Re: [dmarc-ietf] Additions to draft - Security Considerations
Douglas Foster <dougfoster.emailstandards@gmail.com> Mon, 25 April 2022 21:11 UTC
Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EAF0C3A4B61 for <dmarc@ietfa.amsl.com>; Mon, 25 Apr 2022 14:11:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.197
X-Spam-Level:
X-Spam-Status: No, score=-5.197 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pSYW_Z4kujM2 for <dmarc@ietfa.amsl.com>; Mon, 25 Apr 2022 14:10:58 -0700 (PDT)
Received: from mail-oi1-x235.google.com (mail-oi1-x235.google.com [IPv6:2607:f8b0:4864:20::235]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF238C3A3D4A for <dmarc@ietf.org>; Mon, 25 Apr 2022 14:10:58 -0700 (PDT)
Received: by mail-oi1-x235.google.com with SMTP id 12so18541414oix.12 for <dmarc@ietf.org>; Mon, 25 Apr 2022 14:10:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Q71EwD+cu3asnNyphESfPGhkGNIx1KY4OG8lF+YH15U=; b=mcREOi5fSeNtnBVOvS6JG1mwI2NcWBh31uDg3mikbsZ4TjIMYTyWBWoNNXtu7wvu++ SeFhtXUZffy/5069VUPswvGfPHCsfDFuUWsGDaudUQQEeewVvngtYNrb5s8y1cosAxBQ d0JZBCl/eDeEZKJei4UCVv1IDAUwEOAGtDlnflmUXywT7yFSx+GYH1gGMoEzwq+NqRVr PJyIO0ErM7ubw+XsZpCnoWS07p16wYmPN1swAK10KSk29QJd6Buhn2UzykgU5KF5XmPP R7iyWbsqWGo8K6iRGphUXBHHMEWgXsvhEp4ywVLzNgP/kGmHTyktZ9vxB4rNKGw03z8T Q3pw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Q71EwD+cu3asnNyphESfPGhkGNIx1KY4OG8lF+YH15U=; b=CFYJO3B0zgmtXYQPZF8+Zn2cx+Ndni1v3ZrpL4MKcj/m3+QoAkx91/kEw8DCisgdyE lnwmmDIcjCkQ3ZkNYBX5mf7PGStYC5dWcy8fuIGDGLPXE5KWIWQ1Z9BbI4Pj2wpjhB5Z vgjdK6zeWWGtLGYQHDMdzSVht31px0StbqIxpSsA2eUI6EYJTZr4fhNUrLTjkzmgapdZ 5M95cJzhWeFSqThBlA98dCqNL0/ASG5IpU1XDyEqTwgQRc6VC47EASH3LxtiNb5HyuI6 u/qCr1S1tt7in3QQEHaaHhov2M+7puPSY14T3ur2k0RrUiJ2vOG+K0kLr/1KUeFZLX3+ RYtg==
X-Gm-Message-State: AOAM530IP8tBcSh/u4TWZCE9SItJpqklHRepCttFTR4QRllVuJ1igmyL DxEks+UPBllvTrZeISG8HHlG4sTddGqS8XvP6KSusFtf
X-Google-Smtp-Source: ABdhPJzO60ukT13loJbXMwnkuDjDw20hjg0e4xRoS3IceaBgoghpPumbgMzO8BeHAxuQwYhkenI8ptk1WM6RcqfygQM=
X-Received: by 2002:a54:4594:0:b0:322:7c38:bd93 with SMTP id z20-20020a544594000000b003227c38bd93mr13545141oib.58.1650921057612; Mon, 25 Apr 2022 14:10:57 -0700 (PDT)
MIME-Version: 1.0
References: <CAH48Zfz5MWDuQa1DJQE_YK9gAUL4P-se4CeGAGYCf+c6D0ysaA@mail.gmail.com> <2934216.d6BrxOLGqM@zini-1880>
In-Reply-To: <2934216.d6BrxOLGqM@zini-1880>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Mon, 25 Apr 2022 17:10:47 -0400
Message-ID: <CAH48ZfxeZPgvFh4ifeuqdtk8KxkA=tpjAX4Hi0vGsQzh1TYqsA@mail.gmail.com>
To: Scott Kitterman <sklist@kitterman.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000030f6b305dd81032a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/zkMZYPilws9UDXkCSwpWeLiXMTs>
Subject: Re: [dmarc-ietf] Additions to draft - Security Considerations
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Apr 2022 21:11:02 -0000
I am pretty content with your text. I am still see a security vulnerability without something like the OrgsBelow token. DMARC is all about verified data. Since the tree walk can be compromised by omitting psd=n, the selected organization domain needs a verification method. I don't understand why you think it is already handled by the existing text. On Sun, Apr 24, 2022 at 11:57 PM Scott Kitterman <sklist@kitterman.com> wrote: > On Sunday, April 24, 2022 9:16:04 PM EDT Douglas Foster wrote: > > I have attempted to capture the security-related content of recent > > discussions: > > > > Security Considerations > > > > Determination of the Organizational Domain > > > > DMARC evaluation is highly sensitive to errors in the determination of > the > > organizational domain, as the organizational domain is used for the > default > > policy (when the RFC5322.From domain does not have a published policy) > and > > for determining relaxed alignment. > > > > If an incorrectly selected organizational domain is actually a parent of > > the correct organizational domain, then relaxed alignment will allow a > > malicious sender to obtain DMARC PASS while impersonating either the > parent > > domain or sibling domains. > > > > If an incorrectly selected organizational domain is actually a child of > the > > correct organizational domain, then relaxed alignment will produce an > > incorrect DMARC FAIL when the message is actually authorized by either > the > > correct organizational domain or siblings of the incorrectly chosen > domain. > > > > When the RFC5322.From domain does not have a policy record, the > > organizational domain policy is needed to demonstrate DMARC participation > > and to provide the default policy. In this case, when an incorrect > > organizational domain is selected, and it does not contain a DMARC > record, > > then the domain will be treated as not participating in DMARC and the > > domain owner will not receive reports. If the incorrectly selected > domain > > does have a DMARC policy, the applied policy may be different from the > > domain owner’s intended policy, and reporting will go to whatever > > destination is specified by that policy. > > > > A DNS path may contain a private registration, where a PSO-registered > > domain owner makes subtrees of his domain available to independent > > organizations. This behavior complicates DMARC organizational > > determination. Clients of the private registration will have two > > organizational domains in its DNS tree, one at