Internet DRAFT - draft-klensin-rfc2821-security

draft-klensin-rfc2821-security







Network Working Group                                         J. Klensin
Internet-Draft                                              July 8, 2005
Expires: January 9, 2006


             Security Considerations Issues for RFC 2821bis
                 draft-klensin-rfc2821-security-00.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 9, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   RFC 3552 is a useful analysis and presentation of recommendations for
   Security Considerations Sections.  Part of its content is an
   extensive analysis of, and proposed replacement for, the Security
   Considerations section of RFC 2821.  In important respects, the
   proposed replacement text may not be appropriate for this type of
   document.  It also raises some specific issues that may not be
   consistent with the consensus community of email experts about best
   practice.  Given the way it is worded, and the fact that it was
   published as a BCP document, it is plausible to consider it as an



Klensin                  Expires January 9, 2006                [Page 1]

Internet-Draft             RFC3552 SMTP Issues                 July 2005


   Update to RFC 2821 and to consider its "example" to be normative for
   any future revision of RFC 2821 such as the work that has been
   started in [7].  Those perceptions should be definitively evaluated
   and corrected if necessary.  This document is a first step in doing
   so and also makes some specific additional suggestions about the
   handling of Security Considerations material.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Practical Application of RFC 3552  . . . . . . . . . . . . . .  4
   3.  Mail Principles and Security . . . . . . . . . . . . . . . . .  4
   4.  Section by Section Analysis of the Replacement Section . . . .  5
     4.1   Section 6.1.1.1: Discussion of IDENT . . . . . . . . . . .  5
     4.2   Section 6.1.1.3: Security value of disabling VRFY  . . . .  6
     4.3   Section 6.1.1.8: Spam  . . . . . . . . . . . . . . . . . .  6
     4.4   Section 6.1.2: Communications Security . . . . . . . . . .  7
     4.5   6.1.3: Denial of Service . . . . . . . . . . . . . . . . .  7
     4.6   Additional Material for 2821bis  . . . . . . . . . . . . .  7
   5.  Conclusion and Recommendations . . . . . . . . . . . . . . . .  7
   6.  Security Considerations  . . . . . . . . . . . . . . . . . . .  8
   7.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .  8
   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . .  9
     8.1   Normative References . . . . . . . . . . . . . . . . . . .  9
     8.2   Informative References . . . . . . . . . . . . . . . . . .  9
       Author's Address . . . . . . . . . . . . . . . . . . . . . . .  9
       Intellectual Property and Copyright Statements . . . . . . . . 10
























Klensin                  Expires January 9, 2006                [Page 2]

Internet-Draft             RFC3552 SMTP Issues                 July 2005


1.  Introduction

   RFC 3552 [2] is a useful analysis and presentation of recommendations
   for Security Considerations Sections.  Part of its content is an
   extensive analysis of, and proposed replacement for, the Security
   Considerations section of RFC 2821 [1] (SMTP).  In important
   respects, the proposed replacement text may not be appropriate for
   the type of document that RFC 2821 represents, namely a unified
   description and collection of clarifications to a widely-deployed and
   very established protocol.  This document suggests that RFC 3552
   should have made a distinction between the intent of Security
   Considerations sections for a new protocol at or before early stages
   of deployment and a mature and widely deployed protocol.  For early-
   stage protocols, the activity of constructing a Security
   Considerations section and working through the issues involved may
   result in significant improvements to the protocol itself.  By
   contrast, for a protocol as well-established and widely deployed as
   SMTP, the security issues are, to paraphrase a discussion with one of
   RFC 3552's authors, essentially what they are: the construction and
   review of a Security Considerations section is unlikely to have any
   significant impact on how the protocol is designed or operates,
   although a security analysis may be helpful in making operational
   decisions.

   The proposed replacement text may also not reflect consensus of the
   community of email experts about best practice, especially in the
   area of address-based blacklist filtering for spam.  That document
   can be interpreted as suggesting that it is reasonable to expect that
   a document specifying email transport should be required to contain
   an analysis of at least a very large fraction, and perhaps even a
   comprehensive listing, of the ways in which email could be attacked
   or misused, or how one might (reasonably or otherwise) defend against
   those attacks.

   This author believes that level of analysis would be extremely
   useful.  Considerable analysis is, however, required.  Moveover, the
   security environment for Internet applications often evolves much
   more rapidly than the applications, especially the more mature ones,
   do themselves.  This combination suggests that, at least for mature
   and widely-deployed protocols, the analysis is better prepared
   separately and placed in a document separate from the protocol
   specification itself.

