IETF Logo Mail Archive

Re: [dmarc-ietf] Protocols All The Way Down (long - sorry)

Douglas Foster <dougfoster.emailstandards@gmail.com> Wed, 12 July 2023 01:18 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64160C15154E for <dmarc@ietfa.amsl.com>; Tue, 11 Jul 2023 18:18:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R47uGGNwetGG for <dmarc@ietfa.amsl.com>; Tue, 11 Jul 2023 18:18:21 -0700 (PDT)
Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47ED2C14CF1D for <dmarc@ietf.org>; Tue, 11 Jul 2023 18:18:21 -0700 (PDT)
Received: by mail-lj1-x22e.google.com with SMTP id 38308e7fff4ca-2b703caf344so98844541fa.1 for <dmarc@ietf.org>; Tue, 11 Jul 2023 18:18:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1689124699; x=1691716699; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=AciOTVr7aEp5PdcSQ2X/wCA40s07mrgd++PcVmsqvTY=; b=N1hvmsSDL7EltE9dwUg+tGVGixpGKNGH84pegyIjM6jKe65fM9OBpBSrI3yR4W/6GI GueXVyEc9c6zvrp2mRYO/Q8gQxWRJHKRUP/ch++aD41cwjqmrWKhH4DlVo/QPTR40Jn3 dF2PSsmhlrNYAtfOZd5YZSD9JiuCE3voEOgk0cUR13mJaZ1ozLeRQMe2CQPkchC/HETa 5QnLiogPAscGGef4kv1LveWHyN9iVRMY4KKybHnGn6uwhCZ24caMqoOokIDKrBdYH4oO 6B0p5VhkY18rAf4vSME29HVR9dl5ywZE5gZdmMO9Za0/krTKMqyWIkFbbI3kDYg9Tme6 /awQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689124699; x=1691716699; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=AciOTVr7aEp5PdcSQ2X/wCA40s07mrgd++PcVmsqvTY=; b=UzQe8Mqo4p79A3CtcozPe4M9NjjHTdsLc5l4FAzn9LOe4+dCeiZcUZpz3869E1ys03 npyAJpC2GJlBAMopAJ/qyp1Nn1zec/7dtOCpMR+UoZFpbecgudlPMfT1pzPXd+zBcK5K 71L0Cqg8cERmxgLNfRGb5DxMBN8UG6WSgawI66U6OZjC0+LEB+7DYRNZVRL6HeuZ/ssX LZm7jLvyn9TKdvoYKbba0HUv66kXOK4BF1hswe5DuOiH7X3nBYlj4BdJBEWR+y4gd2NG moKaluCXbK0PLD8zQ/eBVQQ1ODcs0fex6H4iX13LJqaaqafWpgsO5PGn12hpOn62yugB EECw==
X-Gm-Message-State: ABy/qLYEcoDWnawCOsORNBhaGoft1kgZem5EhDz/fTdMgK+oxpsWHZW1 pB1Q6Jqt35hWMFi/MeFezKl1eREkAV3pOYMP/T3IjnEJ
X-Google-Smtp-Source: APBJJlHObNqsOtBikFnI6kK8bpqS38/ua73DpKMHYwtlKHPq0kwxCOyMmr4MTY66VMVhC+n5rD1Pg2XNKzYsFwS6k5M=
X-Received: by 2002:a2e:8295:0:b0:2b6:e623:7b57 with SMTP id y21-20020a2e8295000000b002b6e6237b57mr13761871ljg.25.1689124698613; Tue, 11 Jul 2023 18:18:18 -0700 (PDT)
MIME-Version: 1.0
References: <45652091.fMDQidcC6G@l5580-debian> <CAAFsWK0Hdf8X=KDE_iJ7coFan-jGZi-oMaBgc3aH4s9P2bmxaQ@mail.gmail.com>
In-Reply-To: <CAAFsWK0Hdf8X=KDE_iJ7coFan-jGZi-oMaBgc3aH4s9P2bmxaQ@mail.gmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Tue, 11 Jul 2023 21:18:09 -0400
Message-ID: <CAH48ZfxGkXKXwtcpJvvptZT8XAiggZAaAULTFXuMqCNhkoy1tA@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a46a9f06003ffd87"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/OIv5kwji7izdgOB-UszGAAC-Kgo>
Subject: Re: [dmarc-ietf] Protocols All The Way Down (long - sorry)
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Jul 2023 01:18:25 -0000

So we disable SPF when the sender tells us to do so., but leave it enabled
by default    That makes a lot of sense to me.

When the domain passes SPF on a shared server farm, but provides no DKIM
signatures, I currently have no choice other than to consider the message
to be authenticated.  The AUTH token will provide that reason.

