Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues
Klaus Frank <klaus.frank@posteo.de> Mon, 07 February 2022 02:04 UTC
Return-Path: <klaus.frank@posteo.de>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1FFD3A1178 for <behave@ietfa.amsl.com>; Sun, 6 Feb 2022 18:04:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=posteo.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mQKl8QnQxcvg for <behave@ietfa.amsl.com>; Sun, 6 Feb 2022 18:04:19 -0800 (PST)
Received: from mout01.posteo.de (mout01.posteo.de [185.67.36.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC10D3A116F for <behave@ietf.org>; Sun, 6 Feb 2022 18:04:18 -0800 (PST)
Received: from submission (posteo.de [185.67.36.169]) by mout01.posteo.de (Postfix) with ESMTPS id A9958240026 for <behave@ietf.org>; Mon, 7 Feb 2022 03:04:14 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017; t=1644199454; bh=GcqeleFbLsen0gGvt0juhHCe6iVCS2b99wDp9rDEG5c=; h=Date:Subject:To:From:From; b=NaueyKGKjRcygcCuwjcbgD08UoZH7TsOyHhHTjz9VeTpKlFP5iBl4nuXTgHoQVZKH 3AZeFsx6OXlD2hbYDhxWzSlakTgnKSLqGFQbM7WauUdkJrYWgbu1pfbn1/OCpn2/55 0hhcBa5mhoW70IVI2zhXPKUx2GGVK5oUJy2h7tVX/DH16Z282terdxIrG/7V098Aeq vojSHvLK9ruUYZNh7PAj94qOcsYiW0TraeAbC58fE5Q1BZtFXXtDcI/Yk8M8cxB9zo Hi+suosoHLVVOjesT0rHjZN4bFDePB8QEy5aOawcMeryGapEdOGWHhGymcxpZw4Okr VtEiS7vB0Z1Vw==
Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4JsTwF4P2Dz6tq5 for <behave@ietf.org>; Mon, 7 Feb 2022 03:04:13 +0100 (CET)
Message-ID: <433b1ae1-aa29-8d85-2e03-25cfc669c654@posteo.de>
Date: Mon, 07 Feb 2022 02:04:11 +0000
MIME-Version: 1.0
Content-Language: en-US
To: behave@ietf.org
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de> <ff858dee-a21a-a50d-72a5-da7915ac2de4@network-heretics.com> <71b5cdb0-78af-0f77-debc-84e178fe5e3a@posteo.de> <7a008cc2-e8a3-f91d-c782-96866c36a9db@network-heretics.com> <ee760818-a3c4-3755-6bdf-afcec6fcaaad@posteo.de> <B7DFC369-E7B7-4171-9C85-F75986B5AEF6@gmail.com>
From: Klaus Frank <klaus.frank@posteo.de>
In-Reply-To: <B7DFC369-E7B7-4171-9C85-F75986B5AEF6@gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms000709010205020805060004"
Archived-At: <https://mailarchive.ietf.org/arch/msg/behave/rgUR4ebvUvCAg1ysheuyIECMab8>
Subject: Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 02:04:35 -0000
On 2022-02-07 01:58, Dan Wing wrote: > The philosophy in RFC3338 became 464XLAT, https://datatracker.ietf.org/doc/html/rfc6877 Right, deploying a CLAT as 464XLAT has would also be a possibility. But then the node would be dualstack again and not IPv6 only. That would also add administrative overhead compared to NAT64+DNS64 which can be deployed on the provider side only. > As for the DNS64 issue, could the application become NAT64-aware and do the SPF rewriting itself? See https://datatracker.ietf.org/doc/html/rfc7050 which discusses how that can work on the local application. I also sent this request to the spfbis mailinglists. And there is also currently a discussion on this topic and this has been mentioned before. The Tl;Dr of it is the argument on one side that as DNS64 already rewrites the DNS and is intended to provide a IPv6 only few of the dualstack DNS. Therefore it would also be fair for anyone relying on it to assume that it rewrites entries like the SPF record (which counter intuitively is currently prohibited by the RFC). And on the other side adding a reference to RFC7050 and RFC8880 to the SPF one and patch the library because the it would require that the DNS64 server parses through all TXT records which can contain arbitrary data in combination with the SPF record. It was also mentioned that this could require a new informational RFC to be written containing implementation recommendations and an evaluation of what other problems mail server admins could have with ipv6 only networks. > A problem with rewriting SPF records within DNS64 is that other IPv4 addresses may well appear in TXT records, throwing a loop to applications which won't know if the DNS64 has done rewriting or if the application needs to do rewriting. A long-standing problem with NAT "support" for applications since the days of FTP PASV. > > I will also +1 Keith's comment that SPF is a borked standard, even if the world had no NATs. DKIM and DMARC are superior. We've reached common ground on the dismissal of NAT and SPF as failed standards. But neither of our opinions will change that both are broadly used, industry favored and therefore we'll having to be dealt with them. And