[Asrg] DNSxL notation for IPv6?

Douglas Otis dotis at mail-abuse.org
Mon Sep 17 19:20:03 EDT 2007


On Sep 17, 2007, at 1:00 PM, Meng Weng Wong wrote:

> On Sep 17, 2007, at 12:40 PM, Matthias Leisi wrote:
>> Google was not helpful on this subject, so you may be able to help  
>> to reveal the status of DNSxL notation for IPv6.
>>
>> What would make sense, and what not? What has already been tried?
>
> We need better protocols.  DNS was never designed for this.

DNS was not designed to handle SPF either.  SPF is a potential vector  
for dangerous reflected amplification attacks.  It is not safe to  
attempt to return _all_ IP addresses for _all_ systems which may  
process a message for a domain.  This list must be large and will  
entail many repeated transactions.  SPF chains these transactions  
through the use of text macros.  These macros can result in an  
unexpected attack that is not discerned by examination of messages or  
logs.

> I believe a number of next-generation protocols have been  
> developed, or are being developed.

Eventually, something other than an IP address is needed for  
validation.  IPv6 represents 72 quadrillion (10^15) networks  
containing 18,400 quadrillion identifiers.  In addition, there will  
be shared gateways transitioning between IPv4 and IPv6 versions.  Bad  
actors can overwhelm any attempt to track reputations validated by  
an IP address.  In addition, there are hundreds of millions of 0wned  
systems which have access to provider's outbound servers.  This is a  
problem that might scale when pushed to the edge.

> At my company we use a very simple protocol; it runs on UDP with  
> retry and failover to TCP, just like DNS.  The serialization codec  
> is based on BitTorrent so it already has library support in many  
> languages.

For many, spam levels exceed 99% of the overall email traffic.  To  
cope, connection status must be concluded within a few transactions.   
Bifurcation of message and notification offers advantages in that  
Delivery Status Notifications can be avoided when post processing a  
message that is not desired, and removes the need for source  
validation.  SPF was aimed at avoiding back scatter when processing  
is pipe-lined.  This approach reduces email integrity, and imposes a  
dangerous level of up front transactions.  Transfer-by-reference  
avoids most of these problems.  For this to work, domain tasting MUST  
END!  There MUST be a reasonable cost associated with the control of  
a domain.

> We'd be happy to opensource it and publish it as a standard for  
> others to use.

SCTP offers a better solution for specialized reputation services,  
even when tunnelled on UDP.  SCTP requires less connection set-up  
than TCP, avoids resource exhaustion attacks, source spoofing, and  
can handle thousands of simultaneous framed transactions per  
connection.  SCTP also uses an error detection scheme suitable for  
GigE when this becomes available. : )

-Doug
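As an added illustration of the "many repeated transactions" point above (example code written for this archive page, not anything from the ASRG thread or from Doug's own tooling): a receiver-side check that walks a constructed SPF zone and counts the DNS-querying terms, the number RFC 7208 caps at 10 per evaluation so that one policy cannot fan out into an open-ended chain of lookups. The domains and records in SAMPLE_ZONE are constructed assumptions, and macro targets are counted once rather than expanded.

```python
import re
from typing import Dict, List, Optional, Tuple

# SPF terms that trigger a DNS query when evaluated. RFC 7208 (section 4.6.4)
# caps these at 10 per check_host() so a policy cannot fan out indefinitely.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed sample zone (domain -> SPF TXT record); assumption, not real data.
SAMPLE_ZONE: Dict[str, str] = {
    "example.com": "v=spf1 include:_spf.example.com include:mail.example.net -all",
    "_spf.example.com": "v=spf1 a mx include:hosts.example.com ~all",
    "hosts.example.com": "v=spf1 ip4:192.0.2.0/24 a:relay.example.com -all",
    "mail.example.net": ("v=spf1 mx ptr exists:%{i}.check.example.net "
                         "redirect=backup.example.net"),
    "backup.example.net": "v=spf1 mx -all",
}

def parse_terms(record: str) -> List[Tuple[str, Optional[str]]]:
    """Split an SPF record into (name, value) pairs, dropping the version tag,
    any leading qualifier (+ - ~ ?) and any trailing CIDR length."""
    terms = []
    for token in record.split()[1:]:
        m = re.match(r"([A-Za-z0-9]+)(?:[:=]([^/]*))?", token.lstrip("+-~?"))
        if m:
            terms.append((m.group(1).lower(), m.group(2)))
    return terms

def count_lookups(domain: str, zone: Dict[str, str], seen=None) -> int:
    """Count DNS-querying terms reached while evaluating `domain`'s policy,
    following include: and redirect= recursively. A macro target such as
    exists:%{i}... counts once here; a live check expands it per sender IP."""
    seen = set() if seen is None else seen
    if domain in seen:        # loop guard: an include cycle is not re-walked
        return 0
    seen.add(domain)
    total = 0
    for name, value in parse_terms(zone.get(domain, "v=spf1")):
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect") and value:
                total += count_lookups(value, zone, seen)
    return total

def exceeds_limit(domain: str, zone: Dict[str, str]) -> bool:
    """True when the policy would need more lookups than RFC 7208 permits."""
    return count_lookups(domain, zone) > MAX_LOOKUPS
```

With the sample zone, evaluating example.com reaches 11 lookup terms, so a compliant receiver stops with a permerror rather than continuing the chain.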