Hosting services could insist that senders configure DKIM, but that seems
to be a pipe dream.

Doug

On Tue, Jul 11, 2023, 8:50 PM Wei Chuang <weihaw=40google.com@dmarc.ietf.org>
wrote:

> The data we presented June 20th (archive
> <https://mailarchive.ietf.org/arch/msg/dmarc/KeGbMfX91WJk_aziKsrRfI6AYkI/>)
> also suggests that it is premature to drop SPF from DMARC.  However I
> differ in believing that we should accept the spoofing risk demonstrated
> recently via SPF, and that we shouldn't strive to reduce it by making
> improvements to DMARC and possibly SPF.  One approach is to enable
> different senders to distinguish their differing levels of risk and
> infrastructure by letting them specify an "auth=" flag proposed on the
> 20th
> <https://mailarchive.ietf.org/arch/msg/dmarc/KeGbMfX91WJk_aziKsrRfI6AYkI/>.
> For example a mom-and-pop sender on their own infrastructure with their own
> IPs will have a different profile than a risky, enterprise sender on shared
> IPs.  The former would be reasonably safe using SPF and would benefit most
> from using it.  The latter should use DKIM authentication only due to the
> risk of SPF upgrade spoofing and the phishing exposure.  I describe some
> additional ideas about how to use "auth=" flag with different risk and
> infrastructure stratification on the DKIM list on July 3rd (archive
> <https://mailarchive.ietf.org/arch/msg/ietf-dkim/6ms55apP0RtLzr34CCgjWRYkVsA/>
> ).
>
> And FWIW I don't think mom-and-pop senders will find it that hard to adopt
> DKIM if sufficiently motivated.  For example for BIMI on Gmail, we now
> require DKIM-only authentication.  Indeed a new BIMI sender that I perceive
> to be running literally a "mom-and-pop" produce shop was using SPF
> authentication and was confused as to why their logo wasn't showing.  After
> explaining the requirement they were able to move to DKIM authentication in
> one day.  Yes, it did take explaining twice what was happening, but they
> were able to deploy DKIM on their own and got their logo to show up.
>
> Also can we do more to harden SPF?  The SPF upgrade attacks needs three
> things:
>
>    - IPs shared by multiple sending domains
>    - Some sender uses those IPs that permits spam and phish traffic
>    - Those multiple sending domains have SPF policies that include those
>    IPs
>
> Perhaps one way to harden to SPF for DMARC is to detect if the IPs are
> shared.  The authenticator in addition to regular to SPF validation, might
> be able to use reverse PTR lookup and match the SPF record domain name (or
> match some subset like the org domain) to forward validate.  Only one
> domain can claim ownership for the IPs and be allowed to SPF authenticate
> for DMARC.
>
> -Wei
>
> On Mon, Jul 10, 2023 at 5:38 PM Scott Kitterman <sklist@kitterman.com>
> wrote:
>
>> I've been thinking about the thread on ditching SPF relative to DMARC.
>>
>> DMARC is built on other protocols.  Piles of them.
>>
>> DMARC is built most directly on DNS, DKIM, and SPF.  It is also built on
>> SMTP
>> and Email.  DKIM and SPF are also built on DNS and SMTP (SPF) or Email
>> (DKIM).
>> These protocols are built on others.  All of them have flaws and
>> limitations.
>>
>> As an example, although each of the three top level protocols in this
>> particular stack depend on data from DNS being reliable, they merely
>> counsel
>> caution about DNS spoofing, they don't mandate DNSSEC.  Note that other
>> protocols have different choices in this regard (e.g. DANE).
>>
>> We accept the risk of DNS spoofing associated with non-DNSSEC secured DNS
>> because the view is that the benefit to deployability of SPF, DKIM, and
>> DMARC
>> is sufficient to offset the risks.
>>
>> What are the risks?  Since DNS spoofing is not particularly easy since
>> Dan
>> Kaminsky got everyone to implement source port randomization [1].  I
>> think
>> it's reasonable to assume if an actor is going to the trouble to spoff
>> SPF/
>> DKIM/DMARC records, then it's to try and get a 'bad' message to appear
>> authentic.  I'm not aware of this being a significant problem (probably
>> since
>> there are easier ways to do it), so I think the design decision to not
>> limit
>> these protols to DNSSEC protected domains is a reasonable one.
>>
>> Similarly, SPF pass results can be leveraged to a DMARC a DMARC pass
>> result if
>> an actor can manage to get a third party provider to accept mail to be
>> sent
>> with the victim domain's mail from when that domain has listed that third
>> party as a source of authorized mail.  RFC 7208 warns about this risk {2}.
>>
>> DKIM has different risks.  The cryptographic mechanism used by DKIM is
>> meant to
>> provide strong, but limited duration assurance that an email was sent
>> through
