction that feel that 15 years ago someone once >>> blacklisted them and caused them some inconvenience, therefore all >>> DNSBLs suck forever. I could say similar things about buggy PC >>> implementations of TCP/IP, but I think a f

Re: Sufficient email authentication requirements for IPv6

2013-04-10 Thread Keith Moore
On 04/10/2013 07:14 PM, John R Levine wrote: Like I said, things have changed since 1996. Indeed they have. Email is much less reliable now than it was then. Agreed. But it's not the DNSBLs, it's all the other stuff, notably heuristic content filters, that we have to do to deal with the 9

Re: Sufficient email authentication requirements for IPv6

2013-04-10 Thread John R Levine
Like I said, things have changed since 1996. Indeed they have. Email is much less reliable now than it was then. Agreed. But it's not the DNSBLs, it's all the other stuff, notably heuristic content filters, that we have to do to deal with the 95% of mail that is spam these days. I track

Re: Sufficient email authentication requirements for IPv6

2013-04-10 Thread Keith Moore
On 04/10/2013 06:55 PM, John Levine wrote: There seems to be a faction that feel that 15 years ago someone once blacklisted them and caused them some inconvenience, therefore all DNSBLs suck forever. I could say similar things about buggy PC implementations of TCP/IP, but I think a few things ha

Re: Sufficient email authentication requirements for IPv6

2013-04-10 Thread John Levine
>> There seems to be a faction that feel that 15 years ago someone once >> blacklisted them and caused them some inconvenience, therefore all >> DNSBLs suck forever. I could say similar things about buggy PC >> implementations of TCP/IP, but I think a few things have changed since >> then, in both

Re: Sufficient email authentication requirements for IPv6

2013-04-10 Thread Douglas Otis
On Apr 10, 2013, at 6:26 AM, Keith Moore wrote: > On 04/09/2013 08:07 PM, John Levine wrote: >>> Quoting Nathaniel Borenstein [1]: >>> >>> "One man's blacklist is another's denial-of-service attack." >>> >>> Email reputation services have a bad reputation. >> They have a good enough reputat

Re: Sufficient email authentication requirements for IPv6

2013-04-10 Thread Keith Moore
On 04/09/2013 08:07 PM, John Levine wrote: Quoting Nathaniel Borenstein [1]: "One man's blacklist is another's denial-of-service attack." Email reputation services have a bad reputation. They have a good enough reputation that every non-trivial mail system in the world uses them. They're

Re: Sufficient email authentication requirements for IPv6

2013-04-09 Thread SM
Hi Doug, At 12:22 09-04-2013, Douglas Otis wrote: In full agreement with Nathaniel. Avoiding unfair collateral blocking is why source domain authentication, not authorization, is vital. I doubt that what's mentioned in the subject line will not face strong resistance within an IETF context.

Re: Sufficient email authentication requirements for IPv6

2013-04-09 Thread John Levine
>Quoting Nathaniel Borenstein [1]: > > "One man's blacklist is another's denial-of-service attack." > >Email reputation services have a bad reputation. They have a good enough reputation that every non-trivial mail system in the world uses them. They're not all the same, and a Darwinian proces

Re: Sufficient email authentication requirements for IPv6

2013-04-09 Thread Douglas Otis
On Apr 9, 2013, at 11:28 AM, SM wrote: > Hi Keith, > At 09:56 09-04-2013, Keith Moore wrote: >> You have it backwards. Internet email has long been under DDoS attack from >> email address reputation services. > > Quoting Nathaniel Borenstein [1]: > > "One man's blacklist is another's denia

Re: Sufficient email authentication requirements for IPv6

2013-04-09 Thread SM
Hi Keith, At 09:56 09-04-2013, Keith Moore wrote: You have it backwards. Internet email has long been under DDoS attack from email address reputation services. Quoting Nathaniel Borenstein [1]: "One man's blacklist is another's denial-of-service attack." Email reputation services have a b

Re: Sufficient email authentication requirements for IPv6

2013-04-09 Thread Douglas Otis
On Apr 8, 2013, at 10:27 PM, joel jaeggli wrote: > On 4/8/13 9:18 PM, Douglas Otis wrote: >> >> On Mar 31, 2013, at 1:23 AM, Doug Barton > > wrote: >> >>> On 03/30/2013 11:26 PM, Christian Huitema wrote: > IPv6 makes publishing IP address reputations impractical

Re: Sufficient email authentication requirements for IPv6

2013-04-09 Thread Keith Moore
On 03/29/2013 01:28 PM, Douglas Otis wrote: > The Internet is under a DDoS attack specifically against an email address reputation service. You have it backwards. Internet email has long been under DDoS attack from email address reputation services. Keith

