IETF Logo Mail Archive

Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues

marcelo bagnulo braun <marcelo@it.uc3m.es> Mon, 07 February 2022 06:40 UTC

Return-Path: <marcelo@it.uc3m.es>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA8563A0126 for <behave@ietfa.amsl.com>; Sun, 6 Feb 2022 22:40:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.713
X-Spam-Level:
X-Spam-Status: No, score=-7.713 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, NICE_REPLY_A=-0.714, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=it.uc3m.es
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2UK4lPpmIr3E for <behave@ietfa.amsl.com>; Sun, 6 Feb 2022 22:40:29 -0800 (PST)
Received: from mail-ej1-x632.google.com (mail-ej1-x632.google.com [IPv6:2a00:1450:4864:20::632]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0513F3A0115 for <behave@ietf.org>; Sun, 6 Feb 2022 22:40:28 -0800 (PST)
Received: by mail-ej1-x632.google.com with SMTP id m4so39085785ejb.9 for <behave@ietf.org>; Sun, 06 Feb 2022 22:40:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=it.uc3m.es; s=google; h=message-id:date:mime-version:user-agent:subject:content-language:to :references:from:in-reply-to:content-transfer-encoding; bh=fmJuJq+PkHuqlwnhAjmZYsr5UK5PDyuLz9tgAc3XnuE=; b=h/dJv3W8ZLr/hi/m5mNUAu/Ylm93lA5Pa/W9TnjsLUYfHjBJJam0fn6+ejaQTCAXQ5 xcfYzvVC8V1R93mYz3YezfPA85LCIzUNQVJRgBROOTthB7u9draBgoFQ1rV+oWbXrrgX yrKSyIrVTM7kv2LU+QiMUDs4qqBhcHQeZ/w4XS38n9orJPipdpNJFkqiM4msiQjdB+CD SzxUXnH9BGmu4xvTaxDWa5+1+g76gWSJv+tB3gcusxrlGxQ/aCYj2LXAQqZ5y53hGsf+ k8LiiVzYCJOokHx335tGcwl4+wjtvw1YVN4wG/fINF7ZoS7NSXERb87yfM9vqOBwm1vh nuAA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:references:from:in-reply-to :content-transfer-encoding; bh=fmJuJq+PkHuqlwnhAjmZYsr5UK5PDyuLz9tgAc3XnuE=; b=Vq2CEcGyZ20XcfWbs8e9EkedYN6Qd86IVj7ON2nfbhmqpmrSxIbJ7wSCXZoibBR5/K PN8jXAqPIyUbDzNzycy695EKEoUP/US4YIksQzLZNLo65fh+TwT1vvdc7btlbxGzxrq1 ItzsjtD184nYduD57hAgv+tlAwNoAjN/LcaTv+OUXrJp6C2udVlAk3qOcct+S1q7c7bE qsGMwGZy1JwFmLKNsUiNnemUrofabQJXW75Xc4mIFvintvp4gpJliHvWc7XCR6Ri2pQa vTYlmaWrPxAGSYTlp6IZ44oPNUPgQRhnh5sFbXJMgoG4RJyck4e295wuZEoyz9IIdwGa 1pFA==
X-Gm-Message-State: AOAM531UsxUS2acc2FIkfdyFwPcr0qiv4HS6fzWxgmg9GLQJAHx5KvwR MnnUJE80GNeTe1kKYlfTiffTcYGI6l3o24WT
X-Google-Smtp-Source: ABdhPJzdoBcHlEXVXVjswsFCtgRMoORpUclSmQn+W0W1QaBykjx4/O3osoVkQFib+VY05HjF+OeOKQ==
X-Received: by 2002:a17:907:94c7:: with SMTP id dn7mr8717348ejc.101.1644216025983; Sun, 06 Feb 2022 22:40:25 -0800 (PST)
Received: from [10.118.28.105] ([163.117.64.17]) by smtp.gmail.com with ESMTPSA id ce2sm1572634ejb.9.2022.02.06.22.40.25 for <behave@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 06 Feb 2022 22:40:25 -0800 (PST)
Message-ID: <5a74c013-64f4-381f-9cfc-fe9ee573abda@it.uc3m.es>
Date: Mon, 07 Feb 2022 07:40:25 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.5.0
Content-Language: en-GB
To: behave@ietf.org
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de> <ff858dee-a21a-a50d-72a5-da7915ac2de4@network-heretics.com>
From: marcelo bagnulo braun <marcelo@it.uc3m.es>
In-Reply-To: <ff858dee-a21a-a50d-72a5-da7915ac2de4@network-heretics.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/behave/krXQnIbc9iKzU9Fz62mJsIlJWHo>
Subject: Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 06:40:35 -0000

below...

El 6/2/22 a las 23:18, Keith Moore escribió:
> On 2/6/22 13:09, Klaus Frank wrote:
>
>> Hi,
>>
>> we had some issues with SPF and a mail server that was behind 
>> NAT64+DNS64. I at first thought that it was just a misconfiguration. 
>> But after the DNS64 server seamed to work as intended I went to the 
>> implementation and the RFC. Thereby while reading RFC6147 I stumbled 
>> across section 5.3.3 which says "All other RRs MUST be returned 
>> unchanged." which is the cause of my issues. This section is 
>> basically ignoring SPF records (RFC7208 section 5.6) and also 
>> preventing DNS64 implementations from addressing this limitation.
>>
>> Would it be possible to create an extension to RFC6147 that mandates 
>> SPF record rewrites as well? Otherwise Mail servers behind 
>> NAT64+DNS64 in IPv6 only environments won't be able to work as expected.
>>
>> Like:
>> If the DNS64 server receives a SPF-record (within either the TXT-RR 
>> or the SPF-RR [RFC4408]) containing the "ip4" mechanism it MUST 
>> rewrites the ipv4 address according to the same rules as A-records 
>> are and synthesizes a new SPF record within the response that 
>> contains additional "ip6" entries. The original "ip4" should not be 
>> removed from the response.
>
> PLEASE do not try to make DNS reflect any more NAT alterations to 
> reality.  That was ALWAYS a Bad Idea.   If you're going to operate 
> application servers behind any kind of NAT, what you need to do is 
> arrange for those application servers to somehow get a view of the 
> external/global addresses that they're communicating with, even if the 
> source IP addresses that they see aren't the real ones.  (If NATs had 
> been done "right" there would be an API for this, supported by all 
> NATs.   But that ship sailed decades ago.)
>

My guess is that NAT was done wrong because the IETF decided against 
standardizing NATS in due time because it was a kludge that should not 
be done, maybe?

NATs are reality (I hope we all agree with that). I guess it is more 
productive to try to provide guidance about how to make them as harmfull 
as possible rather that ignore them, provide no guidance and end up with 
all possible version of NATs, including the worst possible ones.

Regards, marcelo

> More generally, NAT is inherently unfixable, and trying to fix it can 
> only result in infinitely growing complexity and brokenness. It's the 
> usual problem with telling lies: every lie you tell needs N additional 
> lies to cover up the earlier lies and so on recursively.
>
> (also, relying on SPF records is ill-advised, as they're too likely to 
> be out-of-sync with reality even without NATs in the picture. )
>
> Keith
>
>
> _______________________________________________
> Behave mailing list
> Behave@ietf.org
> https://www.ietf.org/mailman/listinfo/behave

v2.23.0 | Report a Bug | By Email