IETF Logo Mail Archive

Re: [spfbis] RFC6147 and RFC7208 interoperability issues

Mark Andrews <marka@isc.org> Tue, 08 February 2022 00:28 UTC

Return-Path: <marka@isc.org>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 463C23A0F5C for <spfbis@ietfa.amsl.com>; Mon, 7 Feb 2022 16:28:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b=VUxwDXNt; dkim=pass (1024-bit key) header.d=isc.org header.b=f0XGh8pi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ra8GqmZ43PuV for <spfbis@ietfa.amsl.com>; Mon, 7 Feb 2022 16:28:31 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C76063A10B3 for <spfbis@ietf.org>; Mon, 7 Feb 2022 16:28:27 -0800 (PST)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.1.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 822A23AB006; Tue, 8 Feb 2022 00:28:25 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org 822A23AB006
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1644280105; bh=q1Keazx95hBWyNl78qXrAm+NMD3zOa6MrA1/Nh35aKw=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=VUxwDXNt8wZxpx5l13UPs2rgWJHtt9Z1Zq36MVIWgmjHK4DX5dcrDW00iEc3mhWIQ 8lGrDUk5XQbuwDjK1PVyO4hlnWTyR0R2tZ4TDiykhfwS47czOiU7erDwhJtUZQ5G0P btGFbFscxGbGR2StIoyxzL+tc3oBvRgtICFHOpxo=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 6F900FE58BB; Tue, 8 Feb 2022 00:28:25 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 40B10FE5B9F; Tue, 8 Feb 2022 00:28:25 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 40B10FE5B9F
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1644280105; bh=JbPLpDY3ySuYf+wYlt8gRlGBg5egvvL9ZrRMi7xeA/k=; h=Mime-Version:From:Date:Message-Id:To; b=f0XGh8piJ7gIO+alBXnaRzvrMLYfKgY2Ky7XcoH+B9igygNz8m1gFfdcbn46mKCtf eyewnaGFIwhfNOQk4vX4soVE0PP8Sj5vSmZP2gCkC5kHG7E/ppv5Ib3IqrfApWhAM6 xF/ttLvJ9Ey3TQRDLxA1L/JA88Q7If73hFL0Qr28=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 3xhJvJIxQSec; Tue, 8 Feb 2022 00:28:25 +0000 (UTC)
Received: from smtpclient.apple (n114-74-26-107.bla4.nsw.optusnet.com.au [114.74.26.107]) by zimbrang.isc.org (Postfix) with ESMTPSA id 948CDFE58BB; Tue, 8 Feb 2022 00:28:24 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <411a41fe-ff2d-5fa8-d2d1-68706b57c838@posteo.de>
Date: Tue, 08 Feb 2022 11:28:22 +1100
Cc: spfbis@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <9B9FE83E-DF07-4CA0-A27D-62C8172B88CD@isc.org>
References: <20220206221619.53E4836687AF@ary.qy> <2244581.DCeBYFrMaS@localhost> <8d7a6274-8546-3145-17e3-c20c29d6df2e@posteo.de> <997A20D6-2C1F-4EE6-89E1-F8A595446941@isc.org> <411a41fe-ff2d-5fa8-d2d1-68706b57c838@posteo.de>
To: Klaus Frank <klaus.frank@posteo.de>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/T9nvdylsjzM3egSw2azoY5awNR4>
Subject: Re: [spfbis] RFC6147 and RFC7208 interoperability issues
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Feb 2022 00:28:36 -0000


