[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: working group last call on ISP draft



< As I promised in my message a couple of weeks ago, this is the
< announcement for working group last call on draft-ietf-grip-isp-03.txt.
< This call will last 2 weeks after which I'll submit it to the IESG for BCP
< consideration.

Correct me if I'm wrong, but as long as it refers to draft RFC's, won't it
get rejected until those drafts become published?

One of the sections which refers to drafts is Section 8.4 Message
Submission, which refers to draft-gellens-submit-05.txt and
draft-myers-smtp-auth-09.txt. This section recommends using the SUBMIT
protocol extended by the addition of the AUTH SMTP extension. Wouldn't it be
better to get Gellens to modify his draft so that it incorporates the AUTH
SMTP extension, and then make our recommendation based on the new version?

Based on the current text, I disagree with the statement "In this way the
SMTP port (25) can be restricted to local delivery only." The way Gellen's
draft is written, port 25 can still be used for traffic originating from a
local user, as well as relay traffic. The purpose of Myers' draft is to add
authentication to locally-originated mail so that you know who sent it,
without affecting any other sort of port 25 traffic. In other words, Myers'
draft is what adds a facility to enforce a security policy to either port 25
or port 587.

In fact, isn't it really the authentication that we're looking for, whether
it's implemented in either SUBMIT or SMTP? So either mechanism can be
recommended, as long as authentication is used as well.

I think section 8.4 should be rewritten as follows:

    Message submission should be done through one of three mechanisms: the
    authenticated MAIL SUBMIT protocol (port 587), the authenticated SMTP
    protocol (port 25), or the POP3 XTND XMIT extension (port 110).

    The MAIL SUBMIT protocol, described in [draft-gellens-submit-05.txt]
    with the addition of authentication as described in
    [draft-myers-smtp-auth-09.txt], and the SMTP authentication extension,
    described in [draft-myers-smtp-auth-09.txt], facilitate the enforcement
    of a security policy.

    These two measures not only protect the ISP from serving as a UBE
    injection point, but also help in tracking accountability for message
    submission in the case where a customer sends UBE.  Furthermore, using
    the authentication has additional advantages over IP address-based
    submission restrictions in that it gives the ISP's customers the
    flexibility of being able to submit mail even when not connected through
    the ISP's network (for example, while at work), is more resistant to
    spoofing, and can be upgraded to newer authentication mechanisms as they
    become available.

    The (undocumented) XTND XMIT POP3 extension which allows clients to send
    mail through the POP3 session rather than using SMTP may also be
    considered.  It also provides a way to support mobile users at sites
    where open relaying is disabled, and has the benefit of an authenticated
    connection and a better audit trail.

On a separate note, I started writing an informational RFC describing the
XTND XMIT protocol. Should I finish writing it and submit it to the group?
That way, we can remove the "(undocumented)" from the above paragraph.

					Tony Hansen
			      tony@att.com, tony@attmail.com