IETF Logo Mail Archive

Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues

Klaus Frank <klaus.frank@posteo.de> Mon, 07 February 2022 02:04 UTC

Return-Path: <klaus.frank@posteo.de>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1FFD3A1178 for <behave@ietfa.amsl.com>; Sun, 6 Feb 2022 18:04:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=posteo.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mQKl8QnQxcvg for <behave@ietfa.amsl.com>; Sun, 6 Feb 2022 18:04:19 -0800 (PST)
Received: from mout01.posteo.de (mout01.posteo.de [185.67.36.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC10D3A116F for <behave@ietf.org>; Sun, 6 Feb 2022 18:04:18 -0800 (PST)
Received: from submission (posteo.de [185.67.36.169]) by mout01.posteo.de (Postfix) with ESMTPS id A9958240026 for <behave@ietf.org>; Mon, 7 Feb 2022 03:04:14 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017; t=1644199454; bh=GcqeleFbLsen0gGvt0juhHCe6iVCS2b99wDp9rDEG5c=; h=Date:Subject:To:From:From; b=NaueyKGKjRcygcCuwjcbgD08UoZH7TsOyHhHTjz9VeTpKlFP5iBl4nuXTgHoQVZKH 3AZeFsx6OXlD2hbYDhxWzSlakTgnKSLqGFQbM7WauUdkJrYWgbu1pfbn1/OCpn2/55 0hhcBa5mhoW70IVI2zhXPKUx2GGVK5oUJy2h7tVX/DH16Z282terdxIrG/7V098Aeq vojSHvLK9ruUYZNh7PAj94qOcsYiW0TraeAbC58fE5Q1BZtFXXtDcI/Yk8M8cxB9zo Hi+suosoHLVVOjesT0rHjZN4bFDePB8QEy5aOawcMeryGapEdOGWHhGymcxpZw4Okr VtEiS7vB0Z1Vw==
Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4JsTwF4P2Dz6tq5 for <behave@ietf.org>; Mon, 7 Feb 2022 03:04:13 +0100 (CET)
Message-ID: <433b1ae1-aa29-8d85-2e03-25cfc669c654@posteo.de>
Date: Mon, 07 Feb 2022 02:04:11 +0000
MIME-Version: 1.0
Content-Language: en-US
To: behave@ietf.org
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de> <ff858dee-a21a-a50d-72a5-da7915ac2de4@network-heretics.com> <71b5cdb0-78af-0f77-debc-84e178fe5e3a@posteo.de> <7a008cc2-e8a3-f91d-c782-96866c36a9db@network-heretics.com> <ee760818-a3c4-3755-6bdf-afcec6fcaaad@posteo.de> <B7DFC369-E7B7-4171-9C85-F75986B5AEF6@gmail.com>
From: Klaus Frank <klaus.frank@posteo.de>
In-Reply-To: <B7DFC369-E7B7-4171-9C85-F75986B5AEF6@gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms000709010205020805060004"
Archived-At: <https://mailarchive.ietf.org/arch/msg/behave/rgUR4ebvUvCAg1ysheuyIECMab8>
Subject: Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 02:04:35 -0000

On 2022-02-07 01:58, Dan Wing wrote:
> The philosophy in RFC3338 became 464XLAT, https://datatracker.ietf.org/doc/html/rfc6877
Right, deploying a CLAT as 464XLAT has would also be a possibility. But 
then the node would be dualstack again and not IPv6 only. That would 
also add administrative overhead compared to NAT64+DNS64 which can be 
deployed on the provider side only.
> As for the DNS64 issue, could the application become NAT64-aware and do the SPF rewriting itself?  See https://datatracker.ietf.org/doc/html/rfc7050 which discusses how that can work on the local application.

I also sent this request to the spfbis mailinglists. And there is also 
currently a discussion on this topic and this has been mentioned before. 
The Tl;Dr of it is the argument on one side that as DNS64 already 
rewrites the DNS and is intended to provide a IPv6 only few of the 
dualstack DNS. Therefore it would also be fair for anyone relying on it 
to assume that it rewrites entries like the SPF record (which counter 
intuitively is currently prohibited by the RFC). And on the other side 
adding a reference to RFC7050 and RFC8880 to the SPF one and patch the 
library because the it would require that the DNS64 server parses 
through all TXT records which can contain arbitrary data in combination 
with the SPF record. It was also mentioned that this could require a new 
informational RFC to be written containing implementation 
recommendations and an evaluation of what other problems mail server 
admins could have with ipv6 only networks.

> A problem with rewriting SPF records within DNS64 is that other IPv4 addresses may well appear in TXT records, throwing a loop to applications which won't know if the DNS64 has done rewriting or if the application needs to do rewriting.  A long-standing problem with NAT "support" for applications since the days of FTP PASV.
>
> I will also +1 Keith's comment that SPF is a borked standard, even if the world had no NATs.  DKIM and DMARC are superior.
We've reached common ground on the dismissal of NAT and SPF as failed 
standards. But neither of our opinions will change that both are broadly 
used, industry favored and therefore we'll having to be dealt with them. 
And I rather have NAT64+DNS64 than dualstack with NAT44 (or sometimes 
NAT444). It's already bad enough that the k8s people want to advocate 
for NAT66 because of a false sense of security. But that's a topic for 
another day...
> -d
>> On Feb 6, 2022, at 4:47 PM, Klaus Frank <klaus.frank@posteo.de> wrote:
>>
>> This is neither helpful nor constructive.
>>
>> But if you really want to talk about spilled milk, why don't we talk about RFC3338 then? If that one is a bit polished it could completely eliminate the need for NAT64. But it was dropped in the process and never got past Experimental. I'd have some ideas on how to make it fly, but I don't see value in following up an RFC that was dropped 20 years ago and diverge from a bad but industry favored solution (NAT64) that compared to RFC3338 has seen adoption and is also already used in the wild...
>>
>> On 2022-02-07 01:41, Keith Moore wrote:
>>> On 2/6/22 19:38, Klaus Frank wrote:
>>>
>>>> I can understand you. I also don't like NAT. And I would also have favored different migration paths from IPv4 to IPv6. But NAT64+DNS64 is the one we got. I'm sure there have been discussions earlier. I didn't want to resume or repeat those discussions. I'm certain there are valid reasons for why we have the current migration paths and that the pros and cons of different strategies have been covered adequately.
>>>>
>>>> Nonetheless DNS64 is incomplete without also addressing the SPF record.
>>>>
>>> Disagree.  DNS64 is inherently incomplete and cannot be fixed.  I will strongly object to any effort to further pollute DNS in the name of making NAT appear to work.
>>>
>>> Keith
>>>
>>>
>>> _______________________________________________
>>> Behave mailing list
>>> Behave@ietf.org
>>> https://www.ietf.org/mailman/listinfo/behave
>> _______________________________________________
>> Behave mailing list
>> Behave@ietf.org
>> https://www.ietf.org/mailman/listinfo/behave
> _______________________________________________
> Behave mailing list
> Behave@ietf.org
> https://www.ietf.org/mailman/listinfo/behave

v2.23.0 | Report a Bug | By Email