Ron Guilmette <rfg @
> At the present time, and despite the already considerable incentives to do
> so, there are no known spammers attempting to do IP spoofing.
Then we should start working on closing this gaping security hole before it
gets widely exploited.
> I see no
> reason why that would change if my rather simple idea were put into
Hmm... your idea may be simple, but putting it in practice would not be
simple, because each and every mailing list server would need to be
upgraded. I wouldn't mind all this effort if the result were a secure
system. But if the result is a system which can be circumvented with
something as simple as one person writing IP-spoofing spam software
and selling it to other spammers, we risk making this considerable
investment for nothing.
Mike Nolan <nolan @
com> replied to Ron:
> Although I think there may be numerous details to be worked out, I think
> Ron has the germ of a viable idea going.
> Some form of public key identifier in a header is the only viable validation
> scheme I've come up with when I've thought about it.
YES - but this indentifier should be somewhere in a revised version of the
Transmission Control Protocol (TCP), not in SMTP headers! (BTW, since the
Internet Protocol must be changed anyway in the near future to enlarge
IP numbers from four bytes to eight bytes or something, modifying TCP also
is maybe not altogether off limits).
> However, I'd like to see the whole concept taken much further, well beyond
> just mailing list issues. Pardon me while I philosophise online here,
> and if anyone thought Ron's proposal had a lot of details to be resolved
> this one has even more!
YES - essentially you're suggesting to apply Ron's idea to TCP instead of
e-mail headers. I agree this is the way to go.
> What I think is needed is some kind of central 'transfer of payments'
> authority for the entire Internet, analagous to what the long distance
> phone carriers have. (This is a very radical proposal, it probably
> involves completely restructuring both the packet forwarding and the cost
> system for the Internet, but that's something that has already happened
> once in the past few years, more or less by default, this time it would
> have to happen by conscious design.)
So this will require very significant changes to the internet protocol also.
Ugly changes even... but I think it could be made to work.
> Under my idea, EVERY Internet packet would carry a cost with it, to be
> assumed by either the sending or receiving party and debited against the
> account. Intermediate carriers could conceivably get a share of this fee,
> and that fee might ultimately replace many other connect charges. (And if
> that means that carriers begin to fight over the right to carry traffic, as
> opposed to the current system where they dont' seem to care much whether
> they have MY business or not, much like the long distance phone carriers
> fight for my account, then I see this as a potentially VERY Good Thing.)
YES - this will add incentive to provide good network infrastructure. In
addition, fast long-distance connections would be more expensive than slow
ones, HTTP traffic would be routed over the fast, more expensive routes (who
likes the World Wide Wait?) while less urgent things like SMTP traffic would
be routed via cheap connections.