IETF Logo Mail Archive

Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues

Keith Moore <moore@network-heretics.com> Mon, 07 February 2022 19:31 UTC

Return-Path: <moore@network-heretics.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D1B43A0105 for <behave@ietfa.amsl.com>; Mon, 7 Feb 2022 11:31:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.61
X-Spam-Level:
X-Spam-Status: No, score=-7.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-0.714, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=messagingengine.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h4ThDc9boH01 for <behave@ietfa.amsl.com>; Mon, 7 Feb 2022 11:31:10 -0800 (PST)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A5F23A00B0 for <behave@ietf.org>; Mon, 7 Feb 2022 11:31:06 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id AF23C5C00EF for <behave@ietf.org>; Mon, 7 Feb 2022 14:31:05 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162]) by compute1.internal (MEProxy); Mon, 07 Feb 2022 14:31:05 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:date:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:sender:subject:subject:to:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; bh=2cfxOPmXfDvLF0ZVUvFA0U9V+POw8cbACWmzt/fsvP4=; b=NOsTKX7v VMxykbKAyvJnNalJ/XF6gjDneLryP+50uF0aE1PhUQXthzHGRJ+2y1yWkQqiujAX 6CbJKZBOz/ihIptRBDpMo35tfKqrBVI4+pTt0v6OzMoGKx5c0LJzzvkzJqtFahxg qUo9mZI2kQBDseRUofD/TjIBMOR6Ydpafb3HxnV4pApCc45q8VZJHJvuNjxtfbXg BcqyAc7/NKtB5QMvAfWagp6Nhf/oS1vgmLc+a6iKc/67PE7UQkowr5/kK1isV21O TTizF+LivuN9+j0KqmMoftl+iRwJCLsqAvnaDVqpjramVFrCbEImaZd6HF8fEviu Vyq1I/e1us/aQQ==
X-ME-Sender: <xms:eXMBYioWx_coD5Hfo0dpjVYT_ZXeQi8e-vrnXjvxxIVKwQl5a5UAxg> <xme:eXMBYgpIXICXtyA2bmLHCc1hg0XeAi0DSyMfzNqLIqLIPbKfIe_ccs19jH78HP6b3 TqGKSn10wj6Gg>
X-ME-Received: <xmr:eXMBYnMAnJyUY6FJqsox4mSj6UQgld2L6UtX0fP4i-MVdnzPrAtUCWuv17YPsBFMO0RuneQ1dKoi5jY6zMJXBIv4jOxk9nueP6Hj>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvvddrheehgdduvdefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefkffggfgfuvfhfhfgjtgfgsehtke ertddtfeejnecuhfhrohhmpefmvghithhhucfoohhorhgvuceomhhoohhrvgesnhgvthif ohhrkhdqhhgvrhgvthhitghsrdgtohhmqeenucggtffrrghtthgvrhhnpeeftddvleeije evkeejhfeuudehveeihfejfedvgfduhfffhfduuddufeeggfetveenucevlhhushhtvghr ufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmohhorhgvsehnvghtfihorh hkqdhhvghrvghtihgtshdrtghomh
X-ME-Proxy: <xmx:eXMBYh7vuj_qcwu8GWH2_NyPOcm1nHHYcGJh_NNpMlCwyAf4m8p2JQ> <xmx:eXMBYh6IWMVRwHHaKcjf-LFk3yY5P74aqyR6f64426pNdzFZ8DUJ8A> <xmx:eXMBYhiFi5GpgL0mMY9-UGftXuyBftYpzVZC2mIhsNlxUjGuqPvX3Q> <xmx:eXMBYjFc0G1AFKfVWQaz2oug5bly-5KFGFzVfZcVB4YLnuIVprYLYA>
Received: by mail.messagingengine.com (Postfix) with ESMTPA for <behave@ietf.org>; Mon, 7 Feb 2022 14:31:05 -0500 (EST)
Message-ID: <960bd37c-71ab-9f0b-2151-d7215ec0a6e8@network-heretics.com>
Date: Mon, 07 Feb 2022 14:31:04 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0
Content-Language: en-US
To: behave@ietf.org
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de> <ff858dee-a21a-a50d-72a5-da7915ac2de4@network-heretics.com> <71b5cdb0-78af-0f77-debc-84e178fe5e3a@posteo.de> <7a008cc2-e8a3-f91d-c782-96866c36a9db@network-heretics.com> <ee760818-a3c4-3755-6bdf-afcec6fcaaad@posteo.de> <B7DFC369-E7B7-4171-9C85-F75986B5AEF6@gmail.com> <22B55BB2-3854-4152-BBD5-900B169B9173@virtualized.org>
From: Keith Moore <moore@network-heretics.com>
In-Reply-To: <22B55BB2-3854-4152-BBD5-900B169B9173@virtualized.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/behave/Q3uXIUyWGjQ_8t26yoF6d7lpTG4>
Subject: Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 19:31:15 -0000

On 2/7/22 13:37, David Conrad wrote:

> Yes, IPv4 addresses (or what may look like IPv4 addresses) can exist in TXT records arbitrarily, however, IIRC, SPF TXT records are fairly tightly constrained to start with “v=spf1 …” and the content of interest here must be prefixed with “ipv4: “.  Given this, I’d imagine it’d be pretty straight forward for DNS64 to find the relevant IPv4 addresses to do whatever transforms are necessary, leaving other IPv4 addresses embedded in TXT RRs as Someone Else’s Problem (if encountered).

No, that just makes the problem worse.  At present, the responsibility 
to deal with SPF records when operating behind a NAT is clearly with the 
consumer of the SPF records.   If the DNS64 engine is allowed to try to 
address that problem instead, then the location of that responsibility 
becomes unclear, and it's likely to change and break things without 
anybody noticing. Consistent behavior is Good; trying to constantly 
change how the network works to solve problems that are unfixable is 
Bad.  It adds complexity with no hope of ever reducing it.

Especially when, in practice, SPF records are likely to be wrong and to 
result in failure of legitimate mail to be delivered, without any 
indication to anyone who can fix it.   So trying to fix the SPF+NAT 
problem is doubly counterproductive.

Want to fix the NAT instead?  Arrange for there to ALWAYS be some 
signaling available to every app behind the NAT as to what the address 
binding is.   Don't make the app try to second-guess the NAT and don't 
have the NAT try to second-guess the app.   That way lies madness, as 
we've seen for 25+ years.

Keith

v2.23.0 | Report a Bug | By Email