   Put differently, there is unquestionably a place for complete
   security analyses of a protocol and its applications and
   implementations.  Such work is certainly valuable when it can be
   produced, but expecting such an analysis, or even a near
   approximation to it, as part of a "security considerations" section



Klensin                  Expires January 9, 2006                [Page 3]

Internet-Draft             RFC3552 SMTP Issues                 July 2005


   -- the adequate completion of which is prerequisite to approval and
   publication of any document that comes through the IETF process-- is
   probably unwise when the base document reflects clarifications and
   document unification for a mature protocol.  A statement of known
   risks in the design and use of the protocol --or even a statement
   that the protocol is sufficiently insecure that it should be used
   only in a highly-protected and isolated environment -- is certainly
   reasonable and appropriate.  But a normative presentation and
   analysis of suggestions of some subset of ways to resist certain
   misuses of the protocol by end users might reasonably be the subject
   of other documents, and even standards, but it is inappropriate to
   require it as part of the "security considerations" section of the
   base protocol.

   Given the way RFC3552 is worded, and the fact that it was published
   as a BCP document, it is plausible to consider it as an update to RFC
   2821 (i.e., replacing the Security Considerations section of that
   document) and to consider its "example" to be normative for any
   future revision of RFC 2821.  Those perceptions should be
   definitively evaluated and corrected if necessary.  This document is
   a first step in doing so and also makes some specific additional
   suggestions about the status, in practice, of RFC 3552 and the
   handling of Security Considerations material for mature and deployed
   standards.

2.  Practical Application of RFC 3552

   The author has extracted a convenience sample of a dozen,
   specifications whose principal focus was not security, approved as
   Proposed Standards in the two years since RFC 3552 was published.  If
   the documents examined were representative, they would suggest that
   RFC 3552 has been generally ignored, with few if any of those
   documents meeting all of its requirements for identification of
   possible threats and discussion of proposed threat-protection
   mechanisms that would not work.  Perhaps it would be reasonable to
   conclude from this that it should be ignored in constructing the
   replacement for RFC 2821 as well.  However, since RFC 2821 is singled
   out as an example, that seems unwise and this document is supplied to
   initiate a specific discussion in the context of unfolding work up an
   update to RFC 2821 [7].  (Cf. Section 5.)

3.  Mail Principles and Security

   It is a long-standing principle of email on the Internet and
   elsewhere, and, indeed, of most postal mail systems, that the mail
   should, if at all possible, go through and that, if it does not go
   through, the failure should be indicated through established and
   standardized mechanisms.  As RFC 2821 points out, it is entirely



Klensin                  Expires January 9, 2006                [Page 4]

Internet-Draft             RFC3552 SMTP Issues                 July 2005


   rational for mail systems to make operational exceptions to that
   principle and to, e.g., drop mail without making great efforts to
   return it, if they know they are under attack.  But the principle
   remains: rejecting, discarding, or blocking mail that cannot be
   positively identified as hostile or otherwise unwanted is generally
   considered extremely undesirable.  Indeed, doing so can create a
   security risk, since it is possible that an incorrectly-discarded
   message might contain information that was critical to the intended
   recipient.

   Consequently, while feelings often run very high about where the
   lines should be drawn, any system for mail filtering and rejection
   for other than undeliverability or known inaccessibility to the
   intended recipient must be considered a tradeoff between improved
   safety or convenience and the risk of incorrect rejections.

4.  Section by Section Analysis of the Replacement Section

   Section 5 of RFC 3552 requires identifying, as a strong requirement
   (i.e., with "MUST" language as defined in [4]) the range of attacks
   that are possible on a protocol, those that are not relevant ("out of
   scope"), and what attacks it protects against.  Perhaps only because
   of the differences between new protocols and those that are mature
   and widely deployed, these requirements may not, as written be
   appropriate for SMTP.  With a protocol as old and established as
   SMTP, the security issues are generally well understood, much more so
   than with a protocol that has not yet been extensively tested by
   experience.  One way to look at this is that, for a newer protocol,
   we have Security Considerations and their influence on the design or
   applicability of the protocol itself.  For SMTP, a security analysis
   is useful and important.  Such an analysis might include suggestions
   about, e.g., the configuration of an SMTP implementation for use
   under various circumstances but is necessarily somewhat different
   from one written to describe risks and issues in a new protocol.

