IETF Logo Mail Archive

Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues

Keith Moore <moore@network-heretics.com> Mon, 07 February 2022 02:18 UTC

Return-Path: <moore@network-heretics.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A69D3A1197 for <behave@ietfa.amsl.com>; Sun, 6 Feb 2022 18:18:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.61
X-Spam-Level:
X-Spam-Status: No, score=-2.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-0.714, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=messagingengine.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LCl0_Jkzvxdz for <behave@ietfa.amsl.com>; Sun, 6 Feb 2022 18:17:57 -0800 (PST)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE04C3A1187 for <behave@ietf.org>; Sun, 6 Feb 2022 18:17:55 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 081975C0043 for <behave@ietf.org>; Sun, 6 Feb 2022 21:17:54 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162]) by compute1.internal (MEProxy); Sun, 06 Feb 2022 21:17:54 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:date:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:sender:subject:subject:to:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; bh=A4gf14Mr5AnQ6TJYDQzi7FJUG9kn9J1ec0X+qZ68JrM=; b=U3LfoOnF 9q98dN+oq+6j8tFRJzI1tXYi7aYsiQ354P3PrIYy5H6YSUDj7ZZX99fo8OY3aQMs qYVlFaJckvGijCgknwJRZKQirxXMNeI3B7UtPagMm8CbLNh7hur9Fmf6+59xSU9h 2qASj2XLuXo8TTN6wChU0BQPtDBzAUyydq2oSgFwhRE8ieLDMctBSsDcb33I/grz 2ntArfRMN02qYDM35WuAmt8uExvDubeTzlEHa+MYX+EBuV1sl3X5pw83JZcOHFS0 DFSsrWX1CLAkxK4U5H2OlVauI260bkJaucx8Zo63QzJ39hKaMPfcPT7ruFIMBxKu tCeYiYyZaZAMNQ==
X-ME-Sender: <xms:UYEAYkWOCZtQZVFpGdv174rPWyNHpmp2Gpt7MHX4HIZFCN_-K1Yfsw> <xme:UYEAYomtdd6HHZlScW2iUVFIzyGor9scDCavLhK8XnJppWoBuHDGc8buCkIaqWR5Q 3H7mEA-whKyRg>
X-ME-Received: <xmr:UYEAYoZRsDEFci1aH-k3OfX_i25AOMlUFpNM3QlxrkrgsxoivGLCWyv2bTGLBzVjjk8w7092q7AELHT34EWMA3r7A9O6drrDNILQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvvddrheeggdegudcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepkfffgggfuffvfhfhjggtgfesthekre dttdefjeenucfhrhhomhepmfgvihhthhcuofhoohhrvgcuoehmohhorhgvsehnvghtfiho rhhkqdhhvghrvghtihgtshdrtghomheqnecuggftrfgrthhtvghrnhepudffffehhfetke eiheduudfggfehgfdvffduudejleetjeetleeggeduiefggfelnecuffhomhgrihhnpehi vghtfhdrohhrghenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfh hrohhmpehmohhorhgvsehnvghtfihorhhkqdhhvghrvghtihgtshdrtghomh
X-ME-Proxy: <xmx:UYEAYjWGvDEUUgCkD7LQe2ayu1Vr9bBZ29iVqUjeBs61dKvVA--Kag> <xmx:UYEAYumG-HgcrgL7j-e9ypNoe_c7Sy7vrS2KZmo5MCOEx9uAVKd9tg> <xmx:UYEAYodjubie6_33WHXiKhN54B5R6i0OmsGSDOP0Ysvja7bPPLAalQ> <xmx:UoEAYqyc4eLZLnNgg7qY8wbPR_yv8KAKulQfXsyKL4whMYKGHI0NDw>
Received: by mail.messagingengine.com (Postfix) with ESMTPA for <behave@ietf.org>; Sun, 6 Feb 2022 21:17:53 -0500 (EST)
Message-ID: <1b8e589e-7275-2eea-0c0a-982824f6ed7f@network-heretics.com>
Date: Sun, 06 Feb 2022 21:17:52 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0
Content-Language: en-US
To: behave@ietf.org
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de> <ff858dee-a21a-a50d-72a5-da7915ac2de4@network-heretics.com> <71b5cdb0-78af-0f77-debc-84e178fe5e3a@posteo.de> <7a008cc2-e8a3-f91d-c782-96866c36a9db@network-heretics.com> <ee760818-a3c4-3755-6bdf-afcec6fcaaad@posteo.de> <B7DFC369-E7B7-4171-9C85-F75986B5AEF6@gmail.com> <433b1ae1-aa29-8d85-2e03-25cfc669c654@posteo.de>
From: Keith Moore <moore@network-heretics.com>
In-Reply-To: <433b1ae1-aa29-8d85-2e03-25cfc669c654@posteo.de>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/behave/erAdxEAqyU3eWCkVdxaVqmlhFb4>
Subject: Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 02:18:06 -0000

