IETF Logo Mail Archive

Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues

Klaus Frank <klaus.frank@posteo.de> Mon, 07 February 2022 02:20 UTC

Return-Path: <klaus.frank@posteo.de>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DE603A11A7 for <behave@ietfa.amsl.com>; Sun, 6 Feb 2022 18:20:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=posteo.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8NCIEsrJKwkn for <behave@ietfa.amsl.com>; Sun, 6 Feb 2022 18:20:34 -0800 (PST)
Received: from mout02.posteo.de (mout02.posteo.de [185.67.36.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFC143A11AE for <behave@ietf.org>; Sun, 6 Feb 2022 18:20:33 -0800 (PST)
Received: from submission (posteo.de [185.67.36.169]) by mout02.posteo.de (Postfix) with ESMTPS id 2EF84240101 for <behave@ietf.org>; Mon, 7 Feb 2022 03:20:29 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017; t=1644200430; bh=VSNarDFLiExQaPMXjY1wz9zW4qzMANumtZw3AfL6SC0=; h=Date:Subject:To:From:From; b=nCYSlDbM1mVexOQrgSdsvAZEC0kv5hk1AnEQ+ALx19MmpDw1Af2p9CP1LYCz8Wvde uoBDiVjyXFMlTFmC8LCdnhDJcU92J60/8LoW0CDdpUJz8oOPORF4dGatVFINshE6C1 gsN5F8jm8GbdO/qrqlfFE28qHm7+wYX6fSvzK6xpsvPvGw71D6l/xR7AKWu1z+o4If Kic3zMgGwZTYJvvUzSiMpgyHFo6nveowmShj50GjZuy6F/AKlKTj/w0sr1xgyPsXvV gNUlgnOgb3eKNdBAKtPhDcQFdsC3XUJc5Bhiug8TJI1z8TN4e0IJYNuFuqHb3oYhaK 5reRbGXy5JGlA==
Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4JsVH01zVjz9rxF; Mon, 7 Feb 2022 03:20:27 +0100 (CET)
Message-ID: <7b7cf541-3387-6d0b-0fbe-273a08fd37ed@posteo.de>
Date: Mon, 07 Feb 2022 02:20:25 +0000
MIME-Version: 1.0
Content-Language: de-DE
To: Christian Huitema <huitema@huitema.net>, Keith Moore <moore@network-heretics.com>, behave@ietf.org
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de> <ff858dee-a21a-a50d-72a5-da7915ac2de4@network-heretics.com> <71b5cdb0-78af-0f77-debc-84e178fe5e3a@posteo.de> <7a008cc2-e8a3-f91d-c782-96866c36a9db@network-heretics.com> <ee760818-a3c4-3755-6bdf-afcec6fcaaad@posteo.de> <B7DFC369-E7B7-4171-9C85-F75986B5AEF6@gmail.com> <6123a322-e9a7-7f90-391f-9b4c4461ce45@network-heretics.com> <e95993e4-4166-4b3d-1637-8ca451b093b6@huitema.net>
From: Klaus Frank <klaus.frank@posteo.de>
In-Reply-To: <e95993e4-4166-4b3d-1637-8ca451b093b6@huitema.net>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms040008020607080401000806"
Archived-At: <https://mailarchive.ietf.org/arch/msg/behave/0r-N99JoZsuHOD6P8uoFqPczmoQ>
Subject: Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 02:20:43 -0000

You left out the other half of Section 6.2 where it says:

    Alternatively,
    the validating host may establish a trusted connection with a DNS64,
    and allow the DNS64 recursive resolver to do all validation on its
    behalf.

Which is allowing the DNS64 server to rewrite the SPF record...

On 2022-02-07 03:13, Christian Huitema wrote:
>
> On 2/6/2022 5:52 PM, Keith Moore wrote:
>> On 2/6/22 19:58, Dan Wing wrote:
>>
>>> A problem with rewriting SPF records within DNS64 is that other IPv4 
>>> addresses may well appear in TXT records, throwing a loop to 
>>> applications which won't know if the DNS64 has done rewriting or if 
>>> the application needs to do rewriting.  A long-standing problem with 
>>> NAT "support" for applications since the days of FTP PASV.
>>
>> +1
>>
>> In general the problem with NATs is that they try to hide what 
>> they're doing from applications.   But they are never completely 
>> successful at that, and they cannot be.    And it's often difficult 
>> for the application to work-around the damage caused by the NAT.  In 
>> hindsight, it would have been far better for NATs to always be 
>> explicitly visible to applications; then at least the applications 
>> and NATs wouldn't be trying to second-guess one another.
>>
>> But that's water under the bridge.   At this point the best thing 
>> that can be done is to transition to IPv6 only (except for some 
>> legacy hardware on local networks), and eradicate NATs as soon as 
>> possible.
>
>
> DNS64 is a kludge. It looked like a good idea at the time, but there 
> are many corner cases. For example, it is well known to not be 
> compatible with specifications like DNSSEC. DNS64 also breaks 
> completely is the local host uses an encrypted DNS connection (e.g. 
> DoH) to a secure DNS resolver. Klaus raises yet another issue: the 
> local SMTP server will see incoming connections from an IPv6 address 
> that bears no relation to what is in the SPF record of the remote 
> source. This is pretty much the same problem as DNSSEC, and the 
> solution is pretty much what is defined in Section 6.2. of RFC 6147: 
> "the validator must know how to perform the DNS64 function itself". 
> That means the SMTP server should:
>
> 1) Know the local NAT64 prefix
>
> 2) Recognize that the incoming connection is from the local NAT64 prefix,
>
> 3) Perform the reverse translation to retrieve the original IPv4 address,
>
> 4) Acquire the original version of the SPF record, either through the 
> DNS64 server or through a secure server,
>
> 5) Check that the original IPv4 address matches.
>
> Of course, doing that require special code in the SMTP server to 
> handle NAT64. But that's pretty much the only solution.
>
> -- Christian Huitema
>

v2.23.0 | Report a Bug | By Email