   Familiarity with RFC 3552 section 5, and the SMTP-specific material
   in section 6.1, is assumed in the material that follows.  The section
   numbers cited are in RFC 3552.

4.1  Section 6.1.1.1: Discussion of IDENT

   IDENT [3] is a Proposed Standard.  If one agrees with the analysis in
   3552, the appropriate action would be to deprecate IDENT, or generate
   an appropriate applicability statement about it, not to simply insert
   comments into the SMTP specification.  The text and examples of 3552
   can be read to suggest is a requirement to discuss every unfortunate
   or ineffective approach to SMTP security.  If that were to be the
   goal, then discussions on the IETF-based SMTP and anti-spam mailing



Klensin                  Expires January 9, 2006                [Page 5]

Internet-Draft             RFC3552 SMTP Issues                 July 2005


   lists during the year preceeding July 2005 present a legion of
   opportunities, most of them more problematic than IDENT.  The IDENT
   material probably does not belong in RFC 2821, although a pointer to
   a discussion if IDENT, and a number of ideas with similar intent,
   would be entirely appropriate.

4.2  Section 6.1.1.3: Security value of disabling VRFY

   RFC 3552 suggests adding a note indicating that disabling VRFY may
   not have much security value since the same information may be
   available from RCPT TO.  If this is going to be said, it should be
   associated with a more complete discussion of when VRFY does actually
   produce more information that RCPT TO, e.g., when address processing
   is deferred for the latter, as the mail specifications have permitted
   for years.  The text in the initial draft of 2821bis has been
   modified to reflect that point.  The statement and recommendation in
   RFC 3552 appears to be too simplistic in this area.  So, if a
   subsection of a Security Considerations were to discuss issues with
   VRFY, it would presumably need to pick up (or point to), considerable
   material that already appears elsewhere in RFC 2821 and avoid some of
   the pitfalls identified there.

4.3  Section 6.1.1.8: Spam

   RFC 3552 recommends including an extended discussion of spam-fighting
   issues in the SMTP specification, citing and expanding on [6].  The
   email-expert portion of the IETF community has repeatedly reached
   rough consensus that the base email transport and message headers and
   body specifications should be kept free of operational
   considerations, particularly those concerned with spam-fighting and
   spam-resistance, other than to note areas of the specifications in
   which exceptions can be made when operationally necessary.  The
   various efforts in the IETF and IRTF to develop anti-spam
   specifications and techniques have generally been instructed to stay
   away from modifications to the base email specifications (although
   they may, and have, created compatible extensions to them).  Yet RFC
   3552 proposes to override that consensus and those agreements to
   include a spam-fighting discussion in RFC 2821 and its successors.

   Worse, the text proposed in 3552 appears to recommend "blacklisting"
   techniques of various sorts, going so far as to identify particular
   sources of blacklists.  While they were more popular a few years ago
   than they are today, it would be a significant understatement to
   suggest that these techniques are controversial in the email
   community and that there is no IETF consensus to recommend them as
   appropriate.





Klensin                  Expires January 9, 2006                [Page 6]

Internet-Draft             RFC3552 SMTP Issues                 July 2005


4.4  Section 6.1.2: Communications Security

   In the opinion of this author, this material is quite good.  It
   belongs somewhere, but probably not in the SMTP specification.  For
   that specification, it goes fairly far into message header issues
   (normally the provence of other specifications), it explores
   difficulties in other protocols, such as the use of IPSEC, and so
   forth.  In addition, it suffers from some of the same difficulties
   discussed above in Section 4.2: if one is going to go into these
   areas in the context of SMTP, some of the discussion is insufficient
   and incomplete.

4.5  6.1.3: Denial of Service

   Again, while there is nothing wrong with this new material, it is not
   clear that it is adequate in the SMTP context.  Singling out one
   specific implementation for one of its idiosyncracies seems
   particularly inappropriate.  If one is going to examine DoS attacks
   in the SMTP context, perhaps the most important issue --certainly an
   important issue-- involves tuning of the various SMTP timeouts.  That
   is a hot topic on many discussion lists, especially those concerned
   with spam fighting, and has been for years.  Additionally, there are
   specific, standards-track, SMTP extensions (including [5], a Full
   Standard) that can be used to manage some of the issues this section
   raises (in the case of RFC 1870, the excessive disk usage problem)
   but are not mentioned in the discussion that RFC 3552 supplies.
   Where is it appropriate for the security considerations material of
   RFC 2821 us stop, given the level of detail provided in other
   subsections?

4.6  Additional Material for 2821bis

   Interestingly, there are a wide range of topics that might
   appropropriately be covered in a security analysis of SMTP that the
   RFC 3552 analysis odes not cover.  They include a more comprehensive
   treatment of approrpriate and inappropriate actions in dealing with
   mail that is presumed to be hostile, the among and type of logging
   and reporting that should be maintained for mesages that are dropped,
   various authentication frameworks and the problems they do and do not
   solve, and so on.  The likely extent of that material again suggests
   that it would be better placed in a separate "mail security analysis"
   document than forced into the SMTP specification.

5.  Conclusion and Recommendations

   The tone and several of the requirements imposed by RFC 3552 are
   dubious, especially when applied to documents describing mature and
   widely-deployed protocols.  For such protocols, the most likely



Klensin                  Expires January 9, 2006                [Page 7]

Internet-Draft             RFC3552 SMTP Issues                 July 2005


   impact of strict application of 3552 as written would be to further
   discourage applicability statements, standards that consolidate prior
   work (in the case of SMTP, much of it already at a full Standard
   level), and documents created to raise the maturity level of the
   specifications, by imposing a burdensome analysis and documentation
   requirement.  We have too few of such documents as it is; they should
   be made more burdensome to create only after careful consideration by
   the community.  It is also problematic to require, as RFC 3552 can be
   interpreted as requiring, that the security considerations section of
   every protocol specification either contain a discussion of every
   other protocol that might be used with it or point to a discussion of
   that protocol that was adequate under 3552's rules.  Security
   analysis of collections of protocols is probably better left to
   stand-alone documents that can be referred to from individual members
   of the collection.

   Perhaps fortunately, the IESG has apparently ignored the requirements
   of RFC 3552 in a number of specifications it has approved for the
   standard track subsequent to 3552's publication.  Of course, that
   creates a different problem, one of having procedural BCPs that are
   approved by the IESG and then ignored (either globally or
   selectively).  It is hard to argue that such documents are BCPs at
   all, and their approval is probably indicative of a systemic problem
   in the IETF.

   At least in this author's opinion, the discussion in RFC 3552 is
   quite useful and the suggestions it makes should be given serious
   consideration.  The difficulties arise when its text --all of its
   text-- are considered normative for other specifications, especially
   specifications that describe mature and widely-deployed protocols.
   Its BCP status, and the use of strong normative requirement language
   from RFC 2119, certainly implies that it should be considered
   normative in that way and that situation probably requires some
   clarification.

6.  Security Considerations

   This document is about an effort to refine the specification for
   security considerations sections, especially in the context of
   updated descriptions for mature and widely-deployed protocols.  It
   does not, itself, have any impact on protocol security.

7.  Acknowledgements

   Thanks to Ted Hardie and a brief discussion during an Applications
   Area meeting that led to the suggestion that a document like this one
   was the right way to pursue this problem.  Thanks also to the several
   people who encouraged me to not just write off 2821bis in the light



Klensin                  Expires January 9, 2006                [Page 8]

Internet-Draft             RFC3552 SMTP Issues                 July 2005


   of the discovery of the provisions of 3552.  And thanks especially to
   Eric Rescorla for his extensive and helpful discussion of issues in
   RFC 3552 and an earlier version of this document.

8.  References

8.1  Normative References

   [1]  Klensin, J., "Simple Mail Transfer Protocol", RFC 2821,
        April 2001.

   [2]  Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on
        Security Considerations", BCP 72, RFC 3552, July 2003.

8.2  Informative References

   [3]  Mindel, J. and R. Slaski, "FTP-FTAM Gateway Specification",
        RFC 1415, January 1993.

   [4]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

   [5]  Klensin, J., Freed, N., and K. Moore, "SMTP Service Extension
        for Message Size Declaration", STD 10, RFC 1870, November 1995.

   [6]  Lindberg, G., "Anti-Spam Recommendations for SMTP MTAs", BCP 30,
        RFC 2505, February 1999.

   [7]  Klensin, J., "Simple Mail Transfer Protocol", July 2005.


Author's Address

   John C Klensin
   1770 Massachusetts Ave, #322
   Cambridge, MA  02140
   USA

   Phone: +1 617 491 5735
   Email: john-ietf@jck.com











Klensin                  Expires January 9, 2006                [Page 9]

Internet-Draft             RFC3552 SMTP Issues                 July 2005


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.




Klensin                  Expires January 9, 2006               [Page 10]