>> a mail server authorized to do so and additionally that it has not been
>> modified in certain ways since.  This has not always worked out well
>> [3].  It
>> only took the IETF six years to address the issue [4].  Additionally, for
>> some
>> types of senders, they can be vulnerable to replay if they sign on 'bad'
>> message in error.  This is an issue that was identified during DKIM's
>> development and warned about in the protocol documentation [5].
>>
>> This might all seem terrible, but it's really not.  If you look that the
>> goals
>> of DMARC (current draft section 2.1), they are modest.  Specific to this
>> particular question:
>>
>>    *  Allow Domain Owners and PSOs to assert their desired message
>>       handling for authentication failures for messages purporting to
>>       have authorship within the domain.
>>
>>    *  Reduce the amount of successfully delivered spoofed emails.
>>
>> The risks associated with all the above issues are that there are cases
>> where
>> 'bad' messages pass DMARC and so the domain owner/PSO policy is not
>> applied.
>> Given that none of these protocols are perfect (and the risks extend much
>> further than these I've highlighted), there are always going to be
>> messages
>> that get marked DMARC pass that are 'bad'.  Fundamentally 'good' and
>> 'bad'
>> aren't fully reducible to a protocol and the gaps between the protocol
>> and
>> human judgement will always exist.
>>
>> Any message that passes DMARC should still be sugject to the normal spam/
>> phising prevent processing done by receivers.  Just because you got an
>> email
>> from bigbank.example which passed DMARC, doesn't mean that it might not
>> have
>> been sent through a compromised desktop in bigbank.example's office that
>> has the
>> least professionally run information secuirty opreation.
>>
>> DMARC is going to have false positives and false negatives and those need
>> to
>> be considered by implementers when assessing how to use DMARC.  The
>> 'problem'
>> with DMARC (including the 'problem' with SPF in DMARC) only arises when
>> DMARC
>> results are used in ways that were never intended.  By design and based
>> on the
>> goals of DMARC, a DMARC pass result doesn't carry any guarantee that any
>> particular email was in fact sent legitimately by the organization that
>> claimed to send it, but unfortunately, people are assuming it does [6].
>>
>> As I've said before, I don't think dropping SPF from DMARC is a good idea
>> and
>> I don't think it will usefully solve the problem that proponents of
>> dropping
>> think it will solve.  I do think we need to do something in the draft to
>> address the overall question of the reliability of the DMARC assertion
>> that a
>> particular message is authorized/has been authenticated.
>>
>> The think that the current security considerations are insufficient and
>> we can
>> address these concerns by expanding on them.  Currently, the DMARCbis
>> Security
>> Considerations start with:
>>
>> > 11.1.  Authentication Methods
>> >
>> >    Security considerations from the authentication methods used by DMARC
>> >    are incorporated here by reference.
>>
>> I would assess that as necessary, but not sufficient.  Here's my proposal
>> for
>> expanding 11.1:
>>
>>
>> 11.1.  Authentication Methods
>>
>>    Security considerations from the authentication methods used by DMARC
>>    are incorporated here by reference.  See [RFC6376 Section 8] and [RFC
>> 7208,
>>    Section 11].  Failures in the underlying methods can result in
>> incorrect
>>    DMARC results.  The impact of such incorrect results is that sender's
>> DMARC
>>    policy would not be applied in some cases where that is desirable.
>> Since
>>    DMARC itself associates no positive attribute with a DMARC pass
>> result, the
>>    impact of these cases is generally minor.  Any domain owner that
>> intends to
>>    make use of positive DMARC results as an overall indication of domain
>>    reputation will need to carefully assess the impacts of these risks to
>> such
>>    an assertion.
>>
>> Something like that.  I think this topic should be on the meeting agenda
>> too.
>>
>> Scott K
>>
>>
>> [1] https://lwn.net/Articles/289138/
>> [2] https://datatracker.ietf.org/doc/html/rfc7208#section-11.4
>> [3] https://www.wired.com/2012/10/dkim-vulnerability-widespread/
>> [4] https://datatracker.ietf.org/doc/html/rfc8301
>> [5] https://datatracker.ietf.org/doc/html/rfc6376#section-8.6
>> [6]
>> https://datatracker.ietf.org/doc/draft-brand-indicators-for-message-identification/
>>
>>
>> _______________________________________________
>> dmarc mailing list
>> dmarc@ietf.org
>> https://www.ietf.org/mailman/listinfo/dmarc
>>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email