Re: Sufficient email authentication requirements for IPv6

2013-04-08 Thread joel jaeggli
On 4/8/13 9:18 PM, Douglas Otis wrote: On Mar 31, 2013, at 1:23 AM, Doug Barton > wrote: On 03/30/2013 11:26 PM, Christian Huitema wrote: IPv6 makes publishing IP address reputations impractical. Since IP address reputation has been a primary method for identifyi

Re: Sufficient email authentication requirements for IPv6

2013-04-08 Thread Douglas Otis
On Mar 31, 2013, at 1:23 AM, Doug Barton wrote: > On 03/30/2013 11:26 PM, Christian Huitema wrote: >>> IPv6 makes publishing IP address reputations impractical. Since IP address >>> reputation has been a primary method for identifying abusive sources with >>> IPv4, imposing ineffective and fl

Re: Sufficient email authentication requirements for IPv6

2013-04-04 Thread Hector Santos
,Michael" ; "John C Klensin" ; "Walker,Severin" ; "Rosenwald,Jordan" ; "John Levine" Sent: Wednesday, April 03, 2013 8:01 PM Subject: Re: Sufficient email authentication requirements for IPv6 On Apr 3, 2013, at 6:16 PM, Dean Willis wrote: I've

Re: Sufficient email authentication requirements for IPv6

2013-04-03 Thread Doug Barton
On 04/03/2013 05:01 PM, Ted Lemon wrote: On Apr 3, 2013, at 6:16 PM, Dean Willis wrote: I've tried to imagine using Facebook-like system for IETF work, and it is strangely compelling ... It would, however, be nice if it were peer-to-peer rather than monolithic. XMPP (aka Jabber) already ha

Re: Sufficient email authentication requirements for IPv6

2013-04-03 Thread Ted Lemon
On Apr 3, 2013, at 6:16 PM, Dean Willis wrote: > I've tried to imagine using Facebook-like system for IETF work, and it is > strangely compelling ... It would, however, be nice if it were peer-to-peer rather than monolithic.

Re: Sufficient email authentication requirements for IPv6

2013-04-03 Thread Dean Willis
On Mar 30, 2013, at 10:43 AM, John C Klensin wrote: > > > It sometimes feels as if anti-spam efforts are trending in the > direction of its being acceptable to accidentally discard a few > dozen legitimate messages if doing so allows blocking a few > thousand unsolicited/undesired ones. I hop

Re: Sufficient email authentication requirements for IPv6

2013-04-02 Thread Douglas Otis
On Mar 30, 2013, at 11:26 PM, Christian Huitema wrote: >> IPv6 makes publishing IP address reputations impractical. Since IP address >> reputation has been a primary method for identifying abusive sources with >> IPv4, imposing ineffective and flaky > replacement strategies has an effect >>

Re: Sufficient email authentication requirements for IPv6

2013-03-31 Thread Hector Santos
Good points Dave. However, I would suggest that having tighter controls on the transport practice, e.g.; SMTP handshaking compliancy, following and honoring exclusive domain published policies, does help minimize support cost. -- HLS On 3/30/2013 7:46 PM, Dave Crocker wrote: On 3/30/2013 7

Re: Sufficient email authentication requirements for IPv6

2013-03-31 Thread John Levine
>In practice, the /64 prefix of the IPv6 address has very much the same >"administrative" properties as the /32 value of the IPv4 address. You would hope so, but I know hosting places that give their customers a /128 in a shared /64. They claim that their routers make this hard to fix. I don't k

Re: Sufficient email authentication requirements for IPv6

2013-03-31 Thread Doug Barton
On 03/30/2013 11:26 PM, Christian Huitema wrote: IPv6 makes publishing IP address reputations impractical. Since IP address reputation has been a primary method for identifying abusive sources with IPv4, imposing ineffective and flaky > replacement strategies has an effect of deterring IPv6 u

RE: Sufficient email authentication requirements for IPv6

2013-03-30 Thread Christian Huitema
> IPv6 makes publishing IP address reputations impractical. Since IP address > reputation has been a primary method for identifying abusive sources with > IPv4, imposing ineffective and flaky > replacement strategies has an effect > of deterring IPv6 use. In practice, the /64 prefix of the IP

Re: Sufficient email authentication requirements for IPv6

2013-03-30 Thread SM
At 07:57 30-03-2013, Livingood, Jason wrote: Mail acceptance for IPv4 worked inclusively - receivers accept unless IP reputation or other factors failed. IMHO with IPv6 that model may need to be turned around to an exclusive one - so receivers will not accept mail unless certain factors are met (

Re: Sufficient email authentication requirements for IPv6

2013-03-30 Thread Dave Crocker
On 3/30/2013 7:57 AM, Livingood, Jason wrote: Mail acceptance for IPv4 worked inclusively - receivers accept unless IP reputation or other factors failed. IMHO with IPv6 that model may need to be turned around to an exclusive one - so receivers will not accept mail unless certain factors are met

