On Jan 28, 2014, at 3:53 PM, Brian E Carpenter <[email protected]> 
wrote:

> On 29/01/2014 12:39, Scott O. Bradner wrote:
>> I just remembered that we talked about setting a direction towards 
>> protection quite a while ago in RFC 1752
>> (the IPv6 recommendation)
>> 
>>   We feel that an improvement in the basic level of security in the
>>   Internet is vital to its continued success.  Users must be able to
>>   assume that their exchanges are safe from tampering, diversion and
>>   exposure.  Organizations that wish to use the Internet to conduct
>>   business must be able to have a high level of confidence in the
>>   identity of their correspondents and in the security of their
>>   communications.  The goal is to provide strong protection as a matter
>>   of course throughout the Internet.
>> 
>> Scott
> 
> I also noticed that we said this in RFC 1958:
> 
>   6.2 It is highly desirable that Internet carriers protect the privacy
>   and authenticity of all traffic, but this is not a requirement of the
>   architecture.  Confidentiality and authentication are the
>   responsibility of end users and must be implemented in the protocols
>   used by the end users. Endpoints should not depend on the
>   confidentiality or integrity of the carriers. Carriers may choose to
>   provide some level of protection, but this is secondary to the
>   primary responsibility of the end users to protect themselves.
> 
>     Brian

Dear Brian,

Agreed.  In addition, lack of SMTP client authentication is a primary reason 
IPv6 email remains a difficult service to defend.

Endpoint authentication is possible.  StartTLS or TLS can exchange client and 
server certificates as a means to authenticate these endpoints while also 
protecting transactions from third-party monitoring.  If only...

DKIM authenticates signed portions of a message in a manner independent of the 
sender without ensuring proper delivery or trivial checks protecting against 
message spoofing.  Nearly all email is exchanged as clear text where just the 
sender IP address offers a practical means to identify and block abuse.  IPv6 
email defense remains problematic, where attempts often employ various DNS 
derived authorization extensions which might even offer greater exposures.  
Reliance on IP addresses with insecure DNS exposes email to difficult-to-detect 
forms of router and DNS spoofing which may permit undetected MiTM attacks.

Regards,
Douglas Otis
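As an added illustration of the defensive checks the last paragraph above implies (this is not code from the thread or its authors), the following standard-library Python audits the Received trail of a constructed message: which hops recorded a TLS-protected transport via the RFC 3848 "with ESMTPS"/"ESMTPSA" keywords, whether a DKIM-Signature header is present at all, and which relay addresses were IPv6. The hostnames, addresses, ids and the DKIM placeholder values are constructed, and the header layout assumed is the common Postfix style; a real deployment should trust only the Received header its own MX added, since earlier ones arrive from the sender and can be forged.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample (not a real message): the newest hop is listed first.
# Hop 1 reached us over TLS from an IPv6 relay; hop 2 was clear-text ESMTP.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [2001:db8::25])
\tby mail.example.org (Postfix) with ESMTPS id ABC123
\tfor <[email protected]>; Tue, 28 Jan 2014 15:53:00 -0800 (PST)
Received: from client.example.com (client.example.com [192.0.2.10])
\tby mx.example.net (Postfix) with ESMTP id DEF456;
\tTue, 28 Jan 2014 15:52:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; h=from:to:subject;
\tbh=PLACEHOLDER; b=PLACEHOLDER
From: [email protected]
To: [email protected]
Subject: constructed sample

body
"""


def parse_received(value: str) -> dict:
    """Extract relay IP and transport keyword from one Received header.

    The 'with' keyword follows RFC 3848: ESMTPS / ESMTPSA mean the hop
    was TLS-protected, a trailing A means SMTP AUTH was used.
    """
    flat = re.sub(r"\s+", " ", value).strip()   # unfold continuation lines
    ip = None
    m = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", flat)
    if m:
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            ip = None                             # bracketed token was not an address
    proto = None
    m = re.search(r"\bwith ([A-Za-z0-9]+)\b", flat)
    if m:
        proto = m.group(1).upper()
    return {
        "ip": ip,
        "ip_version": ip.version if ip else None,
        "protocol": proto,
        "tls": bool(proto and proto.endswith(("SMTPS", "SMTPSA"))),
        "authenticated": bool(proto and proto.endswith("A")),
    }


def audit_message(raw: str) -> dict:
    """Summarise transport protection and DKIM presence for a raw message."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return {
        "hops": hops,
        # Every recorded hop used TLS; any clear-text hop defeats end-to-end confidentiality.
        "all_hops_tls": all(h["tls"] for h in hops) if hops else False,
        # Presence only: verification needs the signer's DNS record and is not done here.
        "has_dkim_signature": msg.get("DKIM-Signature") is not None,
        "ipv6_hops": sum(1 for h in hops if h["ip_version"] == 6),
    }


if __name__ == "__main__":
    report = audit_message(SAMPLE_MESSAGE)
    for i, hop in enumerate(report["hops"], 1):
        print(f"hop {i}: ip={hop['ip']} proto={hop['protocol']} tls={hop['tls']}")
    print("all hops TLS:", report["all_hops_tls"])
    print("DKIM-Signature present:", report["has_dkim_signature"])
```

The report only says a signature header exists; verifying it requires fetching the selector's public key from DNS, which is exactly the dependency the paragraph above warns about when DNS is not secured.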
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass