From hgs@cs.columbia.edu Wed Sep 2 18:09:06 2009 Return-Path: X-Original-To: rucus@core3.amsl.com Delivered-To: rucus@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B46E428C10C for ; Wed, 2 Sep 2009 18:09:06 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.258 X-Spam-Level: X-Spam-Status: No, score=-5.258 tagged_above=-999 required=5 tests=[AWL=1.341, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RAekoprF5aMe for ; Wed, 2 Sep 2009 18:09:05 -0700 (PDT) Received: from brinza.cc.columbia.edu (brinza.cc.columbia.edu [128.59.29.8]) by core3.amsl.com (Postfix) with ESMTP id 72D0528C124 for ; Wed, 2 Sep 2009 18:09:05 -0700 (PDT) Received: from ice.cs.columbia.edu (ice.cs.columbia.edu [128.59.18.177]) (user=hgs10 mech=PLAIN bits=0) by brinza.cc.columbia.edu (8.14.3/8.14.3) with ESMTP id n82LbHOr001123 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Wed, 2 Sep 2009 17:37:20 -0400 (EDT) Message-Id: From: Henning Schulzrinne To: Dan York In-Reply-To: <323263D6-B104-4C13-8EC5-1FC4CFC3112C@voxeo.com> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v936) Date: Wed, 2 Sep 2009 17:37:16 -0400 References: <323263D6-B104-4C13-8EC5-1FC4CFC3112C@voxeo.com> X-Mailer: Apple Mail (2.936) X-No-Spam-Score: Local X-Scanned-By: MIMEDefang 2.65 on 128.59.29.8 Cc: "rucus@ietf.org BoF" Subject: Re: [Rucus] Actions coming out of informal RUCUS meeting at IETF 73 X-BeenThere: rucus@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: "Reducing Unwanted Communication Using SIP \(RUCUS\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Sep 2009 01:09:06 -0000 Digging through some old mail. Has any of this occurred? Henning On Dec 1, 2008, at 12:07 PM, Dan York wrote: > Folks, > > At the informal RUCUS meeting at IETF 73 (see minutes here: http://www.ietf.org/mail-archive/web/rucus/current/msg00347.html > ), part of the discussion was that while the charter for the RUCUS > EG pointed at RFC 5039, that RFC alone does not provide the whole > picture of the issues around SPIT/spam. It was also pointed out > that while many of us may be aware of various different situations > related to SPIT, much of that information has not been captured in > any formal written documents but exists more in email threads or > informal conversations. > > To that end, it was agreed that several people would write Internet- > Drafts that document what is in fact going on out in actual > deployments with regard to voice spam/SPIT and also spam in other > areas. > > The list I have of who said they would submit a document is the > following: > > - David Schwartz about email spam and lessons from there. > - David Schwartz about the XConnect / Kayote experience thus far > with SPIT. > - Hannes Tschofenig about XMPP spam (and Hannes indicated he would > contact Peter St. Andre) > - Hendrik Scholz about the recent German SPIT attack (Jan Seedorf > offered to help) > - Juergen Quitteck/Jan Seedorf about some of the cases they have > seen in their NEC incident database > - Jan Seedorf about the differences between DKIM and SIP Identity > (Jan agreed but indicated he would need the assistance of others in > the room) > > It was agreed that these documents do NOT have to be long. They > could be just a page or two if that is all it takes to summarize the > incident/event/situation. The main point is to provide some written > background information for our continued discussions about SPIT and > what the IETF can or cannot do (which would then lead to the brief > mechanism-focused Internet-Drafts that are discussed in the RUCUS > charter). > > We also agreed that these documents would be submitted as Internet- > Drafts because they then fit within the IETF workflow and are a > standard format that others involved with the IETF (but not > necessarily RUCUS) can find and understand. > > We did not set a deadline at the meeting, but I would suggest that > if we could perhaps aim to have these brief documents put together > by the end of this month (Dec 2008) or by, say, January 15th, that > would help. I realize with holidays that may be tough, but as soon > as possible would be great. I'd like to make the case to the ADs > that RUCUS should have a formal time slot at IETF 74, but for that > to occur we need to have some forward momentum. If we could have > these summary documents in by mid-January, that gives us some time > to pull together some mechanism-related drafts before the March > meeting in SF that could then warrant some real face-to-face > discussion. > > Thanks to everyone who volunteered to write a document - and if > there are others on this list who want to contribute a short > document about experiences you have seen related to spam in general > or specifically SPIT, please *do*! > > Thanks, > Dan > > -- > Dan York, CISSP, Director of Emerging Communication Technology > Office of the CTO Voxeo Corporation dyork@voxeo.com > Phone: +1-407-455-5859 Skype: danyork http://www.voxeo.com > Blogs: http://blogs.voxeo.com http://www.disruptivetelephony.com > > Build voice applications based on open standards. > Find out how at http://www.voxeo.com/free > > > > > > _______________________________________________ > Rucus mailing list > Rucus@ietf.org > https://www.ietf.org/mailman/listinfo/rucus > From dyork@voxeo.com Thu Sep 3 14:21:01 2009 Return-Path: X-Original-To: rucus@core3.amsl.com Delivered-To: rucus@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D1D2928C0D0 for ; Thu, 3 Sep 2009 14:21:01 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.929 X-Spam-Level: X-Spam-Status: No, score=-1.929 tagged_above=-999 required=5 tests=[AWL=-0.399, BAYES_00=-2.599, DATE_IN_PAST_06_12=1.069, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A8h51KmfDLrg for ; Thu, 3 Sep 2009 14:21:00 -0700 (PDT) Received: from voxeo.com (mmail.voxeo.com [66.193.54.208]) by core3.amsl.com (Postfix) with SMTP id C8B3D3A67B8 for ; Thu, 3 Sep 2009 14:20:56 -0700 (PDT) Received: from 97.sub-97-60-241.myvzw.com (account dyork [97.60.241.97] verified) by voxeo.com (CommuniGate Pro SMTP 5.2.3) with ESMTPSA id 50585526; Thu, 03 Sep 2009 21:11:20 +0000 Message-Id: <8550AA78-B33E-4673-8376-31684A3DCFD4@voxeo.com> From: Dan York To: Henning Schulzrinne In-Reply-To: Content-Type: multipart/alternative; boundary=Apple-Mail-7-950718263 Mime-Version: 1.0 (Apple Message framework v936) Date: Thu, 3 Sep 2009 10:32:21 -0400 References: <323263D6-B104-4C13-8EC5-1FC4CFC3112C@voxeo.com> X-Mailer: Apple Mail (2.936) Cc: "rucus@ietf.org BoF" Subject: Re: [Rucus] Actions coming out of informal RUCUS meeting at IETF 73 X-BeenThere: rucus@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: "Reducing Unwanted Communication Using SIP \(RUCUS\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Sep 2009 21:21:01 -0000 --Apple-Mail-7-950718263 Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Henning, Sadly, if you go back through the list archives ( https://www.ietf.org/mailman/listinfo/rucus ), the only real action since IETF 73 in terms of Internet-Drafts was Hendrik's submission (that included some work from Hannes): http://www.ietf.org/internet-drafts/draft-scholz-endpoint-security-00.txt Outside of that, no other drafts have been submitted. There was a brief lunch meeting at IETF 75 that Hendrik summarized in an email to RUCUS on August 4, 2009. Regards, Dan On Sep 2, 2009, at 5:37 PM, Henning Schulzrinne wrote: > Digging through some old mail. Has any of this occurred? > > Henning > > On Dec 1, 2008, at 12:07 PM, Dan York wrote: > >> Folks, >> >> At the informal RUCUS meeting at IETF 73 (see minutes here: http://www.ietf.org/mail-archive/web/rucus/current/msg00347.html >> ), part of the discussion was that while the charter for the RUCUS >> EG pointed at RFC 5039, that RFC alone does not provide the whole >> picture of the issues around SPIT/spam. It was also pointed out >> that while many of us may be aware of various different situations >> related to SPIT, much of that information has not been captured in >> any formal written documents but exists more in email threads or >> informal conversations. >> >> To that end, it was agreed that several people would write Internet- >> Drafts that document what is in fact going on out in actual >> deployments with regard to voice spam/SPIT and also spam in other >> areas. >> >> The list I have of who said they would submit a document is the >> following: >> >> - David Schwartz about email spam and lessons from there. >> - David Schwartz about the XConnect / Kayote experience thus far >> with SPIT. >> - Hannes Tschofenig about XMPP spam (and Hannes indicated he would >> contact Peter St. Andre) >> - Hendrik Scholz about the recent German SPIT attack (Jan Seedorf >> offered to help) >> - Juergen Quitteck/Jan Seedorf about some of the cases they have >> seen in their NEC incident database >> - Jan Seedorf about the differences between DKIM and SIP Identity >> (Jan agreed but indicated he would need the assistance of others in >> the room) >> >> It was agreed that these documents do NOT have to be long. They >> could be just a page or two if that is all it takes to summarize >> the incident/event/situation. The main point is to provide some >> written background information for our continued discussions about >> SPIT and what the IETF can or cannot do (which would then lead to >> the brief mechanism-focused Internet-Drafts that are discussed in >> the RUCUS charter). >> >> We also agreed that these documents would be submitted as Internet- >> Drafts because they then fit within the IETF workflow and are a >> standard format that others involved with the IETF (but not >> necessarily RUCUS) can find and understand. >> >> We did not set a deadline at the meeting, but I would suggest that >> if we could perhaps aim to have these brief documents put together >> by the end of this month (Dec 2008) or by, say, January 15th, that >> would help. I realize with holidays that may be tough, but as soon >> as possible would be great. I'd like to make the case to the ADs >> that RUCUS should have a formal time slot at IETF 74, but for that >> to occur we need to have some forward momentum. If we could have >> these summary documents in by mid-January, that gives us some time >> to pull together some mechanism-related drafts before the March >> meeting in SF that could then warrant some real face-to-face >> discussion. >> >> Thanks to everyone who volunteered to write a document - and if >> there are others on this list who want to contribute a short >> document about experiences you have seen related to spam in general >> or specifically SPIT, please *do*! >> >> Thanks, >> Dan >> >> -- >> Dan York, CISSP, Director of Emerging Communication Technology >> Office of the CTO Voxeo Corporation dyork@voxeo.com >> Phone: +1-407-455-5859 Skype: danyork http://www.voxeo.com >> Blogs: http://blogs.voxeo.com http://www.disruptivetelephony.com >> >> Build voice applications based on open standards. >> Find out how at http://www.voxeo.com/free >> >> >> >> >> >> _______________________________________________ >> Rucus mailing list >> Rucus@ietf.org >> https://www.ietf.org/mailman/listinfo/rucus >> > -- Dan York, Director of Conversations Voxeo Corporation http://www.voxeo.com dyork@voxeo.com Phone: +1-407-455-5859 Skype: danyork Join the Voxeo conversation: Blogs: http://blogs.voxeo.com Twitter: http://twitter.com/voxeo http://twitter.com/danyork Facebook: http://www.facebook.com/voxeo --Apple-Mail-7-950718263 Content-Type: text/html; charset=US-ASCII Content-Transfer-Encoding: quoted-printable https://www.ietf.org/= mailman/listinfo/rucus ), the only real action since IETF 73 in = terms of Internet-Drafts was Hendrik's submission (that included some = work from Hannes):


Outside of that, no other drafts = have been = submitted. There was a brief lunch meeting&n= bsp;at IETF 75 that Hendrik summarized in an email to = RUCUS on August 4, = 2009.

Regards,
Dan

<= div>On Sep 2, 2009, at 5:37 PM, Henning Schulzrinne wrote:

Digging= through some old mail. Has any of this = occurred?

Henning

On Dec 1, 2008, at 12:07 PM, Dan York = wrote:

Folks,

At the = informal RUCUS meeting at IETF 73 (see minutes here: = http://www.ietf.org/mail-archive/web/rucus/current/msg00347.html ), = part of the discussion was that while the charter for the RUCUS EG = pointed at RFC 5039, that RFC alone does not provide the whole picture = of the issues around SPIT/spam.  It was also pointed out that while = many of us may be aware of various different situations related to SPIT, = much of that information has not been captured in any formal written = documents but exists more in email threads or informal = conversations.

To that end, it = was agreed that several people would write Internet-Drafts that document = what is in fact going on out in actual deployments with regard to voice = spam/SPIT and also spam in other areas.

The list I have = of who said they would submit a document is the = following:

- David = Schwartz about email spam and lessons from = there.
- David Schwartz about = the XConnect / Kayote experience thus far with = SPIT.
- Hannes Tschofenig = about XMPP spam (and Hannes indicated he would contact Peter St. = Andre)
- Hendrik Scholz about = the recent German SPIT attack (Jan Seedorf offered to = help)
- Juergen Quitteck/Jan = Seedorf about some of the cases they have seen in their NEC incident = database
- Jan Seedorf about = the differences between DKIM and SIP Identity (Jan agreed but indicated = he would need the assistance of others in the = room)

It was agreed = that these documents do NOT have to be long. They could be just a page = or two if that is all it takes to summarize the = incident/event/situation.  The main point is to provide some = written background information for our continued discussions about SPIT = and what the IETF can or cannot do (which would then lead to the brief = mechanism-focused Internet-Drafts that are discussed in the RUCUS = charter).

We also agreed = that these documents would be submitted as Internet-Drafts because they = then fit within the IETF workflow and are a standard format that others = involved with the IETF (but not necessarily RUCUS) can find and = understand.

We did not set = a deadline at the meeting, but I would suggest that if we could perhaps = aim to have these brief documents put together by the end of this month = (Dec 2008) or by, say, January 15th, that would help.  I realize = with holidays that may be tough, but as soon as possible would be great. =  I'd like to make the case to the ADs that RUCUS should have a = formal time slot at IETF 74, but for that to occur we need to have some = forward momentum.  If we could have these summary documents in by = mid-January, that gives us some time to pull together some = mechanism-related drafts before the March meeting in SF that could then = warrant some real face-to-face discussion.

Thanks to = everyone who volunteered to write a document - and if there are others = on this list who want to contribute a short document about experiences = you have seen related to spam in general or specifically SPIT, please = *do*!

Thanks,
Dan

-- =
Dan York, CISSP, Director of = Emerging Communication Technology
Office of the CTO    Voxeo Corporation =     dyork@voxeo.com
Phone: +1-407-455-5859  Skype: danyork  http://www.voxeo.com
Blogs: http://blogs.voxeo.com  http://www.disruptivetelephony= .com

Build voice = applications based on open standards.
Find out how at http://www.voxeo.com/free





_______________________________________________
Rucus mailing = list
Rucus@ietf.org
https://www.ietf.org/= mailman/listinfo/rucus



-- 
Dan York, = Director of Conversations
Voxeo = Corporation   http://www.voxeo.com  dyork@voxeo.com
Phone: +1-407-455-5859    Skype: = danyork  









= --Apple-Mail-7-950718263-- From pars.mutaf@gmail.com Fri Sep 11 04:22:21 2009 Return-Path: X-Original-To: rucus@core3.amsl.com Delivered-To: rucus@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 754E43A6818 for ; Fri, 11 Sep 2009 04:22:21 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pUy20+yH6yBG for ; Fri, 11 Sep 2009 04:22:17 -0700 (PDT) Received: from mail-bw0-f219.google.com (mail-bw0-f219.google.com [209.85.218.219]) by core3.amsl.com (Postfix) with ESMTP id 694B128C142 for ; Fri, 11 Sep 2009 04:22:17 -0700 (PDT) Received: by bwz19 with SMTP id 19so704461bwz.37 for ; Fri, 11 Sep 2009 04:22:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type; bh=0GKM7/GTThi/hEOagpLQyl3DInXlT5Pt87AkSdQhFyw=; b=hECUQqzAfZ+W49wmYUcH8OO8Gl9n19iBzLqhD67dAuqpF/UTu5vddmoWtjEC/TNPtJ jQ1QpxAZ0Pma5haeohKtgtAu6JRXMIAaZTW5Gmishp7cIbZ9gLpQOecDzsroj5mynR3P 0Nr4JzzFfBU3cffxXLCDrhZmFqOtwYNUOp1rQ= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=BfFmMDBU3+JsXpmJFZCCfqaHOvanijixI4BHzUb0e4510YJwvmsTFwmvseTzqgCdsj nNx7hrurmwGHzL6qn6v8Y4+gZ7tRiwoslvHrUTPTD1XumH1o4b/TJROVxkl5ByMuqeb6 OEl3M6xJsSlviuAjWUanJF2++9bNGxrE1F8zY= MIME-Version: 1.0 Received: by 10.204.33.193 with SMTP id i1mr1937611bkd.75.1252668170159; Fri, 11 Sep 2009 04:22:50 -0700 (PDT) Date: Fri, 11 Sep 2009 14:22:50 +0300 Message-ID: <18a603a60909110422t259efa7dj7f601535a6150391@mail.gmail.com> From: Pars Mutaf To: Rucus BoF Content-Type: text/plain; charset=ISO-8859-1 Subject: [Rucus] Combatting SPIT using IKEv2 X-BeenThere: rucus@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: "Reducing Unwanted Communication Using SIP \(RUCUS\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Sep 2009 11:22:21 -0000 Dear all, I submitted a short I-D proposing IKEv2 extensions to combat SPIT. Basically they are CAPTCHA and human name certificate extensions, and target user approval. The draft can be found here: http://www.freewebs.com/pmutaf/draft-mutaf-spikev2-02.txt Comments are welcome Regards, pars From dwing@cisco.com Thu Sep 17 17:10:58 2009 Return-Path: X-Original-To: rucus@core3.amsl.com Delivered-To: rucus@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 67FBE3A6816 for ; Thu, 17 Sep 2009 17:10:58 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.598 X-Spam-Level: X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id clQ7oXRpg8qd for ; Thu, 17 Sep 2009 17:10:57 -0700 (PDT) Received: from sj-iport-1.cisco.com (sj-iport-1.cisco.com [171.71.176.70]) by core3.amsl.com (Postfix) with ESMTP id 9D7613A67A4 for ; Thu, 17 Sep 2009 17:10:57 -0700 (PDT) X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: ApsEAC9tskqrR7PD/2dsb2JhbACKbrFTiFABkCgFhBw X-IronPort-AV: E=Sophos;i="4.44,406,1249257600"; d="scan'208";a="243507884" Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-1.cisco.com with ESMTP; 18 Sep 2009 00:11:50 +0000 Received: from sj-core-4.cisco.com (sj-core-4.cisco.com [171.68.223.138]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id n8I0BoaO016745 for ; Thu, 17 Sep 2009 17:11:50 -0700 Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-4.cisco.com (8.13.8/8.14.3) with ESMTP id n8I0Bmmc024188 for ; Fri, 18 Sep 2009 00:11:50 GMT Received: from xfe-sjc-212.amer.cisco.com ([171.70.151.187]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 17 Sep 2009 17:11:00 -0700 Received: from dwingwxp01 ([128.107.163.93]) by xfe-sjc-212.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 17 Sep 2009 17:11:00 -0700 From: "Dan Wing" To: Date: Thu, 17 Sep 2009 17:11:01 -0700 Message-ID: <021101ca37f4$81144e60$5da36b80@cisco.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 11 Thread-Index: Aco39IDbl1z4BXNuRo6BMk9ajBaIsw== X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350 X-OriginalArrivalTime: 18 Sep 2009 00:11:00.0595 (UTC) FILETIME=[80CD0C30:01CA37F4] DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=274; t=1253232710; x=1254096710; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@cisco.com; z=From:=20=22Dan=20Wing=22=20 |Subject:=20ARF=20BoF=3A=20no=20SIP? |Sender:=20; bh=y0TbRG01HP9rwXNT6C6YYv/FTfztw1P0BnvxumYx+nI=; b=Y9nLILQSJddYxN8xjtT85dAwI9ywzQxn08rMPZ76sXjJ4tyi3KIrLdTaGH FtMALiAp5T8EOiA8UWND+Vrrbzd5K5R837AyO/0uUJ8/qeDg0F6jOfn5ItyR /WwWHcol2T; Authentication-Results: sj-dkim-3; header.From=dwing@cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; ); Subject: [Rucus] ARF BoF: no SIP? X-BeenThere: rucus@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: "Reducing Unwanted Communication Using SIP \(RUCUS\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Sep 2009 00:10:58 -0000 http://www.ietf.org/mail-archive/web/apps-discuss/current/msg00833.html http://trac.tools.ietf.org/bof/trac/wiki Interesting that while they list SSH, FTP, and "web server" attacks as possible extensions, but SIP isn't listed. Anyone want to tackle that one? -d From dwing@cisco.com Thu Sep 17 17:13:43 2009 Return-Path: X-Original-To: rucus@core3.amsl.com Delivered-To: rucus@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 11BE73A6A9F for ; Thu, 17 Sep 2009 17:13:43 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.599 X-Spam-Level: X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GqE8Oxhdb9eT for ; Thu, 17 Sep 2009 17:13:42 -0700 (PDT) Received: from sj-iport-3.cisco.com (sj-iport-3.cisco.com [171.71.176.72]) by core3.amsl.com (Postfix) with ESMTP id 584473A6A74 for ; Thu, 17 Sep 2009 17:13:39 -0700 (PDT) X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: ApsEAPNtskqrR7MV/2dsb2JhbACKbrFGiFABkCoFhByBXQ X-IronPort-AV: E=Sophos;i="4.44,406,1249257600"; d="scan'208";a="190570635" Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-3.cisco.com with ESMTP; 18 Sep 2009 00:14:32 +0000 Received: from sj-core-4.cisco.com (sj-core-4.cisco.com [171.68.223.138]) by sj-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id n8I0EWjF005281; Thu, 17 Sep 2009 17:14:32 -0700 Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-4.cisco.com (8.13.8/8.14.3) with ESMTP id n8I0EWVN024925; Fri, 18 Sep 2009 00:14:32 GMT Received: from xfe-sjc-212.amer.cisco.com ([171.70.151.187]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 17 Sep 2009 17:14:31 -0700 Received: from dwingwxp01 ([128.107.163.93]) by xfe-sjc-212.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 17 Sep 2009 17:14:31 -0700 From: "Dan Wing" To: "'Pars Mutaf'" , "'Rucus BoF'" References: <18a603a60909110422t259efa7dj7f601535a6150391@mail.gmail.com> Date: Thu, 17 Sep 2009 17:14:32 -0700 Message-ID: <021201ca37f4$fed39ef0$5da36b80@cisco.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 11 Thread-Index: Acoy0ji+Pfb+dleASjmxxGo19rP+hAFInCYQ In-Reply-To: <18a603a60909110422t259efa7dj7f601535a6150391@mail.gmail.com> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350 X-OriginalArrivalTime: 18 Sep 2009 00:14:31.0561 (UTC) FILETIME=[FE8BE790:01CA37F4] DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=1090; t=1253232872; x=1254096872; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@cisco.com; z=From:=20=22Dan=20Wing=22=20 |Subject:=20RE=3A=20[Rucus]=20Combatting=20SPIT=20using=20I KEv2 |Sender:=20; bh=rR/Rd2B/PNNs9ynRGlTeD94e5pRQ4DLA9CvwVOCZmgA=; b=hezxGhk94SavydMoCWRjLUxVy4kuNCmh9OXSaBKoSzpRRQFtzGEzaGFQ1l 75L/X+Rn7XeYnTv5UiKpKeBwmgeWOT+Gwxk/HcG6yIQiELSJuhX/2hzYofk/ gQ+zmODaxal6U6Lq191NjajOWn71jkRn18U+FA7KnFwnigeTGdLDM=; Authentication-Results: sj-dkim-1; header.From=dwing@cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; ); Subject: Re: [Rucus] Combatting SPIT using IKEv2 X-BeenThere: rucus@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: "Reducing Unwanted Communication Using SIP \(RUCUS\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Sep 2009 00:13:43 -0000 > -----Original Message----- > From: rucus-bounces@ietf.org [mailto:rucus-bounces@ietf.org] > On Behalf Of Pars Mutaf > Sent: Friday, September 11, 2009 4:23 AM > To: Rucus BoF > Subject: [Rucus] Combatting SPIT using IKEv2 > > Dear all, > > I submitted a short I-D proposing IKEv2 extensions to combat SPIT. > Basically they are CAPTCHA and human name certificate extensions, > and target user approval. > > The draft can be found here: > > http://www.freewebs.com/pmutaf/draft-mutaf-spikev2-02.txt > > Comments are welcome One solution to SPIT is to require an IPsec SA (Security Association) before a correspondent user opens a session with a target SIP URI. If later the correspondent user turns bad and sends SPIT, the target user can remove the SA. I don't understand. So, I would send you an INVITE, and then you would challange me by doing ... ? -d > Regards, > > pars > _______________________________________________ > Rucus mailing list > Rucus@ietf.org > https://www.ietf.org/mailman/listinfo/rucus From stpeter@stpeter.im Thu Sep 17 17:20:27 2009 Return-Path: X-Original-To: rucus@core3.amsl.com Delivered-To: rucus@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E17143A67A4 for ; Thu, 17 Sep 2009 17:20:27 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.435 X-Spam-Level: X-Spam-Status: No, score=-2.435 tagged_above=-999 required=5 tests=[AWL=0.164, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q-Y4W79EnFK2 for ; Thu, 17 Sep 2009 17:20:27 -0700 (PDT) Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id 0DE123A68B1 for ; Thu, 17 Sep 2009 17:20:27 -0700 (PDT) Received: from squire.local (dsl-179-156.dynamic-dsl.frii.net [216.17.179.156]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id B06F340D1F; Thu, 17 Sep 2009 18:21:07 -0600 (MDT) Message-ID: <4AB2D260.3070401@stpeter.im> Date: Thu, 17 Sep 2009 18:20:48 -0600 From: Peter Saint-Andre User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812) MIME-Version: 1.0 To: Dan Wing References: <021101ca37f4$81144e60$5da36b80@cisco.com> In-Reply-To: <021101ca37f4$81144e60$5da36b80@cisco.com> X-Enigmail-Version: 0.96.0 OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Cc: rucus@ietf.org Subject: Re: [Rucus] ARF BoF: no SIP? X-BeenThere: rucus@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: "Reducing Unwanted Communication Using SIP \(RUCUS\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Sep 2009 00:20:28 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 9/17/09 6:11 PM, Dan Wing wrote: > http://www.ietf.org/mail-archive/web/apps-discuss/current/msg00833.html > http://trac.tools.ietf.org/bof/trac/wiki > > Interesting that while they list SSH, FTP, and "web server" attacks as > possible extensions, but SIP isn't listed. Yes, including VoIP and IM attacks would be worthwhile... Peter - -- Peter Saint-Andre https://stpeter.im/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkqy0mAACgkQNL8k5A2w/vxiLwCgh7AlwxLXAEHQdWTi5omYzS+u aWkAoLulvJSlkEssuiY4o+klHGWryc6A =5j8D -----END PGP SIGNATURE----- From pars.mutaf@gmail.com Fri Sep 18 10:09:41 2009 Return-Path: X-Original-To: rucus@core3.amsl.com Delivered-To: rucus@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 185B33A685B for ; Fri, 18 Sep 2009 10:09:41 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vvVDKP9hJbPD for ; Fri, 18 Sep 2009 10:09:40 -0700 (PDT) Received: from mail-ew0-f207.google.com (mail-ew0-f207.google.com [209.85.219.207]) by core3.amsl.com (Postfix) with ESMTP id DFCF93A67F0 for ; Fri, 18 Sep 2009 10:09:39 -0700 (PDT) Received: by ewy3 with SMTP id 3so761712ewy.42 for ; Fri, 18 Sep 2009 10:10:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=OXdhj40NVyiJtLX10PvkFMCEUA43iZ+mSA7I4QCE2KI=; b=HB1gG7aukixQ76fPY+y9azLtSJ6k0NxRi6M6yWo+b2PydZwlizj23O/hKUxs6EZgPe 7wBG5RaQE3G1+ttuuNygDhPGVUd/r7Q3m29MA+tXuMyavv6RfEh3HkfSchSyVOjncNA0 3lt8mma1lH3tyKcfGbgt+BfrsKPOyNnOwqMpM= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=E89h7X99CZcYqQezFKgcHw3vxU1hOdd1hKYFdO7wDnfxCevyDzrhaX7MZPmjAl4kYv DRQivaDcgcmxoR7pyGRiVs8Qvm0kaSO0fWj2B7b+hwyINUIJgopM2RlRlfjp3xe8FeLF aeAIihJrVNI5SCx2GcwaUOQkOnsYctcPdoSws= MIME-Version: 1.0 Received: by 10.211.155.20 with SMTP id h20mr1318202ebo.44.1253293831188; Fri, 18 Sep 2009 10:10:31 -0700 (PDT) In-Reply-To: <021201ca37f4$fed39ef0$5da36b80@cisco.com> References: <18a603a60909110422t259efa7dj7f601535a6150391@mail.gmail.com> <021201ca37f4$fed39ef0$5da36b80@cisco.com> Date: Fri, 18 Sep 2009 20:10:31 +0300 Message-ID: <18a603a60909181010q588a117am31b499c62986c217@mail.gmail.com> From: Pars Mutaf To: Dan Wing Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: Rucus BoF Subject: Re: [Rucus] Combatting SPIT using IKEv2 X-BeenThere: rucus@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: "Reducing Unwanted Communication Using SIP \(RUCUS\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Sep 2009 17:09:41 -0000 Hello, On Fri, Sep 18, 2009 at 3:14 AM, Dan Wing wrote: > > > >> -----Original Message----- >> From: rucus-bounces@ietf.org [mailto:rucus-bounces@ietf.org] >> On Behalf Of Pars Mutaf >> Sent: Friday, September 11, 2009 4:23 AM >> To: Rucus BoF >> Subject: [Rucus] Combatting SPIT using IKEv2 >> >> Dear all, >> >> I submitted a short I-D proposing IKEv2 extensions to combat SPIT. >> Basically they are CAPTCHA and human name certificate extensions, >> and target user approval. >> >> The draft can be found here: >> >> http://www.freewebs.com/pmutaf/draft-mutaf-spikev2-02.txt >> >> Comments are welcome > > =A0 One solution to SPIT is to require an IPsec SA (Security Association) > =A0 before a correspondent user opens a session with a target SIP URI. > =A0 If later the correspondent user turns bad and sends SPIT, the target > =A0 user can remove the SA. > > I don't understand. =A0So, I would send you an INVITE, and then you > would challange me by doing ... ? You will have to establish an IPsec security association (this is required) with the target phone. Using IKE extensions, the target phone will challenge you by asking to solve a CAPTCHA. If you want to make commercial calls or send messages t= o hundreds of phones, you will have to solve hundreds of CAPTHCAs. CAPTCHAs cannot be solved by a machine, so you cannot automatically send spam to many target phones. In addition to CAPTCHAs, my phone can also require your certified identity during the IKE negociation. In this case if I don't know you, I can cancel = IKE. Since no IPsec security association is established, you can't call me nor send IM. Thanks, pars > > -d > > > >> Regards, >> >> pars >> _______________________________________________ >> Rucus mailing list >> Rucus@ietf.org >> https://www.ietf.org/mailman/listinfo/rucus > > From dwing@cisco.com Fri Sep 18 10:43:14 2009 Return-Path: X-Original-To: rucus@core3.amsl.com Delivered-To: rucus@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5DA0728C211 for ; Fri, 18 Sep 2009 10:43:14 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.479 X-Spam-Level: X-Spam-Status: No, score=-6.479 tagged_above=-999 required=5 tests=[AWL=0.120, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gwigf0uZuDj6 for ; Fri, 18 Sep 2009 10:43:13 -0700 (PDT) Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id DA7883A6B55 for ; Fri, 18 Sep 2009 10:43:12 -0700 (PDT) X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: Ap0EAIRjs0qrR7PE/2dsb2JhbACKbawPiFABkBsFgi6BbYFd X-IronPort-AV: E=Sophos;i="4.44,410,1249257600"; d="scan'208";a="391551846" Received: from sj-dkim-4.cisco.com ([171.71.179.196]) by sj-iport-6.cisco.com with ESMTP; 18 Sep 2009 17:44:06 +0000 Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-4.cisco.com (8.12.11/8.12.11) with ESMTP id n8IHi6Zf001127; Fri, 18 Sep 2009 10:44:06 -0700 Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id n8IHi6Xt001092; Fri, 18 Sep 2009 17:44:06 GMT Received: from xfe-sjc-211.amer.cisco.com ([171.70.151.174]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 18 Sep 2009 10:44:05 -0700 Received: from dwingwxp01 ([10.32.240.198]) by xfe-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 18 Sep 2009 10:44:05 -0700 From: "Dan Wing" To: "'Pars Mutaf'" References: <18a603a60909110422t259efa7dj7f601535a6150391@mail.gmail.com> <021201ca37f4$fed39ef0$5da36b80@cisco.com> <18a603a60909181010q588a117am31b499c62986c217@mail.gmail.com> Date: Fri, 18 Sep 2009 10:44:05 -0700 Message-ID: <053a01ca3887$9de37370$5da36b80@cisco.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Mailer: Microsoft Office Outlook 11 Thread-Index: Aco4gu79BXVLZxeKRoaU72M+LHHbSQABEtqw In-Reply-To: <18a603a60909181010q588a117am31b499c62986c217@mail.gmail.com> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350 X-OriginalArrivalTime: 18 Sep 2009 17:44:05.0504 (UTC) FILETIME=[9DF10800:01CA3887] DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=2491; t=1253295846; x=1254159846; c=relaxed/simple; s=sjdkim4002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@cisco.com; z=From:=20=22Dan=20Wing=22=20 |Subject:=20RE=3A=20[Rucus]=20Combatting=20SPIT=20using=20I KEv2 |Sender:=20; bh=R67Df+9I8JkB2S6nW7WCJcJxmI954M4TD/rOny0YMN0=; b=rQDyX5Fj7Z1JlpZ7ccQu12ILhSoR/OnBDmyxfRlT8pT4aegBkXguhMHvP0 +pGoVhGGvtcKIry/kV+vcI0eYqWMlg2/M5LXLQnPomPh1wkCh6bECnc7BOO0 y9Q0u6E75y; Authentication-Results: sj-dkim-4; header.From=dwing@cisco.com; dkim=pass ( sig from cisco.com/sjdkim4002 verified; ); Cc: 'Rucus BoF' Subject: Re: [Rucus] Combatting SPIT using IKEv2 X-BeenThere: rucus@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: "Reducing Unwanted Communication Using SIP \(RUCUS\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Sep 2009 17:43:14 -0000 =20 > -----Original Message----- > From: Pars Mutaf [mailto:pars.mutaf@gmail.com]=20 > Sent: Friday, September 18, 2009 10:11 AM > To: Dan Wing > Cc: Rucus BoF > Subject: Re: [Rucus] Combatting SPIT using IKEv2 >=20 > Hello, >=20 > On Fri, Sep 18, 2009 at 3:14 AM, Dan Wing wrote: > > > > > > > >> -----Original Message----- > >> From: rucus-bounces@ietf.org [mailto:rucus-bounces@ietf.org] > >> On Behalf Of Pars Mutaf > >> Sent: Friday, September 11, 2009 4:23 AM > >> To: Rucus BoF > >> Subject: [Rucus] Combatting SPIT using IKEv2 > >> > >> Dear all, > >> > >> I submitted a short I-D proposing IKEv2 extensions to combat SPIT. > >> Basically they are CAPTCHA and human name certificate extensions, > >> and target user approval. > >> > >> The draft can be found here: > >> > >> http://www.freewebs.com/pmutaf/draft-mutaf-spikev2-02.txt > >> > >> Comments are welcome > > > > =A0 One solution to SPIT is to require an IPsec SA (Security=20 > Association) > > =A0 before a correspondent user opens a session with a target SIP = URI. > > =A0 If later the correspondent user turns bad and sends SPIT,=20 > the target > > =A0 user can remove the SA. > > > > I don't understand. =A0So, I would send you an INVITE, and then you > > would challange me by doing ... ? >=20 >=20 > You will have to establish an IPsec security association (this is > required) with the target phone.=20 So I would have to do IKE over the UDP media channel, I guess? =20 That's certainly doable; afterall, that's what is described in draft-saito-mmusic-sdp-ike-05.txt. -d > Using IKE extensions, the target phone will challenge > you by asking > to solve a CAPTCHA. If you want to make commercial calls or=20 > send messages to > hundreds of phones, you will have to solve hundreds of CAPTHCAs. >=20 > CAPTCHAs cannot be solved by a machine, so you cannot automatically > send spam to many target phones. >=20 > In addition to CAPTCHAs, my phone can also require your=20 > certified identity > during the IKE negociation. In this case if I don't know you,=20 > I can cancel IKE. > Since no IPsec security association is established, you can't call me > nor send IM. >=20 > Thanks, > pars >=20 > > > > -d > > > > > > > >> Regards, > >> > >> pars > >> _______________________________________________ > >> Rucus mailing list > >> Rucus@ietf.org > >> https://www.ietf.org/mailman/listinfo/rucus > > > > From johnl@iecc.com Fri Sep 18 18:59:47 2009 Return-Path: X-Original-To: rucus@core3.amsl.com Delivered-To: rucus@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CE44B3A6878 for ; Fri, 18 Sep 2009 18:59:47 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -18.843 X-Spam-Level: X-Spam-Status: No, score=-18.843 tagged_above=-999 required=5 tests=[AWL=0.356, BAYES_00=-2.599, HABEAS_ACCREDITED_SOI=-4.3, RCVD_IN_BSP_TRUSTED=-4.3, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rUznY+L7rHzJ for ; Fri, 18 Sep 2009 18:59:47 -0700 (PDT) Received: from gal.iecc.com (gal.iecc.com [208.31.42.53]) by core3.amsl.com (Postfix) with ESMTP id CE80D3A6765 for ; Fri, 18 Sep 2009 18:59:46 -0700 (PDT) Received: (qmail 43521 invoked from network); 19 Sep 2009 02:00:41 -0000 Received: from mail1.iecc.com (208.31.42.56) by mail1.iecc.com with QMQP; 19 Sep 2009 02:00:41 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:subject:in-reply-to:cc:mime-version:content-type:content-transfer-encoding; s=k0908; olt=johnl@user.iecc.com; bh=LBpvBPUB57n87OtLWM4mlO98zpsNF0hhAMv2Ia+7x/s=; b=nptVFoxVkfhAS/FMdGa0gPY56+RY8DO7tVeXQ1BE1XVby+2B2sCNsPGvWo8YSIidX8SaL/2Snt+x6q7mVnhEll9h5axLZ/sYwuMYAjbNPAYXJoiqDoi5RKBNbsgCVId/vXCroVlc1eLM12xQTIFSsDjeaWNC2rUg6rTLdFFkHy8= DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:subject:in-reply-to:cc:mime-version:content-type:content-transfer-encoding; s=k0908; bh=LBpvBPUB57n87OtLWM4mlO98zpsNF0hhAMv2Ia+7x/s=; b=GF9QqT2mUTC4trmfrM2newvMid25PF8oSfrQ0tf8BTK9F7V6eRycW01YZ9qVTLyPlgUttWy08XcJrsE/ZiWCO/rkNw/ZXHehsLGIEBehW5WEASG/tky3DDCi63ACwtfZNjzoQDSuWcwYz68y72xp+ph9GIAaKWNJ5qCND7IjSB4= Date: 19 Sep 2009 02:00:41 -0000 Message-ID: <20090919020041.2533.qmail@simone.iecc.com> From: John Levine To: rucus@ietf.org In-Reply-To: <021101ca37f4$81144e60$5da36b80@cisco.com> Organization: X-Headerized: yes Mime-Version: 1.0 Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: 7bit Subject: Re: [Rucus] ARF BoF: no SIP? X-BeenThere: rucus@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: "Reducing Unwanted Communication Using SIP \(RUCUS\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 19 Sep 2009 01:59:47 -0000 >Interesting that while they list SSH, FTP, and "web server" attacks as >possible extensions, but SIP isn't listed. I'll throw it into the pot. Although there are people who wish it were otherwise, the current ARF format is tightly tied to reporting metadata about an individual e-mail message, and that's not likely to change. There's interest in a more general abuse report, but I have not yet succeeded in getting people to explain why, other than a dislike of XML, we wouldn't just be doing a rerun of INCH. Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor "More Wiener schnitzel, please", said Tom, revealingly. From dwing@cisco.com Sun Sep 20 08:51:41 2009 Return-Path: X-Original-To: rucus@core3.amsl.com Delivered-To: rucus@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E45903A6925 for ; Sun, 20 Sep 2009 08:51:41 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.492 X-Spam-Level: X-Spam-Status: No, score=-6.492 tagged_above=-999 required=5 tests=[AWL=0.107, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0hwPVX7D9jGG for ; Sun, 20 Sep 2009 08:51:40 -0700 (PDT) Received: from rtp-iport-1.cisco.com (rtp-iport-1.cisco.com [64.102.122.148]) by core3.amsl.com (Postfix) with ESMTP id ACA163A67F5 for ; Sun, 20 Sep 2009 08:51:40 -0700 (PDT) X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: ApsEAELstUpAZnme/2dsb2JhbACKbKtyiFABjXgFhBs X-IronPort-AV: E=Sophos;i="4.44,419,1249257600"; d="scan'208";a="59016606" Received: from rtp-dkim-1.cisco.com ([64.102.121.158]) by rtp-iport-1.cisco.com with ESMTP; 20 Sep 2009 15:52:39 +0000 Received: from rtp-core-1.cisco.com (rtp-core-1.cisco.com [64.102.124.12]) by rtp-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id n8KFqdnb028690; Sun, 20 Sep 2009 11:52:39 -0400 Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by rtp-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id n8KFqcnG019207; Sun, 20 Sep 2009 15:52:39 GMT Received: from xfe-sjc-212.amer.cisco.com ([171.70.151.187]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Sun, 20 Sep 2009 08:52:38 -0700 Received: from dwingwxp01 ([10.32.240.194]) by xfe-sjc-212.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Sun, 20 Sep 2009 08:52:38 -0700 From: "Dan Wing" To: "'John Levine'" , References: <021101ca37f4$81144e60$5da36b80@cisco.com> <20090919020041.2533.qmail@simone.iecc.com> Date: Sun, 20 Sep 2009 08:52:38 -0700 Message-ID: <018401ca3a0a$613508b0$c6f0200a@cisco.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 11 In-Reply-To: <20090919020041.2533.qmail@simone.iecc.com> Thread-Index: Aco4zQsmVsO5V2jKRhi+eaMQEIJSkgAhFrBw X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350 X-OriginalArrivalTime: 20 Sep 2009 15:52:38.0273 (UTC) FILETIME=[60DE0F10:01CA3A0A] DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=1301; t=1253461959; x=1254325959; c=relaxed/simple; s=rtpdkim1001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@cisco.com; z=From:=20=22Dan=20Wing=22=20 |Subject:=20RE=3A=20[Rucus]=20ARF=20BoF=3A=20no=20SIP? |Sender:=20 |To:=20=22'John=20Levine'=22=20,=20; bh=XvLlqv8blew4gfr6iM0YgfR71+xjy2ZZwuCVCmmXe60=; b=RV5GQw4U4NhFkRtkWfY98WpirxF7mV8MJwhmaxSYTUr9El8qZ26ZeNHSSQ eVsWK8C/psJ7l2t1x3dPwzreDvcTxd3diqRvu3l2Aqb70DnvqjOShcarLwiA vgxZbAOlAd; Authentication-Results: rtp-dkim-1; header.From=dwing@cisco.com; dkim=pass ( sig from cisco.com/rtpdkim1001 verified; ); Subject: Re: [Rucus] ARF BoF: no SIP? X-BeenThere: rucus@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: "Reducing Unwanted Communication Using SIP \(RUCUS\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 20 Sep 2009 15:51:42 -0000 > >Interesting that while they list SSH, FTP, and "web server" > >attacks as possible extensions, but SIP isn't listed. > > I'll throw it into the pot. > > Although there are people who wish it were otherwise, the current ARF > format is tightly tied to reporting metadata about an individual > e-mail message, and that's not likely to change. > > There's interest in a more general abuse report, but I have not yet > succeeded in getting people to explain why, other than a dislike of > XML, we wouldn't just be doing a rerun of INCH. Dunno. I'm not familiar with INCH and currently not connected to the Internet to figure out what it is. My only thought is that if ARF is going to be extended to cover things like SSH and FTP attacks, it should also cover SIP (and, to Peter's point) and XMPP. SIP and XMPP are much more similar to email than ssh, as well (From/To headers and suchlike), which may ease extending ARF to cover SIP/XMPP than the complications of extending ARF to report abuse of a service such as ssh. -d > Regards, > John Levine, johnl@iecc.com, Primary Perpetrator of "The > Internet for Dummies", > Information Superhighwayman wanna-be, > http://www.johnlevine.com, ex-Mayor > "More Wiener schnitzel, please", said Tom, revealingly. From johnl@iecc.com Sun Sep 20 09:01:52 2009 Return-Path: X-Original-To: rucus@core3.amsl.com Delivered-To: rucus@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 12D393A688D for ; Sun, 20 Sep 2009 09:01:52 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -18.894 X-Spam-Level: X-Spam-Status: No, score=-18.894 tagged_above=-999 required=5 tests=[AWL=0.305, BAYES_00=-2.599, HABEAS_ACCREDITED_SOI=-4.3, RCVD_IN_BSP_TRUSTED=-4.3, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OvX4eRf4KTdB for ; Sun, 20 Sep 2009 09:01:51 -0700 (PDT) Received: from gal.iecc.com (gal.iecc.com [208.31.42.53]) by core3.amsl.com (Postfix) with ESMTP id BD4603A693C for ; Sun, 20 Sep 2009 09:01:50 -0700 (PDT) Received: (qmail 26581 invoked from network); 20 Sep 2009 16:02:49 -0000 Received: from mail1.iecc.com (208.31.42.56) by mail1.iecc.com with QMQP; 20 Sep 2009 16:02:49 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:from:to:cc:subject:in-reply-to:message-id:references:mime-version:content-type:user-agent:cleverness; s=k0908; olt=johnl@user.iecc.com; bh=C4AJp+WokWGwASSTqo24jA/+QIE6geicHcaIdPP+zbw=; b=fWG4hl4rIhAjUGBc/w2Dn7/+JI/ULmpN7UjfRhvQAWekwjZndPYTRNoaMW+XpbgVG4oQkY9o/BKRPJWPtErghRItuGhcbAOJzk3jmz4cD0uKXxcEapgyE4zXI8U44iVEYGy00gbDQmWE/WJM3KxExNzx3pwh+eFydxKMxyRJuOs= DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:from:to:cc:subject:in-reply-to:message-id:references:mime-version:content-type:user-agent:cleverness; s=k0908; bh=C4AJp+WokWGwASSTqo24jA/+QIE6geicHcaIdPP+zbw=; b=hJA028Mf5k7CnO6SPfaM/LbE1dpkV9m16sBwNOgWrX40/ya4J/Bgxf6wQmZDZaTfvjnmVI7qvCauLYNUJ44XT1nxOavFJVkbYEeaIB/dQKyS/3Kmfkv5y5xDJvm7yN0iHY8N69EwKox91jt/7ZfwuLSartSzgMqMvzGTmc5oLxw= Date: Sun, 20 Sep 2009 12:02:45 -0400 (EDT) From: John R Levine To: Dan Wing In-Reply-To: <018401ca3a0a$613508b0$c6f0200a@cisco.com> Message-ID: References: <021101ca37f4$81144e60$5da36b80@cisco.com> <20090919020041.2533.qmail@simone.iecc.com> <018401ca3a0a$613508b0$c6f0200a@cisco.com> User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) Cleverness: None detected MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: rucus@ietf.org Subject: Re: [Rucus] ARF BoF: no SIP? X-BeenThere: rucus@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: "Reducing Unwanted Communication Using SIP \(RUCUS\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 20 Sep 2009 16:01:52 -0000 >> There's interest in a more general abuse report, but I have not yet >> succeeded in getting people to explain why, other than a dislike of >> XML, we wouldn't just be doing a rerun of INCH. > > Dunno. I'm not familiar with INCH and currently not connected to > the Internet to figure out what it is. It's an old IETF WG, which produced an incident reporting format called IODEF which is simultaneously reviled for being too complex, because it's in XML, and at the same time for not having enough specific features for everyone's favorite online evils. Personally, I think it's ugly but I doubt anything useful could be much less ugly, and that efforts to turn ARF into a general reporting format will end up with a mess that is too underspecified to interoperate. > My only thought is that if ARF is going to be extended to cover > things like SSH and FTP attacks, it should also cover SIP (and, > to Peter's point) and XMPP. Oh, sure. Indeed, they fit into ARF a lot better than SSH does since they have something that obviously makes sense as the included 2822 message, but I hope I can keep ARF for mail and do something else for all the other kinds of evil. R's, John From dwing@cisco.com Sun Sep 20 09:20:54 2009 Return-Path: X-Original-To: rucus@core3.amsl.com Delivered-To: rucus@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7F9D63A68E8 for ; Sun, 20 Sep 2009 09:20:54 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.499 X-Spam-Level: X-Spam-Status: No, score=-6.499 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cWy0NEf30vi3 for ; Sun, 20 Sep 2009 09:20:53 -0700 (PDT) Received: from sj-iport-1.cisco.com (sj-iport-1.cisco.com [171.71.176.70]) by core3.amsl.com (Postfix) with ESMTP id 952F63A6869 for ; Sun, 20 Sep 2009 09:20:53 -0700 (PDT) X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: ApsEAIfztUqrR7MV/2dsb2JhbACKbKtmiFABjXsFhBs X-IronPort-AV: E=Sophos;i="4.44,419,1249257600"; d="scan'208";a="244312714" Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-1.cisco.com with ESMTP; 20 Sep 2009 16:21:53 +0000 Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id n8KGLqxm005108; Sun, 20 Sep 2009 09:21:52 -0700 Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id n8KGLq9X008469; Sun, 20 Sep 2009 16:21:52 GMT Received: from xfe-sjc-212.amer.cisco.com ([171.70.151.187]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Sun, 20 Sep 2009 09:21:52 -0700 Received: from dwingwxp01 ([10.32.240.194]) by xfe-sjc-212.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Sun, 20 Sep 2009 09:21:52 -0700 From: "Dan Wing" To: "'John R Levine'" References: <021101ca37f4$81144e60$5da36b80@cisco.com> <20090919020041.2533.qmail@simone.iecc.com> <018401ca3a0a$613508b0$c6f0200a@cisco.com> Date: Sun, 20 Sep 2009 09:21:52 -0700 Message-ID: <029d01ca3a0e$76b81890$c6f0200a@cisco.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 11 In-Reply-To: Thread-Index: Aco6C9z7dl3f9AvIQpW9DSjXvZS+oAAAoBVA X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350 X-OriginalArrivalTime: 20 Sep 2009 16:21:52.0340 (UTC) FILETIME=[765F7140:01CA3A0E] DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=586; t=1253463713; x=1254327713; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@cisco.com; z=From:=20=22Dan=20Wing=22=20 |Subject:=20RE=3A=20[Rucus]=20ARF=20BoF=3A=20no=20SIP? |Sender:=20; bh=dIi+A0CjosUPPslIdGK1C2gi9yjh6a1vwCRecIFpnig=; b=sXNNOX+7x4AtN/15Uoxc0wvYbtBYJnWF958SgB+EHOiBFVERa9fkHggLo/ 13BwB/rfu4k2SbrxqIEzaFHJJ4+hkXukgVbjTibrkzT+PYkqS6Bj6TKa2cii Q9R3P5Kc3tJiy718aHDEQz4wn+De4iSMp62KV7XNbwTIDikOSfAVY=; Authentication-Results: sj-dkim-1; header.From=dwing@cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; ); Cc: rucus@ietf.org Subject: Re: [Rucus] ARF BoF: no SIP? X-BeenThere: rucus@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: "Reducing Unwanted Communication Using SIP \(RUCUS\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 20 Sep 2009 16:20:54 -0000 > > My only thought is that if ARF is going to be extended to cover > > things like SSH and FTP attacks, it should also cover SIP (and, > > to Peter's point) and XMPP. > > Oh, sure. Indeed, they fit into ARF a lot better than SSH > does since they > have something that obviously makes sense as the included > 2822 message, > but I hope I can keep ARF for mail and do something else for > all the other kinds of evil. Sounds reasonable for ARF. RUCUS, if it ever gets off the ground, could look at ARF as a baseline to extend into SIP-ARF or something. -d