IETF Logo Mail Archive

Re: [dmarc-ietf] Additions to draft - Security Considerations

Douglas Foster <dougfoster.emailstandards@gmail.com> Mon, 25 April 2022 21:11 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EAF0C3A4B61 for <dmarc@ietfa.amsl.com>; Mon, 25 Apr 2022 14:11:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.197
X-Spam-Level:
X-Spam-Status: No, score=-5.197 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pSYW_Z4kujM2 for <dmarc@ietfa.amsl.com>; Mon, 25 Apr 2022 14:10:58 -0700 (PDT)
Received: from mail-oi1-x235.google.com (mail-oi1-x235.google.com [IPv6:2607:f8b0:4864:20::235]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF238C3A3D4A for <dmarc@ietf.org>; Mon, 25 Apr 2022 14:10:58 -0700 (PDT)
Received: by mail-oi1-x235.google.com with SMTP id 12so18541414oix.12 for <dmarc@ietf.org>; Mon, 25 Apr 2022 14:10:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Q71EwD+cu3asnNyphESfPGhkGNIx1KY4OG8lF+YH15U=; b=mcREOi5fSeNtnBVOvS6JG1mwI2NcWBh31uDg3mikbsZ4TjIMYTyWBWoNNXtu7wvu++ SeFhtXUZffy/5069VUPswvGfPHCsfDFuUWsGDaudUQQEeewVvngtYNrb5s8y1cosAxBQ d0JZBCl/eDeEZKJei4UCVv1IDAUwEOAGtDlnflmUXywT7yFSx+GYH1gGMoEzwq+NqRVr PJyIO0ErM7ubw+XsZpCnoWS07p16wYmPN1swAK10KSk29QJd6Buhn2UzykgU5KF5XmPP R7iyWbsqWGo8K6iRGphUXBHHMEWgXsvhEp4ywVLzNgP/kGmHTyktZ9vxB4rNKGw03z8T Q3pw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Q71EwD+cu3asnNyphESfPGhkGNIx1KY4OG8lF+YH15U=; b=CFYJO3B0zgmtXYQPZF8+Zn2cx+Ndni1v3ZrpL4MKcj/m3+QoAkx91/kEw8DCisgdyE lnwmmDIcjCkQ3ZkNYBX5mf7PGStYC5dWcy8fuIGDGLPXE5KWIWQ1Z9BbI4Pj2wpjhB5Z vgjdK6zeWWGtLGYQHDMdzSVht31px0StbqIxpSsA2eUI6EYJTZr4fhNUrLTjkzmgapdZ 5M95cJzhWeFSqThBlA98dCqNL0/ASG5IpU1XDyEqTwgQRc6VC47EASH3LxtiNb5HyuI6 u/qCr1S1tt7in3QQEHaaHhov2M+7puPSY14T3ur2k0RrUiJ2vOG+K0kLr/1KUeFZLX3+ RYtg==
X-Gm-Message-State: AOAM530IP8tBcSh/u4TWZCE9SItJpqklHRepCttFTR4QRllVuJ1igmyL DxEks+UPBllvTrZeISG8HHlG4sTddGqS8XvP6KSusFtf
X-Google-Smtp-Source: ABdhPJzO60ukT13loJbXMwnkuDjDw20hjg0e4xRoS3IceaBgoghpPumbgMzO8BeHAxuQwYhkenI8ptk1WM6RcqfygQM=
X-Received: by 2002:a54:4594:0:b0:322:7c38:bd93 with SMTP id z20-20020a544594000000b003227c38bd93mr13545141oib.58.1650921057612; Mon, 25 Apr 2022 14:10:57 -0700 (PDT)
MIME-Version: 1.0
References: <CAH48Zfz5MWDuQa1DJQE_YK9gAUL4P-se4CeGAGYCf+c6D0ysaA@mail.gmail.com> <2934216.d6BrxOLGqM@zini-1880>
In-Reply-To: <2934216.d6BrxOLGqM@zini-1880>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Mon, 25 Apr 2022 17:10:47 -0400
Message-ID: <CAH48ZfxeZPgvFh4ifeuqdtk8KxkA=tpjAX4Hi0vGsQzh1TYqsA@mail.gmail.com>
To: Scott Kitterman <sklist@kitterman.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000030f6b305dd81032a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/zkMZYPilws9UDXkCSwpWeLiXMTs>
Subject: Re: [dmarc-ietf] Additions to draft - Security Considerations
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Apr 2022 21:11:02 -0000

I am pretty content with your text.

I am still see a security vulnerability without something like
the OrgsBelow token.  DMARC is all about verified data.   Since the tree
walk can be compromised by omitting psd=n, the selected organization domain
needs a verification method.   I don't understand why you think it is
already handled by the existing text.