> On 8 Feb 2022, at 11:09, Klaus Frank <klaus.frank@posteo.de> wrote:
> 
> 
> On 2022-02-08 00:57, Mark Andrews wrote:
>> 
>>> On 8 Feb 2022, at 02:19, Klaus Frank <klaus.frank@posteo.de> wrote:
>>> 
>>> On 2022-02-07 15:28, Scott Kitterman wrote:
>>>> On Sunday, February 6, 2022 5:16:18 PM EST John Levine wrote:
>>>>> It appears that Scott Kitterman  <spf2@kitterman.com> said:
>>>>>> It looks like situations like this one were contemplated by the RFC 6147
>>>>>> 
>>>>>> authors:
>>>>>>> 6.  Deployment Notes
>>>>>>> 
>>>>>>>    While DNS64 is intended to be part of a strategy for aiding IPv6
>>>>>>>    deployment in an internetworking environment with some IPv4-only and
>>>>>>>    IPv6-only networks, it is important to realize that it is
>>>>>>>    incompatible with some things that may be deployed in an IPv4-only or
>>>>>>>    dual-stack context.
>>>>>> On the SPF side of the discussion, I think it would, at least in theory, be
>>>>>> feasible to interpret an ip4: mechanism as <prefix> + <address> if the
>>>>>> connection is IPv6, but I don't see how a receiving SPF processor could
>>>>>> know what the prefix is.  As I read RFC 6147 Section 5.2, it could be
>>>>>> anything.
>>>>> See RFCs 7050 and 8880 for how you find the prefix(es).
>>>>> 
>>>>> That seems like a more reasonable way to go, patch the SPF library so it
>>>>> can use the NAT's Pref64 to fudge the interpretation of ip4 and ptr.
>>>>> 
>>>>> It looks like you could automate the entire thing -- when the library starts
>>>>> up, do an AAAA query on ipv4only.arpa, and if you get plausible answers,
>>>>> you know you're behind NAT64 and reinterpret ip4 and ptr terms
>>>>> appropriately.
>>>> Thanks.
>>>> 
>>>> Reading RFC 7050, it looks like ipv4only.arpa can return more than one name.
>>>> That would seem to be a complication if I'm reading it correctly.
>>>> 
>>>> As a practical matter, it probably doesn't matter, but RFC 7050 doesn't update
>>>> RFC 6147, so in theory other prefix determination methods could be used.
>>>> 
>>>> I guess the ::ffff:0:0/96 (IPv4-mapped Address) prefix should be considered
>>>> similarly.
>>> Oh yes, for sure good that you remind me of this one. We had one mailserver application (proprietary) that once we changed the binding from "0.0.0.0:25" to "[::]:25" on a linux system got everything as ::ffff:0:0/96 and SPF validation also failed. But I'm not sure if that was an implementation simplification on their end or a OS dependent behavior of when binding a socket... The workaround we got was to "just deploy another VM for IPv6 and put them behind the same public DNS name. One for IPv4 and another one for the IPv6"
>> One could have just set IPV6_V6ONLY=1 at the system level (sysctl net.ipv6.bindv6only=1) or prior to bind(2)
>> on the individual sockets if you don’t want mapped connections.  IPV6_V6ONLY is described in RFC 2535, Basic
>> Socket Interface Extensions for IPv6 (February 2003) and is in also in POSIX as of 2008.  Alternatively SPF
>> libraries could just learn about mapped connections and apply IPv4 rules against them.
> 
> Thanks for the hint. I know that that existed, but didn't know how to configure it or what exactly causes it.
> 
> Also I just re-read the SPF record RFC, and it indeed should already cover IPv4-mapped IPv6. So strictly speaking that's a violation of the RFC and therefore an implementation bug...
> 
>    When any mechanism fetches host addresses to compare with <ip>, when
>    <ip> is an IPv4, "A" records are fetched; when <ip> is an IPv6
>    address, "AAAA" records are fetched.  SPF implementations on IPv6
>    servers *need to handle both "AAAA" and "A" records, for clients on**
> **   IPv4-mapped IPv6 addresses *[RFC4291].  IPv4 <ip> addresses are only
>    listed in an SPF record using the "ip4" mechanism.

The SPF libraries (or the MTAs) could also use RFC 8781, Discovering PREF64
in Router Advertisements.  Failing that, as has already been mentioned they
could use ipv6only.arpa to get the mapping.

>>>> Is there enough here that it would be worth an Applicability Statement?
>>>> 
>>>> Scott K
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> spfbis mailing list
>>>> spfbis@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/spfbis
>>> _______________________________________________
>>> spfbis mailing list
>>> spfbis@ietf.org
>>> https://www.ietf.org/mailman/listinfo/spfbis

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email