the boundary between the > > private registration client and its private registrar, and another > between > > the private registrar and its PSO. If a private registry is unknown or > > undetected during organizational domain selection, then the registrar > > organizational domain may be incorrectly selected as the client’s > > organizational domain, allowing the client to obtain DMARC PASS while > > impersonating the parent domain or sibling domains. > > > > Reliance on an externally-authored public suffix list, as specified in > > RFC7489, creates stability problems for domain owners and evaluators. > An > > organization may have their DMARC configuration fully deployed and > > successfully tested, then suddenly develop unexplained and difficult to > > detect problems if the PSL used by evaluators adds an entry which > fragments > > the domain’s intended organizational boundaries for email. Even if the > > domain owner manages to detect the problem, getting it corrected may be > > difficult or impossible. Since every evaluator operates on an > independent > > copy of one or another PSL list, updated at intervals determined by the > > evaluator, the domain owner has no certainty about when or if a > correction > > will be replicated to all evaluators. > > > > Domain owners can minimize the need for determination of an > organizational > > domain by publishing a DMARC record for each RFC5322.From domain, and > > applying a DKIM signature which provides strict alignment. When this > > practice is followed, the organizational domain is only referenced when a > > non-mail subdomain is impersonated by a malicious actor. This > > configuration allows the SP clause on all policies to be confidently set > to > > REJECT. > > I think you have a reasonable issue in here, but this is not all security > considerations. I also think the point that it's independent of how the > organizational domain is determined is appropriate. > > My assessment is that this is an issue that it is appropriate to document > in > this text: > > > > If an incorrectly selected organizational domain is actually a parent > of > > > the correct organizational domain, then relaxed alignment will allow a > > > malicious sender to obtain DMARC PASS while impersonating either the > > > parent domain or sibling domains. > > I think it needs some work though and can be substantially shorter. The > same > potential exists for both public and private registrations. > > Org domain too low in the tree causing an incorrect rejection isn't a > security > issue though, that's a protocol problem. > > How about something like this: > > 9.7 Determination of the Organizational Domain For Relaxed Alignment > > DMARC evaluation for relaxed alignment is highly sensitive to errors in > the > determination of the organizational domain if the RFC5322.From domain does > not > have a published policy. If an incorrectly selected organizational domain > is > a parent of the correct organizational domain, then relaxed alignment > could > potentially allow a malicious sender to obtain DMARC PASS. This potential > exists for both the legacy [RFC 7489] and current [Section 4.8] methods > for > determining the organizational domain. > > This issue is completely avoided by use of strict alignment and publishing > DMARC records for all domains/sub-domains used as RFC5322.From domain in > an > organization's email. > > For cases where strict alignment is not appropriate, this issue can be > mitigated by periodically checking the DMARC records, if any, of PSDs > above > the organization's domains in the DNS tree and (for legacy [RFC 7489] > checking > that appropriate PSL entries remain present). If a PSD domain publishes a > DMARC record without the appropriate psd=y tag, organizational domain > owners > can add psd=n to their organizational domain's DMARC record so that the > PSD > record will not be incorrectly evaluated to be the organizational domain. > > > I think that captures in a more compact form the issue you are (I think > rightly) concerned about as well as appropriate advice to protocol users > on > how to avoid or mitigate the issue. > > Scott K > > > _______________________________________________ > dmarc mailing list > dmarc@ietf.org > https://www.ietf.org/mailman/listinfo/dmarc >
- [dmarc-ietf] Additions to draft - Security Consid… Douglas Foster
- Re: [dmarc-ietf] Additions to draft - Security Co… Scott Kitterman
- Re: [dmarc-ietf] Additions to draft - Security Co… Douglas Foster
- Re: [dmarc-ietf] Additions to draft - Security Co… Scott Kitterman
- Re: [dmarc-ietf] Additions to draft - Security Co… Alessandro Vesely
- Re: [dmarc-ietf] Additions to draft - Security Co… Scott Kitterman
- Re: [dmarc-ietf] Additions to draft - Security Co… Alessandro Vesely
- Re: [dmarc-ietf] Additions to draft - Security Co… Scott Kitterman
- Re: [dmarc-ietf] Additions to draft - Security Co… Douglas Foster
- Re: [dmarc-ietf] Additions to draft - Security Co… Scott Kitterman
- Re: [dmarc-ietf] Additions to draft - Security Co… Alessandro Vesely
- Re: [dmarc-ietf] Additions to draft - Security Co… Scott Kitterman
- Re: [dmarc-ietf] Additions to draft - Security Co… Neil Anuskiewicz
- Re: [dmarc-ietf] Additions to draft - Security Co… Scott Kitterman
- Re: [dmarc-ietf] Additions to draft - Security Co… Douglas Foster