IETF Logo Mail Archive

Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues

Christian Huitema <huitema@huitema.net> Mon, 07 February 2022 02:14 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2BFF3A1195 for <behave@ietfa.amsl.com>; Sun, 6 Feb 2022 18:14:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level:
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.714, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kgPYOjjku_YY for <behave@ietfa.amsl.com>; Sun, 6 Feb 2022 18:14:03 -0800 (PST)
Received: from mx36-out10.antispamcloud.com (mx36-out10.antispamcloud.com [209.126.121.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B2E53A1192 for <behave@ietf.org>; Sun, 6 Feb 2022 18:13:34 -0800 (PST)
Received: from xse441.mail2web.com ([66.113.197.187] helo=xse.mail2web.com) by mx259.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1nGtWo-0002Dq-GS for behave@ietf.org; Mon, 07 Feb 2022 03:13:31 +0100
Received: from xsmtp21.mail2web.com (unknown [10.100.68.60]) by xse.mail2web.com (Postfix) with ESMTPS id 4JsV6c3tTyz9b1 for <behave@ietf.org>; Sun, 6 Feb 2022 18:13:12 -0800 (PST)
Received: from [10.5.2.16] (helo=xmail06.myhosting.com) by xsmtp21.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1nGtWi-0003GX-Dr for behave@ietf.org; Sun, 06 Feb 2022 18:13:12 -0800
Received: (qmail 13819 invoked from network); 7 Feb 2022 02:13:11 -0000
Received: from unknown (HELO [192.168.1.105]) (Authenticated-user:_huitema@huitema.net@[172.58.46.218]) (envelope-sender <huitema@huitema.net>) by xmail06.myhosting.com (qmail-ldap-1.03) with ESMTPA for <moore@network-heretics.com>; 7 Feb 2022 02:13:11 -0000
Message-ID: <e95993e4-4166-4b3d-1637-8ca451b093b6@huitema.net>
Date: Sun, 06 Feb 2022 18:13:12 -0800
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0
Content-Language: en-US
To: Keith Moore <moore@network-heretics.com>, behave@ietf.org, Klaus Frank <klaus.frank@posteo.de>
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de> <ff858dee-a21a-a50d-72a5-da7915ac2de4@network-heretics.com> <71b5cdb0-78af-0f77-debc-84e178fe5e3a@posteo.de> <7a008cc2-e8a3-f91d-c782-96866c36a9db@network-heretics.com> <ee760818-a3c4-3755-6bdf-afcec6fcaaad@posteo.de> <B7DFC369-E7B7-4171-9C85-F75986B5AEF6@gmail.com> <6123a322-e9a7-7f90-391f-9b4c4461ce45@network-heretics.com>
From: Christian Huitema <huitema@huitema.net>
In-Reply-To: <6123a322-e9a7-7f90-391f-9b4c4461ce45@network-heretics.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Originating-IP: 66.113.197.187
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.197.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.197.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT9WLQux0N3HQm8ltz8rnu+BPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5zVVrN4oC+7+v6H1pDHwMpu42UuDhyzVYcwl2RB+0Aaenk8 E09CZAP/fK9eYT8+3TMh55uqY3MhMgFAHq5BxPxPXn36fLqvhISQ5ykyqUZqUd1jhnM/Mbva2XLV /LIEzaL2KoAZhJekBPedneT7f699iwgQ+2yl7BoDncKB+ziACIPAgTtUp75uqlx0KezvZHVrtC+3 u7imVaHvXwOgpH/5WQaaSSaRcFTFxaRvADgOuFdAU5fRzM/QzQW9/IoH33AG8ECuCwECazCwODtO F78PiyQEs+dlGXUJLWZ+Gc08Nmllke3azHdKmySKNUVQl4ntlVxnbS8qIO7oudHyb2T1VQ58xe/l rqiRGalI3YPsxOTrFXToVyBmRCgQVX6zVyFUu8qzeMQP6uTHL0d9UjfY+eX5ZvcELCIKs663F/co VFYFvf25LVONYbYifH5OzZDcG6hsRQZiAIgw+z837AqgX7ewI8e1h7RITgN14BHmGVt/ReJ9Mfhz zmbKTH7wI9GEU1utNskUAORCV2WFZX0jvQDJ+ubUA3pW9vyNwhNtqaTeVLW3pB0Q/PTyowo5Afv6 LkS0hTusOK1bceu/hDsBCFXoGKtafvOtcW/mP16byrL/nwvREHuP3/Ps3A4Pt7hRyBl07OVp2D/S 9ogT8aIX6abOyKlLsxs8P4CT3FEuGwuxQq7ueHGtTj/d/kQbISOC1AI9a3irbifzymzQYX+PmkZt v+XJkvG9QHv+K6ZFSUhaWEjXg95NhwIVc4EkVQKKuZkMyFBGaEBYeh6pTEjUV1/Kwny5K9D9hSXp 14pgnX6m+UeFXprlCOm3BAEbJtAT1BYHStA0OogdNtRxnRSLF+XCKxIG9XMEgRDdaWpvCv+zESlk TxdSCNcDfRohcehWBb39uS1TjWG2Inx+Ts2QNOYPIz4ynMa7pZQ4hi/HGtuWeHzx9sLaQmDwvYQn 76e9NXttZBkk6PeFqH6So31P
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/behave/tLw-8GIeFVSHbGklWOEbOkJsJ5Q>
Subject: Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 02:14:10 -0000

On 2/6/2022 5:52 PM, Keith Moore wrote:
> On 2/6/22 19:58, Dan Wing wrote:
>
>> A problem with rewriting SPF records within DNS64 is that other IPv4 
>> addresses may well appear in TXT records, throwing a loop to 
>> applications which won't know if the DNS64 has done rewriting or if 
>> the application needs to do rewriting.  A long-standing problem with 
>> NAT "support" for applications since the days of FTP PASV.
>
> +1
>
> In general the problem with NATs is that they try to hide what they're 
> doing from applications.   But they are never completely successful at 
> that, and they cannot be.    And it's often difficult for the 
> application to work-around the damage caused by the NAT.  In 
> hindsight, it would have been far better for NATs to always be 
> explicitly visible to applications; then at least the applications and 
> NATs wouldn't be trying to second-guess one another.
>
> But that's water under the bridge.   At this point the best thing that 
> can be done is to transition to IPv6 only (except for some legacy 
> hardware on local networks), and eradicate NATs as soon as possible.


DNS64 is a kludge. It looked like a good idea at the time, but there are 
many corner cases. For example, it is well known to not be compatible 
with specifications like DNSSEC. DNS64 also breaks completely is the 
local host uses an encrypted DNS connection (e.g. DoH) to a secure DNS 
resolver. Klaus raises yet another issue: the local SMTP server will see 
incoming connections from an IPv6 address that bears no relation to what 
is in the SPF record of the remote source. This is pretty much the same 
problem as DNSSEC, and the solution is pretty much what is defined in 
Section 6.2. of RFC 6147: "the validator must know how to perform the 
DNS64 function itself". That means the SMTP server should:

1) Know the local NAT64 prefix

2) Recognize that the incoming connection is from the local NAT64 prefix,

3) Perform the reverse translation to retrieve the original IPv4 address,

4) Acquire the original version of the SPF record, either through the 
DNS64 server or through a secure server,

5) Check that the original IPv4 address matches.

Of course, doing that require special code in the SMTP server to handle 
NAT64. But that's pretty much the only solution.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email