Re: [secdir] [spfbis] draft-ietf-spfbis-4408bis-14
Douglas Otis <doug.mtview@gmail.com> Fri, 24 May 2013 21:58 UTC
Return-Path: <doug.mtview@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D40211E8135; Fri, 24 May 2013 14:58:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wO31-p-VRbmZ; Fri, 24 May 2013 14:58:49 -0700 (PDT)
Received: from mail-vb0-x232.google.com (mail-vb0-x232.google.com [IPv6:2607:f8b0:400c:c02::232]) by ietfa.amsl.com (Postfix) with ESMTP id DF52111E8129; Fri, 24 May 2013 14:58:48 -0700 (PDT)
Received: by mail-vb0-f50.google.com with SMTP id w16so3444618vbb.37 for <multiple recipients>; Fri, 24 May 2013 14:58:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; bh=3ZEWRgm+QVx2MsfeAOqSpzIxGr+1z0MsN3NaUd0obfA=; b=OKCvvhdjFdlhspwaybk+nabfUMjruiOLs9ZrChrE8lmZxB6F7hFD93hQPoStaYLD/P KFhNxEqvwSy8bJ9MOffTqnKud38OxWAREt/4X9Fb1NOrAChwxXsZvxIvslz1Ae+oCztt zbtavbXWQw76JGNidZSHe3pZLohO1I2fQ67AxKF67vhIIyGwKZEAPpciLlLFAuERzCnU 5uLzPz8qSItpFpOFndDy35x3C9z82ZVxX+C4p/KzN/0n3QIrFtW6ed71sWsYUWTbft8V 7q/5WQZA3BjbHf5UvJzO+z9qzcjldci57VLd3wMGWVKrNo98iQr+kZyo28UNgZy4HkG4 763g==
X-Received: by 10.52.38.161 with SMTP id h1mr8396588vdk.30.1369432728283; Fri, 24 May 2013 14:58:48 -0700 (PDT)
Received: from [192.168.0.99] (107-0-5-6-ip-static.hfc.comcastbusiness.net. [107.0.5.6]) by mx.google.com with ESMTPSA id s14sm10495374vdg.6.2013.05.24.14.58.46 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 24 May 2013 14:58:47 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: Douglas Otis <doug.mtview@gmail.com>
In-Reply-To: <6.2.5.6.2.20130523120130.0de4f6e0@elandnews.com>
Date: Fri, 24 May 2013 14:58:13 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <A14B4025-87EB-48BD-9373-8A900F74FF68@gmail.com>
References: <CAMm+LwjoH77H9cRQseQF09rDLwjtViZW_tGp71v0-WaZujoYtA@mail.gmail.com> <6.2.5.6.2.20130523095247.0dc5a520@elandnews.com> <7E10E46C-D524-41F2-9546-09DC7E3426A1@gmail.com> <6.2.5.6.2.20130523120130.0de4f6e0@elandnews.com>
To: S Moonesamy <sm+ietf@elandsys.com>
X-Mailer: Apple Mail (2.1503)
Cc: spfbis@ietf.org, draft-ietf-spfbis-4408bis.all@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] [spfbis] draft-ietf-spfbis-4408bis-14
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 May 2013 21:58:51 -0000
On May 23, 2013, at 12:14 PM, S Moonesamy <sm+ietf@elandsys.com> wrote: > Hi Doug, > At 11:58 23-05-2013, Douglas Otis wrote: >> Greater clarity would have been achieved by separating transactions involving the SPF checkhost process (spfch-transactions) which may then generate some number of recursive dns server transactions (rdns-transactions). >> >> A transaction made at the spfch level will result in some number of transactions at the rdns level, which could then be described as representing some number of separate DNS queries. >> >> Confusion has been caused by conflating checkhost and recursive DNS transactions with that of non-recursive DNS which may involve dozens of unique queries to resolve any particular resource. This is bad and is a continuing source of confusion. > > What I noted among other things in the review was "the only quibble" and "it is reasonably clear". > >> A practical means to simplify SPF's impact on a receiver's DNS is to first ignore SPF records containing macro expressions. This happens and this may explain the nearly 100% lack of macro use. They then limit the number of SPF resource records and MX mechanisms and ignore the PTR mechanism. Appreciate what receivers consider a reasonable demand on their resources that offers cache-able results. > > I don't see any relation between the security directorate review ( http://www.ietf.org/mail-archive/web/spfbis/current/msg03679.html ) to the above (quoted paragraph). If the security directorate reviewer is of the opinion that it is related to his review I will ask the SPFBIS to comment about the matter. Dear SM, SPFbis terminology conflates similar terms used in both recursive DNS and the pseudo check_host service indirectly defined in the SPFbis document. In addition, there appears to be a significant departure in processing of the EHLO domain in lieu of the RFC5321.MAILFROM. SPFbis section 2.1states "If a conclusive determination about the message can be made based on a check of HELO, then the use of DNS resources to process the typically more complex MAIL FROM can be avoided." This approach is at odds with a process proposed by draft-kucherawy-dmarc-base, section 4.3 "For example, [DKIM] authenticates the domain that affixed a signature to the message, while [SPF] authenticates either the domain that appears in then RFC5321.MailFrom portion of [SMTP] or the RFC5321.EHLO/HELO domain if the RFC5321.MailFrom is null (in the case of Delivery Status Notifications). Draft-kucherawy-dmarc-base already requires reprocessing message header stacks to exclude ONLY repeated From header fields. It also suggests EHLO will be ignored and the RFC5321.MailFrom will still need to be processed. This potentially doubles the load on DNS and offers poor protocol layering. If directed toward synthetic domains used to replace web cookies, the application of the new DNS Response Rate Limiting may prove problematic, in addition to an attack easily occurring from a myriad clients easily beyond prefix limits used to associate responses. Although related to offering security, it seems highly improbable SPF can safely make use of DNSsec. It should also be noted that RFC6531 introduces character sets not handled by SPFbis since this also includes local-part components which may invoke handling errors since this introduces data not converted by RFC5890. It should also be noted that use of macros still allows left-hand labels to take the place of randomized local-parts to leverage cached records while inducing different queries. The only way SPFbis can be made reasonably safe would be to disable implementation of the macro functions by the receiver. Since these macros are rarely used, this change would not impact the exchange of email. Even now, senders making use of macros will see a greater impact with their SPF records being ignored as things currently stand. Regards, Douglas Otis
- [secdir] draft-ietf-spfbis-4408bis-14 Phillip Hallam-Baker
- Re: [secdir] draft-ietf-spfbis-4408bis-14 S Moonesamy
- Re: [secdir] draft-ietf-spfbis-4408bis-14 S Moonesamy
- Re: [secdir] [spfbis] draft-ietf-spfbis-4408bis-14 S Moonesamy
- Re: [secdir] [spfbis] draft-ietf-spfbis-4408bis-14 Douglas Otis
- Re: [secdir] [spfbis] draft-ietf-spfbis-4408bis-14 Douglas Otis
- Re: [secdir] [spfbis] draft-ietf-spfbis-4408bis-14 Phillip Hallam-Baker