On Sun, Apr 24, 2022 at 11:57 PM Scott Kitterman <sklist@kitterman.com>
wrote:

> On Sunday, April 24, 2022 9:16:04 PM EDT Douglas Foster wrote:
> > I have attempted to capture the security-related content of recent
> > discussions:
> >
> > Security Considerations
> >
> > Determination of the Organizational Domain
> >
> > DMARC evaluation is highly sensitive to errors in the determination of
> the
> > organizational domain, as the organizational domain is used for the
> default
> > policy (when the RFC5322.From domain does not have a published policy)
> and
> > for determining relaxed alignment.
> >
> > If an incorrectly selected organizational domain is actually a parent of
> > the correct organizational domain, then relaxed alignment will allow a
> > malicious sender to obtain DMARC PASS while impersonating either the
> parent
> > domain or sibling domains.
> >
> > If an incorrectly selected organizational domain is actually a child of
> the
> > correct organizational domain, then relaxed alignment will produce an
> > incorrect DMARC FAIL when the message is actually authorized by either
> the
> > correct organizational domain or siblings of the incorrectly chosen
> domain.
> >
> > When the RFC5322.From domain does not have a policy record, the
> > organizational domain policy is needed to demonstrate DMARC participation
> > and to provide the default policy.   In this case, when an incorrect
> > organizational domain is selected, and it does not contain a DMARC
> record,
> > then the domain will be treated as not participating in DMARC and the
> > domain owner will not receive reports.   If the incorrectly selected
> domain
> > does have a DMARC policy, the applied policy may be different from the
> > domain owner’s intended policy, and reporting will go to whatever
> > destination is specified by that policy.
> >
> > A DNS path may contain a private registration, where a PSO-registered
> > domain owner makes subtrees of his domain available to independent
> > organizations.   This behavior complicates DMARC organizational
> > determination.    Clients of the private registration will have two
> > organizational domains in its DNS tree, one at the boundary between the
> > private registration client and its private registrar, and another
> between
> > the private registrar and its PSO.  If a private registry is unknown or
> > undetected during organizational domain selection, then the registrar
> > organizational domain may be incorrectly selected as the client’s
> > organizational domain, allowing the client to obtain DMARC PASS while
> > impersonating the parent domain or sibling domains.
> >
> > Reliance on an externally-authored public suffix list, as specified in
> > RFC7489, creates stability problems for domain owners and evaluators.
> An
> > organization may have their DMARC configuration fully deployed and
> > successfully tested, then suddenly develop unexplained and difficult to
> > detect problems if the PSL used by evaluators adds an entry which
> fragments
> > the domain’s intended organizational boundaries for email.  Even if the
> > domain owner manages to detect the problem, getting it corrected may be
> > difficult or impossible.   Since every evaluator operates on an
> independent
> > copy of one or another PSL list, updated at intervals determined by the
> > evaluator, the domain owner has no certainty about when or if a
> correction
> > will be replicated to all evaluators.
> >
> > Domain owners can minimize the need for determination of an
> organizational
> > domain by publishing a DMARC record for each RFC5322.From domain, and
> > applying a DKIM signature which provides strict alignment.  When this
> > practice is followed, the organizational domain is only referenced when a
> > non-mail subdomain is impersonated by a malicious actor.   This
> > configuration allows the SP clause on all policies to be confidently set
> to
> > REJECT.
>
> I think you have a reasonable issue in here, but this is not all security
> considerations.  I also think the point that it's independent of how the
> organizational domain is determined is appropriate.
>
> My assessment is that this is an issue that it is appropriate to document
> in
> this text:
>
> > > If an incorrectly selected organizational domain is actually a parent
> of
> > > the correct organizational domain, then relaxed alignment will allow a
> > > malicious sender to obtain DMARC PASS while impersonating either the
> > > parent domain or sibling domains.
>
> I think it needs some work though and can be substantially shorter.  The
> same
> potential exists for both public and private registrations.
>
> Org domain too low in the tree causing an incorrect rejection isn't a
> security
> issue though, that's a protocol problem.
>
> How about something like this:
>
> 9.7 Determination of the Organizational Domain For Relaxed Alignment
>
> DMARC evaluation for relaxed alignment is highly sensitive to errors in
> the
> determination of the organizational domain if the RFC5322.From domain does
> not
> have a published policy.  If an incorrectly selected organizational domain
> is
> a parent of the correct organizational domain, then relaxed alignment
> could
> potentially allow a malicious sender to obtain DMARC PASS.  This potential
> exists for both the legacy [RFC 7489] and current [Section 4.8] methods
> for
> determining the organizational domain.
>
> This issue is completely avoided by use of strict alignment and publishing
> DMARC records for all domains/sub-domains used as RFC5322.From domain in
> an
> organization's email.
>
> For cases where strict alignment is not appropriate, this issue can be
> mitigated by periodically checking the DMARC records, if any, of PSDs
> above
> the organization's domains in the DNS tree and (for legacy [RFC 7489]
> checking
> that appropriate PSL entries remain present).  If a PSD domain publishes a
> DMARC record without the appropriate psd=y tag, organizational domain
> owners
> can add psd=n to their organizational domain's DMARC record so that the
> PSD
> record will not be incorrectly evaluated to be the organizational domain.
>
>
> I think that captures in a more compact form the issue you are (I think
> rightly) concerned about as well as appropriate advice to protocol users
> on
> how to avoid or mitigate the issue.
>
> Scott K
>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email