Cisco Support Community
Bounce Verification Address Tagging Key

Hi,

I am about to create a new tagging key for the first time in the Bounce Verification settings of our IronPort C350 and I'm wondering if anyone could advise on a few things please.

1) Should the tagging key have some degree of complexity?

2) Is there a need/recommendation to change the tagging key at intervals?

3) If I was to change the tagging key on the device, and subsequently delete the old one, what would happen to any bounce verifications that were 'tagged' with the old key? Would they be rejected or are the old keys remembered in some way by the IronPort device for a period of time?

Many thanks for your help

Simon


BATV

The IETF draft does not include recommendations on key complexity. There is minimal protection against replay of known keys, so choosing a highly complex key would provide little, if any, additional security.

The signatures include a timestamp that will automatically treat any otherwise valid bounce as invalid if it is received more than 7 days after being sent.

If you change keys, the appliance will only use keys that are less than seven days old (in most cases).

If you purge a key from the system, it can no longer be used for validation, no matter what the age.


BATV does not provide a complicated security algorithm in order to minimize the overhead in signing and validating messages. Because of that, rotating keys and choosing complicated text strings can provide only a limited amount of additional security.
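The expiry and key-rotation behaviour described in this reply, shown as an added illustrative example that is not the appliance's code or the BATV draft's exact hash construction: the tag layout, the HMAC-SHA1 signature, the key ids, the day numbers and the sample secrets are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import re

# Assumed PRVS-style tag layout (illustration only, not the appliance's exact algorithm):
#   prvs=KDDDSSSSSS=localpart
#   K = single-digit key id, DDD = expiry day (days since epoch, mod 1000),
#   SSSSSS = first 6 hex chars of HMAC-SHA1 over "K DDD localpart" keyed with the secret.
TAG_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$")
VALIDITY_DAYS = 7  # the seven-day window the reply describes


def _sig(key: bytes, key_id: str, ddd: str, local: str) -> str:
    return hmac.new(key, f"{key_id}{ddd}{local}".encode(), hashlib.sha1).hexdigest()[:6]


def tag(local: str, key_id: int, key: bytes, today: int) -> str:
    """Build the tagged return-path local part for a message sent on day `today`."""
    ddd = f"{(today + VALIDITY_DAYS) % 1000:03d}"
    return f"prvs={key_id}{ddd}{_sig(key, str(key_id), ddd, local)}={local}"


def validate(tagged: str, keyring: dict, today: int) -> tuple:
    """Return (ok, reason). `keyring` maps key id -> secret; a purged key is simply absent."""
    m = TAG_RE.match(tagged)
    if not m:
        return False, "untagged or malformed"
    key_id, ddd, sig, local = m.groups()
    # Expiry check first: a bounce arriving more than VALIDITY_DAYS after sending is
    # rejected no matter which key signed it (the tag carries its own expiry day).
    days_left = (int(ddd) - today) % 1000
    if days_left > VALIDITY_DAYS:
        return False, "expired"
    key = keyring.get(int(key_id))
    if key is None:
        # A purged key cannot validate anything, regardless of the tag's age.
        return False, "key purged or unknown"
    if not hmac.compare_digest(sig, _sig(key, key_id, ddd, local)):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: key 1 is the old key, key 2 the replacement.
    ring = {1: b"old-secret", 2: b"new-secret"}
    old_tag = tag("simon", 1, ring[1], today=20000)
    print(old_tag, validate(old_tag, ring, 20003))        # still valid while key 1 is kept
    print(validate(old_tag, {2: ring[2]}, 20003))          # rejected once key 1 is purged
    print(validate(old_tag, ring, 20008))                  # rejected after the 7-day window
```

Rotating to a new key id while keeping the old key on the ring lets in-flight bounces finish validating; purging the old key cuts them off immediately, which is the behaviour the reply describes.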

Re: Bounce Verification Address Tagging Key

Thanks bfayne, just wanted to be sure of those few points before making any changes.

Regards

Simon