On 2/6/22 21:04, Klaus Frank wrote:

>
> On 2022-02-07 01:58, Dan Wing wrote:
>> The philosophy in RFC3338 became 464XLAT, 
>> https://datatracker.ietf.org/doc/html/rfc6877
> Right, deploying a CLAT as 464XLAT has would also be a possibility. 
> But then the node would be dualstack again and not IPv6 only. That 
> would also add administrative overhead compared to NAT64+DNS64 which 
> can be deployed on the provider side only.
>> As for the DNS64 issue, could the application become NAT64-aware and 
>> do the SPF rewriting itself? See 
>> https://datatracker.ietf.org/doc/html/rfc7050 which discusses how 
>> that can work on the local application.
>
> I also sent this request to the spfbis mailinglists. And there is also 
> currently a discussion on this topic and this has been mentioned 
> before. The Tl;Dr of it is the argument on one side that as DNS64 
> already rewrites the DNS and is intended to provide a IPv6 only few of 
> the dualstack DNS. Therefore it would also be fair for anyone relying 
> on it to assume that it rewrites entries like the SPF record (which 
> counter intuitively is currently prohibited by the RFC). And on the 
> other side adding a reference to RFC7050 and RFC8880 to the SPF one 
> and patch the library because the it would require that the DNS64 
> server parses through all TXT records which can contain arbitrary data 
> in combination with the SPF record. It was also mentioned that this 
> could require a new informational RFC to be written containing 
> implementation recommendations and an evaluation of what other 
> problems mail server admins could have with ipv6 only networks.

One problem is, the NAT64 cannot notice every occurrence of an IPv4 
address in every protocol that might reach a host on the "inside" and 
correctly know whether it should translate the address.  It's simply 
impossible for a variety of reasons - the NAT can't track every 
protocol, and it doesn't have cleartext access to all of the traffic 
flowing through it.   Even something as relatively simple as trying to 
translate FTP PORT commands didn't work well.

Another problem is, what you are proposing is an incompatible change, 
which would then require SMTP servers or other spam appliances to adapt 
to the specific NAT64 model and version in use to know whether they 
should respect an SPF record.

The net is far better off if individual SMTP servers or spam filtering 
appliances can be configurable to translate the SPF records themselves, 
and NOT expect NAT64s to do it.   NAT is bad enough without changing how 
it works every time a new protocol is found that needs special handling.

>
>> A problem with rewriting SPF records within DNS64 is that other IPv4 
>> addresses may well appear in TXT records, throwing a loop to 
>> applications which won't know if the DNS64 has done rewriting or if 
>> the application needs to do rewriting.  A long-standing problem with 
>> NAT "support" for applications since the days of FTP PASV.
>>
>> I will also +1 Keith's comment that SPF is a borked standard, even if 
>> the world had no NATs.  DKIM and DMARC are superior.
> We've reached common ground on the dismissal of NAT and SPF as failed 
> standards. But neither of our opinions will change that both are 
> broadly used, industry favored and therefore we'll having to be dealt 
> with them. 

Yes, NATs need to be dealt with.  And the way to deal with them is to 
adopt IPv6 wholesale and deprecate NATs, with extreme prejudice, as soon 
as possible.   That won't stop people from using them anyway, but it 
might discourage people from expecting NATs to forever be patched to 
accommodate every new application that they break.

And what is IETF's purpose if not to communicate to the industry how the 
Internet will evolve?   Insisting that IETF must do whatever the 
industry does gets it exactly backwards.   The industry will always 
paint itself into corners without some adult supervision, because that's 
what maximizes short-term profit.

Keith

p.s. I was just thinking of something I heard in 1980, from a friend who 
worked at Xerox PARC: "The problem with smart intermediaries..." (what 
we'd now call middleboxes) "is that they have to be smarter than their 
endpoints."   And that's why it's always been obvious to me not only 
that NATs were a Bad Idea, but also why.

v2.23.0 | Report a Bug | By Email