Re: Sufficient email authentication requirements for IPv6

2013-03-30 Thread Douglas Otis
Dear Jason, On Mar 30, 2013, at 7:57 AM, "Livingood, Jason" wrote: > On 3/29/13 12:58 PM, "John Levine" wrote: > > >>> As a result, it is questionable whether any IPv6 address-based >>> reputation system can be successful (at least those based on voluntary >>> principles.) >> >> It can prob

Re: Sufficient email authentication requirements for IPv6

2013-03-30 Thread John C Klensin
--On Saturday, March 30, 2013 14:57 + "Livingood, Jason" wrote: >... > Mail acceptance for IPv4 worked inclusively - receivers accept > unless IP reputation or other factors failed. IMHO with IPv6 > that model may need to be turned around to an exclusive one - > so receivers will not accept

Re: Sufficient email authentication requirements for IPv6

2013-03-30 Thread Livingood, Jason
On 3/29/13 12:58 PM, "John Levine" wrote: >>As a result, it is questionable whether any IPv6 address-based >>reputation system can be successful (at least those based on voluntary >>principles.) > >It can probably work for whitelisting well behaved senders, give or take >the DNS cache busting is

Re: Sufficient email authentication requirements for IPv6

2013-03-30 Thread Hector Santos
Hi Doug, This sounds urgent. I am not seeing this urgency, but maybe we just have it under control. Another side question Doug, is this an application-level based filtering? Can one be authenticated let's say for SMTP but not WEB? Is the filtering applied across all protocols? Is it the IP

Re: Sufficient email authentication requirements for IPv6

2013-03-29 Thread Doug Barton
On 03/28/2013 08:29 PM, Douglas Otis wrote: IPv6 makes publishing IP address reputations impractical. For individual addresses, sure. But one of the (if not *the*) primary benefits of v4 reputation is the test of whether or not the address is in a botnet range (aka, ranges assigned to end-use

Re: Sufficient email authentication requirements for IPv6

2013-03-29 Thread Douglas Otis
On Mar 29, 2013, at 9:58 AM, "John Levine" wrote: >> As a result, it is questionable whether any IPv6 address-based reputation >> system can be successful (at least those based on voluntary principles.) > > It can probably work for whitelisting well behaved senders, give or take > the DNS cach

Re: Sufficient email authentication requirements for IPv6

2013-03-29 Thread John Levine
>As a result, it is questionable whether any IPv6 address-based reputation >system can be successful (at least those based on voluntary principles.) It can probably work for whitelisting well behaved senders, give or take the DNS cache busting issues of IPv6 per-message lookups. Since a bad guy

Re: Sufficient email authentication requirements for IPv6

2013-03-29 Thread Mikael Abrahamsson
On Fri, 29 Mar 2013, John Curran wrote: This approach works fine if one presumes that the problem is always just the customer (i.e. their ISP is actively interested in helping solve the problem.) For ISPs who are not as interested (or may have an actual motivation to hinder resolution of the

Re: Sufficient email authentication requirements for IPv6

2013-03-29 Thread John Curran
On Mar 29, 2013, at 4:13 AM, Mikael Abrahamsson wrote: > My belief is that IP address reputation has always been flakey, it's just > vastly more so with IPv6. > > What we need is a way to identify an "entity" subnet size. This work is > probably wasted on IPv4, but it's definitely needed for IP

Re: Sufficient email authentication requirements for IPv6

2013-03-29 Thread Mikael Abrahamsson
On Thu, 28 Mar 2013, Douglas Otis wrote: IPv6 makes publishing IP address reputations impractical. Since IP address reputation has been a primary method for identifying abusive sources with IPv4, imposing ineffective and flaky replacement strategies has an effect of deterring IPv6 use. My b

Re: Sufficient email authentication requirements for IPv6

2013-03-28 Thread Douglas Otis
Hello Hector, On Mar 28, 2013, at 3:53 PM, Hector Santos wrote: > Hi Doug, > > On 3/28/2013 2:13 PM, Douglas Otis wrote: >> Dear IETF, >> >> In response to various strategies to reject IPv6 email lacking either DKIM >> or SPF, the non-negotiated approach suggests far greater review is needed.

Re: Sufficient email authentication requirements for IPv6

2013-03-28 Thread Hector Santos
Hi Doug, On 3/28/2013 2:13 PM, Douglas Otis wrote: Dear IETF, In response to various strategies to reject IPv6 email lacking either DKIM or SPF, the non-negotiated approach suggests far greater review is needed. What's the difference with IPv6 connections? Should it matter? Does it matter?

Sufficient email authentication requirements for IPv6

2013-03-28 Thread Douglas Otis
Dear IETF, In response to various strategies to reject IPv6 email lacking either DKIM or SPF, the non-negotiated approach suggests far greater review is needed. Here is a paper illustrating problems with DKIM. https://www.dropbox.com/sh/jh4z407q45qc8dd/MlcUTUFUf4/Domains%20as%20a%20basis%20for%20