Re: [Asrg] DNSxL notation for IPv6?
From: Douglas Otis <dotis(at)mail-abuse.org>
Date: Mon Sep 17 2007 - 19:20:03 EDT

On Sep 17, 2007, at 1:00 PM, Meng Weng Wong wrote:

> On Sep 17, 2007, at 12:40 PM, Matthias Leisi wrote:

DNS was not designed to handle SPF either. SPF is a potential vector for dangerous reflected amplification attacks. It is not safe to attempt to return _all_ IP addresses for _all_ systems which may process a message for a domain. This list must be large and will entail many repeated transactions. SPF chains these transactions through the use of text macros. These macros can result in an unexpected attack that is not discerned by examination of messages or logs.

> I believe a number of next-generation protocols have been

Eventually, something other than an IP address is needed for validation. IPv6 represents 72 quadrillion (10^15) networks containing 18,400 quadrillion identifiers. In addition, there will be shared gateways transitioning between IPv4 and IPv6 versions. Bad actors can overwhelm any attempt to track reputations validated by an IP address. In addition, there are hundreds of millions of 0wned systems which have access to providers' outbound servers. This is a problem that might scale when pushed to the edge.

> At my company we use a very simple protocol; it runs on UDP with

For many, spam levels exceed 99% of the overall email traffic. To cope, connection status must be concluded within a few transactions. Bifurcation of message and notification offers advantages in that Delivery Status Notifications can be avoided when post-processing a message that is not desired, and removes the need for source validation. SPF was aimed at avoiding backscatter when processing is pipelined. This approach reduces email integrity, and imposes a dangerous level of up-front transactions. Transfer-by-reference avoids most of these problems. For this to work, domain tasting MUST END! There MUST be a reasonable cost associated with the control of a domain.

> We'd be happy to opensource it and publish it as a standard for

SCTP offers a better solution for specialized reputation services, even when tunnelled on UDP. SCTP requires less connection set-up than TCP, avoids resource exhaustion attacks, source spoofing, and can handle thousands of simultaneous framed transactions per connection. SCTP also uses an error detection scheme suitable for GigE when this becomes available. : )

-Doug

Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg

Received on Mon Sep 17 19:36:22 2007

This archive was generated by hypermail 2.1.8 : Mon Oct 29 2007 - 14:15:59 EDT
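The lookup fan-out Doug describes (one record committing the receiver to many further DNS transactions, with macros making each one message-specific) is something a receiver can measure statically before it evaluates anything. The following is an added example for this archive page, not code from the ASRG thread or from any SPF implementation. It parses the text of an SPF record offline, counts the terms that RFC 7208 defines as DNS-querying (`include`, `a`, `mx`, `ptr`, `exists`, `redirect`), flags macro use, and reports whether the record alone already exceeds the RFC's limit of 10 such terms. The sample records and the `example.*` domain names are constructed.

```python
"""Offline check of an SPF record for DNS-lookup fan-out.

Constructed example for this archive page, not code from the ASRG thread or
from any SPF implementation.  It parses the record text only and performs no
DNS queries, so it cannot see what an include: target expands to, but it does
show how many further transactions a single record commits the receiver to.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Terms whose evaluation requires a DNS query (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# RFC 7208 caps these at 10 per evaluation; beyond it the result is permerror.
MAX_LOOKUPS = 10
# SPF macro syntax: %{<letter>[digits][r][delimiters]}
MACRO_RE = re.compile(r"%\{[slodiphcrtv]\d*r?[.\-+,/_=]*\}", re.IGNORECASE)
# A term is an optional qualifier, a name, and whatever follows (":arg", "=arg", "/cidr").
TERM_RE = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9_.-]*)(.*)$")


@dataclass
class SpfReport:
    lookup_terms: List[str] = field(default_factory=list)
    macro_terms: List[str] = field(default_factory=list)
    exceeds_limit: bool = False


def parse_terms(record: str) -> List[Tuple[str, str, str]]:
    """Split an SPF record into (qualifier, name, argument) tuples."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version-1 record")
    terms = []
    for raw in parts[1:]:
        m = TERM_RE.match(raw)
        if not m:
            raise ValueError(f"malformed term: {raw!r}")
        qualifier, name, rest = m.groups()
        # "include:x" and "redirect=x" carry an argument; "a/24" keeps its CIDR as-is.
        arg = rest[1:] if rest[:1] in (":", "=") else rest
        terms.append((qualifier or "+", name.lower(), arg))
    return terms


def analyse(record: str) -> SpfReport:
    """Count lookup-causing terms and macro use; flag records over the limit."""
    report = SpfReport()
    for _qualifier, name, arg in parse_terms(record):
        if name in LOOKUP_TERMS:
            report.lookup_terms.append(f"{name}:{arg}" if arg else name)
        if MACRO_RE.search(arg):
            report.macro_terms.append(f"{name}:{arg}")
    report.exceeds_limit = len(report.lookup_terms) > MAX_LOOKUPS
    return report


# Constructed sample records; example.net / example.org are reserved documentation names.
MODEST_RECORD = "v=spf1 ip4:192.0.2.0/24 a mx include:spf.example.net ~all"
FANOUT_RECORD = (
    "v=spf1 "
    + " ".join(f"include:r{i}.example.net" for i in range(11))
    + " exists:%{ir}.%{l}.lookup.example.org -all"
)

if __name__ == "__main__":
    for rec in (MODEST_RECORD, FANOUT_RECORD):
        r = analyse(rec)
        print(f"{len(r.lookup_terms)} lookup terms, {len(r.macro_terms)} macro terms, "
              f"over limit: {r.exceeds_limit}")
```

The count is per record: each `include:` target has a record of its own whose lookups add to the same budget, which is the chaining the mail refers to. Macro terms such as `%{i}` or `%{l}` expand to a different name for every sending address or local part, so those queries miss the resolver cache and are repeated for each message; a receiver that enforces the limit stops evaluating at ten and returns permerror rather than continuing to issue queries.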