IETF Logo Mail Archive

Re: [spfbis] RFC6147 and RFC7208 interoperability issues

Mark Andrews <marka@isc.org> Mon, 07 February 2022 23:57 UTC

Return-Path: <marka@isc.org>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D7E13A0BD6 for <spfbis@ietfa.amsl.com>; Mon, 7 Feb 2022 15:57:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b=PZbxywSA; dkim=pass (1024-bit key) header.d=isc.org header.b=XxWC3hnP
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5qdUv9m3bQ_0 for <spfbis@ietfa.amsl.com>; Mon, 7 Feb 2022 15:57:41 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B0543A105C for <spfbis@ietf.org>; Mon, 7 Feb 2022 15:57:37 -0800 (PST)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.1.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 9143C3AB006; Mon, 7 Feb 2022 23:57:36 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org 9143C3AB006
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1644278256; bh=Li+W5Ni90WfLeQksal1slVt+rO7lfA71ZS0e2yHKnxE=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=PZbxywSAdglFEUaErs9BPEdcVgDxUrZHJcOQL+P0+2yWaBfbixNHM1oYAtEKCEb0A fKSQEKDOkULEp2VrFQhFESPolzi7itl9Z+Vlh7vAXovoBL6PDqC4O0NEOb9sgTMpmo FBWBxgic1VJPDWfqtCE9n8TnmVENC4ViIhJZCw+I=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 80743FE5AE0; Mon, 7 Feb 2022 23:57:36 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 5095BFE5AE4; Mon, 7 Feb 2022 23:57:36 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 5095BFE5AE4
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1644278256; bh=1LqMpFLVCrpiWY5fEzF4iT8235PjjZOvBtjmeSJgxqg=; h=Mime-Version:From:Date:Message-Id:To; b=XxWC3hnPXv/9tgbYfZovoqi2d2MOrtlql57iqZg5UkYf5wqn6++HYsSnom9SV38At 41J87witIDAZ8a4Qs7v9byjCXS0AxYkHZ+900JDu6fRMFpW5siG0fzC/DA2OnuTLi+ l1OLnMugvEYcAlkL9fKF2jsjnZdwOJXbdoFeQshY=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id uMHrZM1XKmTR; Mon, 7 Feb 2022 23:57:36 +0000 (UTC)
Received: from smtpclient.apple (n114-74-26-107.bla4.nsw.optusnet.com.au [114.74.26.107]) by zimbrang.isc.org (Postfix) with ESMTPSA id A161FFE5AE0; Mon, 7 Feb 2022 23:57:35 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <8d7a6274-8546-3145-17e3-c20c29d6df2e@posteo.de>
Date: Tue, 08 Feb 2022 10:57:32 +1100
Cc: spfbis@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <997A20D6-2C1F-4EE6-89E1-F8A595446941@isc.org>
References: <20220206221619.53E4836687AF@ary.qy> <2244581.DCeBYFrMaS@localhost> <8d7a6274-8546-3145-17e3-c20c29d6df2e@posteo.de>
To: Klaus Frank <klaus.frank@posteo.de>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/3Cgp1cpXjijUnKNwByUEE3ayapU>
Subject: Re: [spfbis] RFC6147 and RFC7208 interoperability issues
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 23:57:46 -0000


> On 8 Feb 2022, at 02:19, Klaus Frank <klaus.frank@posteo.de> wrote:
> 
> On 2022-02-07 15:28, Scott Kitterman wrote:
>> On Sunday, February 6, 2022 5:16:18 PM EST John Levine wrote:
>>> It appears that Scott Kitterman  <spf2@kitterman.com> said:
>>>> It looks like situations like this one were contemplated by the RFC 6147
>>>> 
>>>> authors:
>>>>> 6.  Deployment Notes
>>>>> 
>>>>>    While DNS64 is intended to be part of a strategy for aiding IPv6
>>>>>    deployment in an internetworking environment with some IPv4-only and
>>>>>    IPv6-only networks, it is important to realize that it is
>>>>>    incompatible with some things that may be deployed in an IPv4-only or
>>>>>    dual-stack context.
>>>> On the SPF side of the discussion, I think it would, at least in theory, be
>>>> feasible to interpret an ip4: mechanism as <prefix> + <address> if the
>>>> connection is IPv6, but I don't see how a receiving SPF processor could
>>>> know what the prefix is.  As I read RFC 6147 Section 5.2, it could be
>>>> anything.
>>> See RFCs 7050 and 8880 for how you find the prefix(es).
>>> 
>>> That seems like a more reasonable way to go, patch the SPF library so it
>>> can use the NAT's Pref64 to fudge the interpretation of ip4 and ptr.
>>> 
>>> It looks like you could automate the entire thing -- when the library starts
>>> up, do an AAAA query on ipv4only.arpa, and if you get plausible answers,
>>> you know you're behind NAT64 and reinterpret ip4 and ptr terms
>>> appropriately.
>> Thanks.
>> 
>> Reading RFC 7050, it looks like ipv4only.arpa can return more than one name.
>> That would seem to be a complication if I'm reading it correctly.
>> 
>> As a practical matter, it probably doesn't matter, but RFC 7050 doesn't update
>> RFC 6147, so in theory other prefix determination methods could be used.
>> 
>> I guess the ::ffff:0:0/96 (IPv4-mapped Address) prefix should be considered
>> similarly.
> Oh yes, for sure good that you remind me of this one. We had one mailserver application (proprietary) that once we changed the binding from "0.0.0.0:25" to "[::]:25" on a linux system got everything as ::ffff:0:0/96 and SPF validation also failed. But I'm not sure if that was an implementation simplification on their end or a OS dependent behavior of when binding a socket... The workaround we got was to "just deploy another VM for IPv6 and put them behind the same public DNS name. One for IPv4 and another one for the IPv6"

One could have just set IPV6_V6ONLY=1 at the system level (sysctl net.ipv6.bindv6only=1) or prior to bind(2)
on the individual sockets if you don’t want mapped connections.  IPV6_V6ONLY is described in RFC 2535, Basic
Socket Interface Extensions for IPv6 (February 2003) and is in also in POSIX as of 2008.  Alternatively SPF
libraries could just learn about mapped connections and apply IPv4 rules against them.

>> Is there enough here that it would be worth an Applicability Statement?
>> 
>> Scott K
>> 
>> 
>> 
>> _______________________________________________
>> spfbis mailing list
>> spfbis@ietf.org
>> https://www.ietf.org/mailman/listinfo/spfbis
> _______________________________________________
> spfbis mailing list
> spfbis@ietf.org
> https://www.ietf.org/mailman/listinfo/spfbis

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email