
DNS-based Message-Transit Authentication Techniques. D. Crocker, Brandenburg InternetWorking.

Presentation transcript:

1 DNS-based Message-Transit Authentication Techniques (title slide). D. Crocker, Brandenburg InternetWorking

2 D. Crocker, DNS-based Authentication Techniques. What we will cover…
- A little email background
- Evaluating anti-spam proposals:
- Authentication proposals
- Content vs. Operations
- Permit Ops Admin to enforce accountability
- Strengths and weaknesses
- Current status

3 Setting the Context. Cartoon, © 1975(!) Datamation: "This? Oh, this is the display for my electronic junk mail."

4 Email has Become Complicated… (diagram: several MUAs and a Mediator around the Mail Handling Service, with MSA, MTA, MDA and Bounce components)
- MUA: User Agent
- Mediator: User-level Relay
- MHS: Mail Handling (transit) Service
- MSA: Submission
- MTA: Transfer
- MDA: Delivery
- Bounce: Returns

5 More Than One “Sender” (diagram: MUA, MSA, MTA chain, MDA, Mailing List and Bounce, each labelled with the identity it supplies)
- MTA IP
- rfc2821.HELO
- Provider Network IP
- rfc2822.Sender
- rfc2822.From
- rfc2821.MailFrom (Bounce/Return-Path, set by rfc2822.Sender)
- rfc2821.Received

6 Trust Boundaries (diagram: seven Administrative Environments, AE 1 to AE 7, each enclosing its own MUAs, MSA/MTA/MDA hops or a Mediator)
- AE: Administrative Environment

7 Content analysis (e.g., Bayesian) vs. Accountability, composed of:
- Identity: Who does this purport to be? (IP address or domain name)
- Authentication: Is it really them?
- Authorization: What are they allowed to do?
- Assessment: What do I think of the agency giving them that permission? (e.g., reputation or accreditation)

8 Address Registration Schemes

Name (ID) | Identity checked | DNS RR | Purpose
Sender Policy Framework, SPF (schlitt-spf-classic) | rfc2821.MailFrom; rfc2821.Helo | SPF or TXT, v=spf1 | Register client MTA with MailFrom domain. “Owners authorize hosts to use their domain name in the MAIL FROM or HELO”
Sender-ID, SID (lyon-senderid-core) | rfc2822.Sender; rfc2821.MailFrom | SPF or TXT, v=spf1 or spf2.0 | Register client MTA with Sender domain. “Does SMTP client have permission from referenced mailbox?”
Certified Server Validation, CSV (mipassoc.org/csv) | rfc2821.Helo | A | Register client MTA domain of ops. “Permits SMTP server to decide whether SMTP client is likely to produce well-behaved traffic”
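The table lists which identity each registration scheme binds to the client MTA's IP address. The script below, an added example and not code from the talk, evaluates SPF for the rfc2821.MailFrom and Helo identities and Sender-ID for the Purported Responsible Address (PRA, derived from the rfc2822 Sender/From headers) against a constructed DNS table. The zone data, the hosts, the 198.51.100.x/203.0.113.x/192.0.2.x addresses and the messages are all constructed for the example; the evaluator supports only the ip4, ip6, a, mx, include and all mechanisms (no macros, redirect or exp), and the PRA selection is a simplified version of the Sender-ID header-order rule.

```python
"""SPF (MailFrom, Helo) and Sender-ID (PRA) checks against a constructed DNS table.

Added example for this transcript; not the talk's code.  All records,
hosts, addresses and messages below are constructed for illustration.
"""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed zone data (assumption: nothing here is looked up in real DNS).
DNS = {
    ("example.com", "TXT"): ["v=spf1 mx -all"],       # written with MailFrom in mind
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.25"],
    ("mail.example.com", "TXT"): ["v=spf1 a -all"],   # covers the rfc2821.Helo identity
    ("lists.example.net", "TXT"): ["v=spf1 ip4:203.0.113.10 -all"],
    ("bulk.example.org", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def select_record(domain, scope):
    """Pick the policy record for scope 'mfrom', 'helo' or 'pra'.

    Sender-ID first looks for an spf2.0 record whose scope list names the
    identity being checked; finding none, it reuses the domain's v=spf1
    record for PRA as well.  That reuse is the RR version conflict.
    """
    txts = DNS.get((domain, "TXT"), [])
    if scope in ("mfrom", "pra"):
        for rec in txts:
            version = rec.split()[0]
            if version.startswith("spf2.0/") and scope in version[7:].split(","):
                return rec
    spf1 = [rec for rec in txts if rec.split()[0] == "v=spf1"]
    return spf1[0] if spf1 else None


def _a_match(ip, domain):
    return any(ip == ipaddress.ip_address(a) for a in DNS.get((domain, "A"), []))


def check_host(client_ip, domain, scope, depth=0):
    """Minimal check_host(): ip4/ip6, a, mx, include, all; no macros/redirect/exp."""
    if depth > 10:
        return "permerror"
    record = select_record(domain, scope) if domain else None
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        result = "pass"
        if term[0] in QUALIFIER:
            result, term = QUALIFIER[term[0]], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = _a_match(ip, arg or domain)
        elif mech == "mx":
            matched = any(_a_match(ip, mx) for mx in DNS.get((arg or domain, "MX"), []))
        elif mech == "include":
            matched = check_host(client_ip, arg, scope, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return result
    return "neutral"


def pra_domain(raw_message):
    """Sender-ID's Purported Responsible Address, simplified: first present of
    Resent-Sender, Resent-From, Sender, From."""
    msg = message_from_string(raw_message)
    for field in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if msg.get(field):
            return parseaddr(msg[field])[1].rpartition("@")[2]
    return None


def authenticate(client_ip, helo, mail_from, raw_message):
    """Run the three identity checks from the registration-scheme table."""
    return {
        "spf_mailfrom": check_host(client_ip, mail_from.rpartition("@")[2], "mfrom"),
        "spf_helo": check_host(client_ip, helo, "helo"),
        "senderid_pra": check_host(client_ip, pra_domain(raw_message), "pra"),
    }


# Constructed messages: one relayed by a mailing list (Sender set), one not.
LIST_MSG = ("From: Alice <alice@example.com>\r\n"
            "Sender: list-bounces@lists.example.net\r\n"
            "Subject: [list] hello\r\n\r\nbody\r\n")
ESP_MSG = "From: Alice <alice@example.com>\r\nSubject: promo\r\n\r\nbody\r\n"

SCENARIOS = {  # (client IP, HELO, rfc2821.MailFrom, message)
    "direct": ("198.51.100.25", "mail.example.com", "alice@example.com", ESP_MSG),
    "forged": ("192.0.2.77", "mail.example.com", "alice@example.com", ESP_MSG),
    "mailing_list": ("203.0.113.10", "lists.example.net", "list-bounces@lists.example.net", LIST_MSG),
    "third_party_sender": ("203.0.113.50", "bulk.example.org", "bounce-42@bulk.example.org", ESP_MSG),
}


def run_scenarios():
    return {name: authenticate(*args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20s} {verdict}")
```

The last scenario is the conflict in practice: example.com published its v=spf1 record to describe who may use its name in MAIL FROM, yet when Alice sends through a third party with no Sender header, Sender-ID evaluates that same record against the From domain and fails the message, while SPF on the MailFrom passes.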

9 Signature-based Schemes

Name (ID) | Identity signed | DNS RR | Purpose
Domain Keys Identified Mail, DKIM (mipassoc.org/dkim) | Independent (!) signing domain, usually tied to rfc2822.Sender | TXT | Sign message body + selected headers; the signing domain publishes the verification key in its DNS, so the signature lets that domain take responsibility for the message regardless of the transit path.
Bounce Address Tag Validation, BATV (mipassoc.org/batv) | rfc2821.MailFrom | None required | Sign MailFrom. “Defines an extensible mechanism for validating the MailFrom address”
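BATV signs the rfc2821.MailFrom so that a bounce coming back to that address can be checked without any DNS record: the sender rewrites its own return path before submission and verifies the tag when a bounce arrives. The script below is an added example, not the BATV draft's code. It keeps the draft's prvs= tag shape (a key digit, a three-digit expiry day and six hex digits of signature in front of the original local part), but the MAC (HMAC-SHA256 over the tag and the original address), the day counter and the acceptance window are this example's own assumptions, as are the key and addresses.

```python
"""BATV-style signing and validation of the rfc2821.MailFrom (Return-Path) address.

Added example for this transcript, not the BATV draft's reference code.  The
prvs= layout follows the draft's shape; the MAC, day counter and acceptance
window below are this example's assumptions.
"""
import datetime
import hashlib
import hmac

MAX_LIFETIME_DAYS = 30                 # assumption: longest tag lifetime we accept
SECRET = b"constructed-demo-key"       # constructed key for the example
KEYS = {0: SECRET}                     # key id digit -> key, allows rotation
SIGN_DAY = datetime.date(2005, 7, 1)   # fixed date so the example is reproducible


def _mac(key, tag_prefix, address):
    """Six hex digits of HMAC-SHA256 over the tag prefix and original address."""
    return hmac.new(key, f"{tag_prefix}{address}".encode(), hashlib.sha256).hexdigest()[:6]


def batv_sign(mail_from, key, key_id=0, lifetime_days=7, today=None):
    """Rewrite bob@example.com to prvs=KDDDSSSSSS=bob@example.com."""
    today = today or datetime.date.today()
    expiry_day = (today.toordinal() + lifetime_days) % 1000  # expiry day, mod 1000
    tag_prefix = f"{key_id}{expiry_day:03d}"
    return f"prvs={tag_prefix}{_mac(key, tag_prefix, mail_from)}={mail_from}"


def batv_validate(rcpt_to, keys, today=None):
    """Check the recipient of an incoming bounce.

    Returns (accepted, original address or None).  Rejects: no prvs tag (a
    bounce for mail we never sent), unknown key id, bad MAC, expired tag, or a
    tag whose expiry lies implausibly far in the future.
    """
    today = today or datetime.date.today()
    local, _, domain = rcpt_to.rpartition("@")
    if not local.startswith("prvs="):
        return False, None
    tag_val, sep, core = local[len("prvs="):].partition("=")
    if not sep or len(tag_val) != 10 or not tag_val[:4].isdigit():
        return False, None
    key = keys.get(int(tag_val[0]))
    if key is None:
        return False, None
    original = f"{core}@{domain}"
    if not hmac.compare_digest(_mac(key, tag_val[:4], original), tag_val[4:]):
        return False, None
    days_left = (int(tag_val[1:4]) - today.toordinal()) % 1000
    if days_left > MAX_LIFETIME_DAYS:      # expired tags wrap around to ~999
        return False, None
    return True, original


def demo():
    """Sign once, then validate the bounces a receiver might see."""
    signed = batv_sign("bob@example.com", SECRET, today=SIGN_DAY)
    two_days = SIGN_DAY + datetime.timedelta(days=2)
    twenty_days = SIGN_DAY + datetime.timedelta(days=20)
    tampered = signed.replace("=bob@", "=eve@")
    return {
        "signed": signed,
        "valid_bounce": batv_validate(signed, KEYS, today=two_days),
        "expired_bounce": batv_validate(signed, KEYS, today=twenty_days),
        "tampered_bounce": batv_validate(tampered, KEYS, today=two_days),
        "unsigned_bounce": batv_validate("bob@example.com", KEYS, today=two_days),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16s} {value}")
```

The rewritten address is what breaks some mailing lists (slide 10): a list that compares the envelope sender against its subscriber roll sees prvs=...=bob@example.com rather than bob@example.com, so BATV deployments need the list software to compare on the core address or to strip the tag.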

10 Strengths and Weaknesses

Scheme | Strengths | Weaknesses
SPF | No client-side software | Limits transit sources, paths; admin & DNS query overhead; RR complexity
SID | No client-side software | Mostly same as SPF; IPR (Microsoft)
CSV | Simple, direct, complete | No traction
DKIM | Not sensitive to path, source | Software changes; signature fragility
BATV | Does not require interoperability | No traction; some MLs break
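"Signature fragility" in the DKIM row, together with "Sign message+headers" on slide 9, comes down to what the signature covers and how the body is canonicalized before hashing. The script below is an added example, not code from the talk or the DKIM project, and it implements only the body half: the simple and relaxed body canonicalizations and the resulting body hash (the bh= value) as specified in the published DKIM RFCs, which post-date this talk. The messages are constructed; no key, header canonicalization or RSA signature is involved.

```python
"""DKIM body hash under 'simple' and 'relaxed' body canonicalization, and how
in-transit changes affect it.

Added example for this transcript; not the talk's or any DKIM project's code.
Canonicalization rules follow the published DKIM spec; messages are constructed.
"""
import base64
import hashlib
import re


def _drop_trailing_empty_lines(body):
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body


def canon_body_simple(body):
    """'simple': ignore empty lines at the end of the body; the result always
    ends in exactly one CRLF (an empty body canonicalizes to CRLF)."""
    return _drop_trailing_empty_lines(body) + b"\r\n"


def canon_body_relaxed(body):
    """'relaxed': strip trailing whitespace on each line, collapse runs of SP/TAB
    to one SP, ignore trailing empty lines; an empty body becomes empty."""
    lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in body.split(b"\r\n")]
    body = _drop_trailing_empty_lines(b"\r\n".join(lines))
    return body + b"\r\n" if body else b""


def body_hash(body, canon="relaxed"):
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    canonical = canon_body_relaxed(body) if canon == "relaxed" else canon_body_simple(body)
    return base64.b64encode(hashlib.sha256(canonical).digest()).decode()


def survives(original, delivered, canon):
    """Would the signer's bh= still match what the verifier computes?"""
    return body_hash(original, canon) == body_hash(delivered, canon)


# Constructed message bodies: as signed, after an MTA normalized whitespace
# and added blank lines, and after a mailing list appended a footer.
ORIGINAL = b"Hello,\r\n\r\nPlease review the  attached report.\r\n-- \r\nAlice\r\n"
WHITESPACE_MANGLED = b"Hello,\r\n\r\nPlease review the attached report.\r\n--\r\nAlice\r\n\r\n\r\n"
FOOTER_ADDED = ORIGINAL + b"_______________\r\nlist mailing list\r\n"


def demo():
    return {
        (change, canon): survives(ORIGINAL, body, canon)
        for change, body in (("whitespace", WHITESPACE_MANGLED), ("footer", FOOTER_ADDED))
        for canon in ("simple", "relaxed")
    }


if __name__ == "__main__":
    for (change, canon), ok in demo().items():
        print(f"{change:10s} {canon:8s} signature {'survives' if ok else 'breaks'}")
```

Relaxed canonicalization absorbs the whitespace rewriting that transit MTAs and gateways perform, but nothing absorbs an appended footer: any byte added to the covered body changes bh=. DKIM's optional l= tag lets a signer cover only a prefix of the body so that list footers pass, at the cost of letting anyone append content under a still-valid signature, which is why most deployments leave it unset.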

11 IETF Status
- SPF: WG dead due to lack of rough consensus; “Experimental” status stalled on appeal, due to RR version conflict with SID
- SID: Same as SPF
- CSV: Stalled
- DKIM: WG forming; delayed for “threat analysis”
- BATV: Stalled

