IETF Logo Mail Archive

Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14

Douglas Otis <doug.mtview@gmail.com> Wed, 29 May 2013 04:46 UTC

Return-Path: <doug.mtview@gmail.com>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C430621F85C0 for <spfbis@ietfa.amsl.com>; Tue, 28 May 2013 21:46:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T22UKjwJG2D8 for <spfbis@ietfa.amsl.com>; Tue, 28 May 2013 21:46:25 -0700 (PDT)
Received: from mail-pa0-f50.google.com (mail-pa0-f50.google.com [209.85.220.50]) by ietfa.amsl.com (Postfix) with ESMTP id D929821F85B8 for <spfbis@ietf.org>; Tue, 28 May 2013 21:46:25 -0700 (PDT)
Received: by mail-pa0-f50.google.com with SMTP id fb11so7405473pad.9 for <spfbis@ietf.org>; Tue, 28 May 2013 21:46:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to:x-mailer; bh=EGqqTc0xr7Uw5/jIqIPM/BElkEm/7ZcUG7rSF9vH31k=; b=0qLkXc4C2yGUYyveKLiSeqrYGDCC6t8bjBt0/lhcD2PaU1jU83g5IoFauAVn3wJagM CGYgDvsRxHWU9G8SwTudlzqefeZsYimiUPYgI4A/vs1f2mD8sB7jkH1OPXaisl08uOrg /qQueOan7iIrkA7ienFE/d9X0dNM7eolH0jUqyA2WznouLu+0qUQQ8LgpH/e76hnNhfS GQ7ZoMpvivr4gcCegK1w/aUeKXD+xOPOdsFK6En6BKWw1vSml2SmSp9T6pMd/kIcoTcV nZi2x1eN4eXFE3c7dPgxq9T3zg+WH7lxitPUKlYWHVZF0HWtKdLXk1r0F+vY+aFQkQd6 pzbw==
X-Received: by 10.68.164.33 with SMTP id yn1mr1090708pbb.71.1369802785625; Tue, 28 May 2013 21:46:25 -0700 (PDT)
Received: from ?IPv6:2601:9:4d80:49:28f6:b4b6:27fe:79d6? ([2601:9:4d80:49:28f6:b4b6:27fe:79d6]) by mx.google.com with ESMTPSA id kv2sm35684434pbc.28.2013.05.28.21.46.23 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 28 May 2013 21:46:24 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_AC20CE27-2C69-4B2F-8B3D-8435CAC4DC9D"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: Douglas Otis <doug.mtview@gmail.com>
In-Reply-To: <CAL0qLwan7JO4t2UB1uWYwwf1MmwhY56szenSY7awT_pNP5UjLg@mail.gmail.com>
Date: Tue, 28 May 2013 21:46:21 -0700
Message-Id: <B6A88D56-9318-40A3-8E0C-A49EE37A3F3F@gmail.com>
References: <A022755E-F8B8-4C82-9F1C-73B8585193BF@gmail.com> <6.2.5.6.2.20130528130858.0db81cd0@resistor.net> <CAL0qLwan7JO4t2UB1uWYwwf1MmwhY56szenSY7awT_pNP5UjLg@mail.gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
X-Mailer: Apple Mail (2.1503)
Cc: "spfbis@ietf.org" <spfbis@ietf.org>, S Moonesamy <sm+ietf@elandsys.com>
Subject: Re: [spfbis] WGLC: draft-ietf-spfbis-4408bis-14
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spfbis>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 May 2013 04:46:36 -0000

On May 28, 2013, at 2:15 PM, Murray S. Kucherawy <superuser@gmail.com> wrote:

> On Tue, May 28, 2013 at 1:16 PM, S Moonesamy <sm+ietf@elandsys.com> wrote:
> Douglas Otis submitted draft-otis-spfbis-macros-nixed-00 [1] as WGLC comments about draft-ietf-spfbis-4408bis-14.  Could the SPFBIS WG please read the draft-otis-spfbis-macros-nixed-00 and comment about it?
> 
> 
> I have reviewed the draft, as requested.  My responses:
> 
> Nixing macros based on non-use has already been debated at length, to the point of a low-level appeal, and it's been decided that they're staying.  There's no action for the WG here based on that argument.

Dear Murray,

A pertinent point regarding the decision that receivers must process macros is whether it represents a reasonable demand.  SPF records containing macros can not cache results and will always necessitate reprocessing.  If macro processing is skipped, any expectation of preserving interchange is lost.  In other words, it is broken by design by asking too much from receivers.
   
> Beyond that, I disagree that macros "diminish" SPF's utility in any way; their mere presence in the protocol doesn't render it less useful, as one may simply not use them and still get useful results.

When the main purported use is to determine a domain's outbound IP addresses, macros preclude this prevalent use offering the greatest utility, bar none.

> I would argue that DMARC, which makes use of SPF in a specific way, should not influence SPF itself at this point as DMARC has no particular status with the IETF yet.

DMARC does not differ in how many hoped to make use of SPF.  Desired use is very much at odds with stated SPF processing which is likely to require subsequent reprocessing, with increased burdens and layer violations.   

> The dropping of type 99 RRTYPE support was made for more reasons than just "sparse use", so I don't find that part of Doug's arguments compelling.  I think we reached consensus on that debate long ago, and it's been beaten to death recently once again on the main IETF list.

Mark Andrews made good points about increasing use of SPF 99 not shown in your survey.  The general goal should be to ensure unknown RR types are accommodated.  Unfortunately, some vendors still don't.

> The local-part macro attack has been discussed to death.  There's no new information presented here that I can see.
> 
> Saying RFC6686 "failed to provide a breakdown on macro use" is to imply that it should have.  Analysis of macro use was not part of the goal set of that document, so it's strange to identify this as a failure.  However, I still have those data available should there be some demonstrated purpose for mining the data further.  Or, Doug can do his own survey and see what he finds.

IMHO, it was wrong (a failing) to limit a review of SPF to answer only whether the PRA mode was being used.  This review should have also focused on both macro publication and macro processing.  Whether it is local-part macro or any other macro, cached results are not useful and much of the SPF utility for defining a domain's outbound address space is lost.  Since there is only 0.053% of domains using macros, it becomes an easy trade-off some providers make.  They even have stated ignoring SPF records containing macros do not result in complaints.

> The document mentions use of macros given the advent of EAI, but I believe the current spfbis document already deals with this in the same way DKIM did.  Someone more expert in EAI than I am might want to confirm we've done our due diligence there.

It can no longer be assumed domains will be encoded as A-labels. In addition, it can not be assumed the local-part will be ASCII.  Such changes can place spf libraries at risk.  In a quick review, it seems some unused features in the libraries might permit induced buffer overruns.  Adding in additional conversion libraries introduces more risk which might compromise SMTP servers.  Nothing justifies these types of risks to support something that is practically unused.  

> Overall, I don't think this draft introduces any new material such that the WG needs to revisit anything since WGLC closed.

The macros nixed draft was just updated to better clarify these concerns.

http://tools.ietf.org/html/draft-otis-spfbis-macros-nixed-01

Regards,
Douglas Otis

v2.23.0 | Report a Bug | By Email