Suggestion: can we test DEMARC deployment with a mailing list?

"Fred Baker (fred)" <fred@cisco.com> Fri, 02 May 2014 18:06 UTC

Return-Path: <fred@cisco.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A03741A6FBE; Fri, 2 May 2014 11:06:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -115.152
X-Spam-Level:
X-Spam-Status: No, score=-115.152 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QMjTp-fh_Ldw; Fri, 2 May 2014 11:06:04 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) by ietfa.amsl.com (Postfix) with ESMTP id 0F8511A6FA9; Fri, 2 May 2014 11:06:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6751; q=dns/txt; s=iport; t=1399053962; x=1400263562; h=from:to:cc:subject:date:message-id:mime-version; bh=sdt4T73+bjbbGvHcnZ52jV/+I3faOVDwFZxEHO42fNA=; b=XhVMIzol0jgzff2o+h+goOR3TBIzO79lNpvLkbDMjTyOFWwAO8gxd+hP AeZekatvVcCYOQl+UhRITWsDhwlyoatAF9SqiFznmnVAv1EfWMqESDAAV MEi0N2M/nzIHciXu7sId0EDtJhq3mlzIAi6/XX6MW1kFHtoNphmY3BoB5 E=;
X-Files: signature.asc : 195
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgcFAFbeY1OtJV2Y/2dsb2JhbABagwaBJ8RMgREWdIIlAQEBAwFuCwUNAYEAJwQOBQ4IiCMIyj8XjgEBAU+DK4EVBJEegTmGWZJvgzSBbwcXBhw
X-IronPort-AV: E=Sophos;i="4.97,973,1389744000"; d="asc'?eml'208?scan'208,208";a="322031666"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by rcdn-iport-3.cisco.com with ESMTP; 02 May 2014 18:05:38 +0000
Received: from xhc-rcd-x09.cisco.com (xhc-rcd-x09.cisco.com [173.37.183.83]) by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id s42I5cm2030832 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 2 May 2014 18:05:38 GMT
Received: from xmb-rcd-x09.cisco.com ([169.254.9.100]) by xhc-rcd-x09.cisco.com ([173.37.183.83]) with mapi id 14.03.0123.003; Fri, 2 May 2014 13:05:38 -0500
From: "Fred Baker (fred)" <fred@cisco.com>
To: IETF <ietf@ietf.org>
Subject: Suggestion: can we test DEMARC deployment with a mailing list?
Thread-Topic: Suggestion: can we test DEMARC deployment with a mailing list?
Thread-Index: AQHPZjEeOHoDyq9mZ0azxe/jQ5CmNA==
Date: Fri, 02 May 2014 18:05:37 +0000
Message-ID: <28671EE8-A8B9-40D1-9268-527A8FFC34AD@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.19.64.118]
Content-Type: multipart/signed; boundary="Apple-Mail=_14DE2FCF-48B6-4191-9AE8-4DE4DDCAA026"; protocol="application/pgp-signature"; micalg="pgp-sha1"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/6qFO-9CMGJQQNgJbeR6rp_5p6cw
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 May 2014 18:06:05 -0000

We have been having a fairly extended discussion, much of which seems hypothetical - “I don’t like DEMARC because I am worried that ... with mailing lists”. I wonder if we could take a moment to try it and see what happens?

As an example of the case that comes to mind, see attached. It is a message sent to v6ops@ietf.org yesterday. The sender signed it using DKIM, the IETF changed the message (added some trailing text) before forwarding it, the receiver (e.g., Cisco IT) attempted to validate the DKIM signature - and failed.

It seems to me that we should not approve a procedure that has that effect, at least without some guidance for mail relay administrators. I could imagine two forms of guidance: “obey the end-to-end principle; don’t change the message the originator sent”, or “if you change a signed message, first validate the message you received and discard if that fails, change it, and then sign it yourself, so that a receiver can see who changed it and validate the outcome”.

Could we actually try such guidance in a sandbox, and document appropriate procedures for mailing lists?

--- Begin Message ---
> fec0::/10 was reserved way back in rfc 1884
> 
> 3879 and 4193 are contemporaneous activities. meany people on this list
> were present for them.
> 
> The fact that we did a bad job at something 20 years ago doesn't mean
> the problem that we were attempting to address went away.

I agree… People wanting to do NAT rather than learn how to do things better without it is an education problem which continues to persist to this day.

Owen

--- End Message ---
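The failure Fred describes (originator signs, the list appends a footer, the receiver's DKIM check fails) and the two forms of guidance he proposes can be exercised without a mail server. The following Python is an added example, not code from the post or from any IETF or Cisco system. It implements the "simple" body canonicalization and the bh= body hash as RFC 6376 specifies them, but stands in for the RSA signature with an HMAC keyed by a per-domain secret (an assumption made so the example runs without a crypto library; real verifiers fetch the public key from DNS). The domains, headers, body and list footer are constructed. It also shows the one mechanism DKIM itself offers for appended text, the l= body-length tag, which the Cisco signature in the headers above actually uses (l=6751).

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed example: per-domain signing secrets. Real DKIM uses an RSA or
# Ed25519 key pair whose public half is published in DNS; an HMAC keyed by a
# per-domain secret stands in for it here (assumption for this example).
KEYS = {
    "example.com": b"originator-secret",    # the author's domain
    "list.example": b"mailing-list-secret",  # the mailing list's domain
}

def canonicalize_body(body: str, length: Optional[int] = None) -> bytes:
    """'simple' body canonicalization (RFC 6376 section 3.4.3): CRLF line endings,
    trailing empty lines removed, exactly one CRLF at the end. If a length (the
    DKIM 'l=' tag) is given, only that many octets of the result are hashed."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    canon = ("\r\n".join(lines) + "\r\n").encode()
    return canon if length is None else canon[:length]

def body_hash(body: str, length: Optional[int] = None) -> str:
    """The 'bh=' value: base64 of SHA-256 over the canonicalized body."""
    digest = hashlib.sha256(canonicalize_body(body, length)).digest()
    return base64.b64encode(digest).decode()

def _header_block(headers: dict, names: tuple) -> bytes:
    # 'relaxed' header canonicalization, simplified: lowercase name, trimmed value
    return "".join(f"{n.lower()}:{headers[n].strip()}\r\n" for n in names).encode()

def sign(domain: str, headers: dict, body: str,
         signed: tuple = ("From", "To", "Subject"),
         length: Optional[int] = None) -> dict:
    """Produce a DKIM-style signature record: bh= covers the body, b= covers the
    listed headers plus bh=, so the body is bound to the signature via its hash."""
    bh = body_hash(body, length)
    data = _header_block(headers, signed) + f"bh={bh}".encode()
    b = hmac.new(KEYS[domain], data, hashlib.sha256).hexdigest()
    sig = {"d": domain, "h": signed, "bh": bh, "b": b}
    if length is not None:
        sig["l"] = length
    return sig

def verify(sig: dict, headers: dict, body: str) -> tuple:
    """Return (ok, reason). The body hash is checked first, as a real verifier does."""
    if body_hash(body, sig.get("l")) != sig["bh"]:
        return False, "body hash mismatch (message body was altered)"
    data = _header_block(headers, sig["h"]) + f"bh={sig['bh']}".encode()
    expected = hmac.new(KEYS[sig["d"]], data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig["b"]):
        return False, "signature mismatch (signed headers were altered)"
    return True, f"valid signature from d={sig['d']}"

# Constructed list footer, the kind of trailing text the post refers to.
LIST_FOOTER = "\n_______________________________________________\nv6ops mailing list\n"

def relay_resigning(inbound_sig: dict, headers: dict, body: str, list_domain: str):
    """Second form of guidance from the post: validate what arrived, discard it if
    that fails, change it, then sign the result under the list's own domain.
    Returns (headers, body, signatures), or None when the inbound message is discarded."""
    ok, _ = verify(inbound_sig, headers, body)
    if not ok:
        return None
    new_body = body + LIST_FOOTER
    return headers, new_body, [inbound_sig, sign(list_domain, headers, new_body)]

# Constructed sample message (not the one attached to the post).
HEADERS = {"From": "author@example.com", "To": "v6ops@example.org", "Subject": "Re: ULA"}
BODY = "I agree. NAT is an education problem.\n\nOwen\n"

def scenario_plain_forward() -> tuple:
    """Originator signs the whole body; the list appends a footer; the receiver's check fails."""
    sig = sign("example.com", HEADERS, BODY)
    return verify(sig, HEADERS, BODY + LIST_FOOTER)

def scenario_length_tag() -> tuple:
    """Originator signs with l= set to the canonical body length; appended text falls
    outside the hashed span, so the original signature still verifies."""
    sig = sign("example.com", HEADERS, BODY, length=len(canonicalize_body(BODY)))
    return verify(sig, HEADERS, BODY + LIST_FOOTER)

def scenario_resign() -> list:
    """List verifies, modifies and re-signs: the originator's signature no longer
    verifies, but the list's does, and the receiver can see who changed the message."""
    sig = sign("example.com", HEADERS, BODY)
    hdrs, body, sigs = relay_resigning(sig, HEADERS, BODY, "list.example")
    return [verify(s, hdrs, body) for s in sigs]

if __name__ == "__main__":
    print("plain forward :", scenario_plain_forward())
    print("l= tag        :", scenario_length_tag())
    print("verify+re-sign:", scenario_resign())
```

The l= case is worth noting because it shows why the attached message failed while a signature like the Cisco one above would not: l= limits the body hash to the first l octets, so a footer appended after that span does not change bh=, whereas a signature without l= covers the whole body. The re-signing relay deliberately returns None for a message whose inbound signature already fails, which is the "discard if that fails" step in the second form of guidance.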