I rather have NAT64+DNS64 than dualstack with NAT44 (or sometimes NAT444). It's already bad enough that the k8s people want to advocate for NAT66 because of a false sense of security. But that's a topic for another day... > -d >> On Feb 6, 2022, at 4:47 PM, Klaus Frank <klaus.frank@posteo.de> wrote: >> >> This is neither helpful nor constructive. >> >> But if you really want to talk about spilled milk, why don't we talk about RFC3338 then? If that one is a bit polished it could completely eliminate the need for NAT64. But it was dropped in the process and never got past Experimental. I'd have some ideas on how to make it fly, but I don't see value in following up an RFC that was dropped 20 years ago and diverge from a bad but industry favored solution (NAT64) that compared to RFC3338 has seen adoption and is also already used in the wild... >> >> On 2022-02-07 01:41, Keith Moore wrote: >>> On 2/6/22 19:38, Klaus Frank wrote: >>> >>>> I can understand you. I also don't like NAT. And I would also have favored different migration paths from IPv4 to IPv6. But NAT64+DNS64 is the one we got. I'm sure there have been discussions earlier. I didn't want to resume or repeat those discussions. I'm certain there are valid reasons for why we have the current migration paths and that the pros and cons of different strategies have been covered adequately. >>>> >>>> Nonetheless DNS64 is incomplete without also addressing the SPF record. >>>> >>> Disagree. DNS64 is inherently incomplete and cannot be fixed. I will strongly object to any effort to further pollute DNS in the name of making NAT appear to work. >>> >>> Keith >>> >>> >>> _______________________________________________ >>> Behave mailing list >>> Behave@ietf.org >>> https://www.ietf.org/mailman/listinfo/behave >> _______________________________________________ >> Behave mailing list >> Behave@ietf.org >> https://www.ietf.org/mailman/listinfo/behave > _______________________________________________ > Behave mailing list > Behave@ietf.org > https://www.ietf.org/mailman/listinfo/behave
- Re: [BEHAVE] [spfbis] RFC6147 and RFC7208 interop… Marc Blanchet
- [BEHAVE] RFC6147 and RFC7208 interoperability iss… Klaus Frank
- Re: [BEHAVE] [spfbis] RFC6147 and RFC7208 interop… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Dan Wing
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Christian Huitema
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Christian Huitema
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… marcelo bagnulo braun
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… marcelo bagnulo braun
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… marcelo bagnulo braun
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… marcelo bagnulo braun
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Andrew Sullivan
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Andrew Sullivan
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Christian Huitema
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… David Conrad
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Christian Huitema
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Christian Huitema
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Christian Huitema
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… David Conrad
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… David Conrad
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… JORDI PALET MARTINEZ
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Dan Wing
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Christian Huitema
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Dan Wing
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Andrew Sullivan
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] [spfbis] RFC6147 and RFC7208 interop… Hector Santos
- Re: [BEHAVE] [spfbis] RFC6147 and RFC7208 interop… Mark Andrews
- Re: [BEHAVE] [spfbis] RFC6147 and RFC7208 interop… Mark Andrews
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… marcelo bagnulo braun
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Christian Huitema
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… marcelo bagnulo braun
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… mohamed.boucadair
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Keith Moore
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Christian Huitema
- Re: [BEHAVE] RFC6147 and RFC7208 interoperability… Klaus Frank