IETF Logo Mail Archive

Re: [dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily

Seth Blank <seth@sethblank.com> Sun, 29 July 2018 01:12 UTC

Return-Path: <seth@sethblank.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8FF1131185 for <dmarc@ietfa.amsl.com>; Sat, 28 Jul 2018 18:12:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sethblank-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DEtoBm6Dyh2J for <dmarc@ietfa.amsl.com>; Sat, 28 Jul 2018 18:12:45 -0700 (PDT)
Received: from mail-oi0-x22f.google.com (mail-oi0-x22f.google.com [IPv6:2607:f8b0:4003:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8F60130EA7 for <dmarc@ietf.org>; Sat, 28 Jul 2018 18:12:44 -0700 (PDT)
Received: by mail-oi0-x22f.google.com with SMTP id k12-v6so15453136oiw.8 for <dmarc@ietf.org>; Sat, 28 Jul 2018 18:12:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sethblank-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=032SZd9s02ZQCUQf8tx8FABAsSIRv9YP0nKh9DIwGUE=; b=xBN3zsOiiaOsHXFmdMSDiABgpaQQ1PhcwHWc7ntqOy3wrEgjAqQA50P8BnyP3a2Ams uNzCxphTXjBdwbt4gW4rpq1nXDG8P2hBr/XA1p8ejmCoUzXDGsyk22GiLxy8fF+MPFMa U+9IK8n1atioTYMYLtyarB2173R5Ow33ZU30PaXcKMHhJOlH0frbUNrhodrQukjVeyPx Gn42ZVPESQhDkZM4JXhNAZsyzNoykG/QjWcg8hyyThk63ifKHsgkXh/bxlEPD16uHxBt w3TXATGiHRXz+7sF+g5rCSve3mkKbDYbcUZHIFBqsMVX8H6l71vEP0FEaZ5VRbXYbavl nXNw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=032SZd9s02ZQCUQf8tx8FABAsSIRv9YP0nKh9DIwGUE=; b=PeEZNN2xLb5ilFMSoatExNmOGhoO1OhzzbQGsinHLuu13XEVycAAUim9S835iB8CtJ R1AscLYSiPiSr40gHo39tcNluAb4afK5bz8ujV51cMAr9NjQMvBWTWK4u0eF/cCklsRn 4lCI/rYBDBSKJKLBZt+Zc4OsKoHZSakLH5je7fHmQ6Ea7Mbn6yTl6LTc5ciodavRtiUY qNi4QtmG9Rfuk1h7URejoZjo6IjyMV08g4RBwZmiqLa/AxN6fSJrqPzC2XGq7YIq6ZcF qV8IUW3VfaFFWg/vRbsK0hGbZj1PF1y/IF+eVd3RfLUYluw+KnNINak0CrvC0jitheQD elxQ==
X-Gm-Message-State: AOUpUlGGeMZIKsmrGLY7n72sM08TRpuA//SGR/vIQllE9lLEZTLGk1tk +2uhfuaGn+a+MkFptqfQDsAlrI0CTQMx5qsV7JsuDN5TXfM=
X-Google-Smtp-Source: AAOMgpeUfEVBvbkl3r0+JTBs5424274q4tCEBUj+TGWGKJ3vb7EzDJA47vT9QU7Uja68tyRlzVb+z2Ud2tGUDZ+mmCI=
X-Received: by 2002:aca:cf0e:: with SMTP id f14-v6mr13343266oig.356.1532826763683; Sat, 28 Jul 2018 18:12:43 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a9d:2646:0:0:0:0:0 with HTTP; Sat, 28 Jul 2018 18:12:23 -0700 (PDT)
In-Reply-To: <1532745551.208119.1455489824.75DFC005@webmail.messagingengine.com>
References: <CAD2i3WMMJPaZYonS-qcz8pwOKYmS2Xe+8WBZPuAqjiGoYePzSg@mail.gmail.com> <CAL0qLwapyX3U=0OqQWzx+dDELn3W0v=N_HyzDnSw49oWQ+SE5Q@mail.gmail.com> <CAD2i3WN90JSS8pzgRxrbokuKmhZaLUrimYRWqkZwzVDBxTczng@mail.gmail.com> <CAL0qLwZ_uPh5iPkS7MKzDp3x=dAgn-hmsEunccDc3Hj2bsphpQ@mail.gmail.com> <CAD2i3WM99Yy6Y=BQE4dC=Ffm7J32My160Xdm2oxXC50Au9tXoA@mail.gmail.com> <1532745551.208119.1455489824.75DFC005@webmail.messagingengine.com>
From: Seth Blank <seth@sethblank.com>
Date: Sat, 28 Jul 2018 18:12:23 -0700
Message-ID: <CAD2i3WOHjUwi3J=xsLca5_4DJL=S+jaReGRC1fBQH5wsfWxOVg@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c080610572190a6a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Wey1yWTJOcvyh1f7Nmb51_0-qgc>
Subject: Re: [dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Jul 2018 01:12:48 -0000

On Fri, Jul 27, 2018 at 7:39 PM, Bron Gondwana <brong@fastmailteam.com>
wrote:

> The only thing your ARC Seal will validate is your own
> ARC-Authentication-Results header - which isn't nothing (it could contain
> the IP address that you received this message from) - but if SPF / DKIM and
> ARC are all fails in your Authentication-Results, any earlier ARC and DKIM
> headers have no provable causal relationship with the rest of the message
> you received.
>

A structurally valid ARC Chain (all ARC Sets have one each of the ARC
header fields, the ARC Sets instance numbers are 1..N inclusive, and each
AS covers all ARC Set header fields on the message 1..its own instance
number) where all AS's validate says a very specific thing about that ARC
Chain: that no one has modified *THE ARC HEADER FIELDS* that are part of
the Chain.

This also means that from the first ARC Set at i=1 through the last passing
ARC Set, you have a guaranteed list of all domains who have modified the
message (yes, some may have Sealed without modifying) and the corresponding
ARC-Authentication-Results each saw, which you know have not been modified
by someone other than the ADMD which added them.

This does not stop someone from taking an intact and passing ARC Chain and
adding their own garbage on top. Fundamentally, this is how mail work; mail
is spooled and replayed all the time by design. This is an issue with DKIM,
and covered in 6376 sections 5.4.1 and 8.6. Since ARC inherits heavily from
DKIM, it also inherits these specific replay issues. It was determined that
fixing the replay issue was out of scope, except for providing guidance on
how to contain impact. Sections 9.4 and 9.5 talk directly to these issues:

https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-16#section-9.4

https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-16#section-9.5

Frankly, your concern speaks directly to the issue I raised initially. If
cv=fail only signs itself, then there is absolutely no way to localize the
issue and determine which Sealer decided to run amok with the Chain. If you
see a cv=fail, you have to throw out all the data. At least when Sealing
cv=fail, if you Seal greedily, there is in intact chain of Seals which can
be used to make important determinations as to the veracity of the header
field data and may be able to use that to determine where things may have
fallen apart or been replayed.

v2.23.0 | Report a Bug | By Email