ietf-wg-dmarc / dmarc-draftissues

DMARC reporting requires explicit knowledge of all valid sending IP addresses #101

Closed ietf-svn-bot closed 3 years ago

ietf-svn-bot commented 3 years ago

resolution_wontfix type_defect | by mike@mtcc.com


In order to differentiate between an attacker sending from an unapproved IP address and an approved but not yet validated source, the receiver of reports needs to have explicit knowledge of all valid IP addresses in use, including those of outsourced email for example. This is not spelled out in the current draft and should be. Given the current DMARC reporting architecture, not knowing all valid IP addresses could lead to an attacker spoofing messages to large providers to make it seem as if approved but unsigned traffic is still at large. It should be made plain that this is part of the task of getting to a p=reject policy.

There is a security aspect to this as well as a deployment aspect.


Issue migrated from trac:101 at 2022-01-24 16:53:15 +0000

ietf-svn-bot commented 3 years ago

@todd.herr@valimail.com changed component from dmarc-bis to dmarc-aggregate-reporting

ietf-svn-bot commented 3 years ago

@todd.herr@valimail.com commented


Hatless...

I disagree with the premise of this ticket, and assert that not only does DMARC reporting not require explicit knowledge of all valid sending IP addresses, DMARC reporting instead provides a facility by which it reveals to the domain owner previously-unknown valid IP addresses, leading to a full understanding of the IP addresses in use to send mail for the domain.

ietf-svn-bot commented 3 years ago

@vesely@tana.it commented


Attacker in the above description is used with two meanings:

ietf-svn-bot commented 3 years ago

@vesely@tana.it changed _comment0 which not transferred by tractive

ietf-svn-bot commented 3 years ago

@johnl@taugh.com changed status from new to closed

ietf-svn-bot commented 3 years ago

@johnl@taugh.com set resolution to wontfix

ietf-svn-bot commented 3 years ago

@johnl@taugh.com commented


This ticket misunderstands how DMARC reporting works.
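
An added example, not part of the ticket or the draft: the aggregate-report rows the thread is discussing, triaged by source IP. It groups rows by whether DMARC evaluation passed and whether the IP is in the domain owner's inventory. The sample report, the `KNOWN_SENDERS` inventory and the bucket names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample report, trimmed to the RFC 7489 aggregate-report fields used below.
def _rec(ip, count, dkim, spf):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition>"
            f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row></record>")

SAMPLE_REPORT = "<feedback>" + "".join([
    _rec("192.0.2.10", 120, "pass", "pass"),   # inventoried, authenticated
    _rec("198.51.100.7", 40, "pass", "fail"),  # not inventoried, aligned DKIM pass
    _rec("192.0.2.11", 3, "fail", "fail"),     # inventoried, not yet authenticated
    _rec("203.0.113.5", 15, "fail", "fail"),   # not inventoried, unauthenticated
    _rec("203.0.113.5", 5, "fail", "fail"),
]) + "</feedback>"

# Hypothetical inventory of IPs the domain owner already knows about.
KNOWN_SENDERS = {"192.0.2.10", "192.0.2.11"}

def triage(report_xml, known_ips):
    """Return {bucket: {source_ip: message_count}} for one aggregate report."""
    # Reports come from third parties; a production parser should be hardened
    # against hostile XML (for example with the defusedxml package).
    buckets = {}
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the aligned results; DMARC passes if either passes.
        aligned = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        if aligned:
            label = "known_passing" if ip in known_ips else "discovered_passing"
        else:
            label = "known_failing" if ip in known_ips else "unattributed_failing"
        per_ip = buckets.setdefault(label, {})
        per_ip[ip] = per_ip.get(ip, 0) + count
    return buckets

if __name__ == "__main__":
    for label, ips in sorted(triage(SAMPLE_REPORT, KNOWN_SENDERS).items()):
        print(label, ips)
```

Rows in `discovered_passing` identify themselves through an aligned pass, while rows in `unattributed_failing` carry nothing in the report that ties them to the domain.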