IETF Logo Mail Archive

Re: [spfbis] RFC6147 and RFC7208 interoperability issues

Klaus Frank <klaus.frank@posteo.de> Mon, 07 February 2022 15:19 UTC

Return-Path: <klaus.frank@posteo.de>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD3DE3A0826 for <spfbis@ietfa.amsl.com>; Mon, 7 Feb 2022 07:19:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.099
X-Spam-Level:
X-Spam-Status: No, score=-7.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=posteo.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZyK1y9olqh_R for <spfbis@ietfa.amsl.com>; Mon, 7 Feb 2022 07:19:18 -0800 (PST)
Received: from mout02.posteo.de (mout02.posteo.de [185.67.36.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 672E63A082C for <spfbis@ietf.org>; Mon, 7 Feb 2022 07:19:18 -0800 (PST)
Received: from submission (posteo.de [185.67.36.169]) by mout02.posteo.de (Postfix) with ESMTPS id 14257240101 for <spfbis@ietf.org>; Mon, 7 Feb 2022 16:19:14 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017; t=1644247155; bh=q9Z2Jn8kltN3alE8vahSA9xvtYIIFbuWrs918wDCfW4=; h=Date:Subject:To:From:From; b=r/OWBv3/lV8zidUtuVGyd+B49pkLFSccyazYTPVsdRVkontALEul8+mBrRVb5wBgt XvS1mxhmctebyCnqQDCEQqXJVcp+rRtI/M+6oK9JOH00toJOaie/WtfJmaCtyQLYru 9OzPaTkcmnBFomFWeff5bWdyuCh9TUQOswazq1AfN4bxdbu+Hu3Dc72/21ACdD3UxX jmMjF3VgbzMEa2ZTwbIq3xHXKjIKXKbJ8UvMEb/ECcTGgmF7abpQxhOLCuBoiX0r9W VlWV5dO+mTQKoxmzW5pXWrT2UV+7cUHMu1h3PGv/+WzDHgFUyobv5iehX4dsL6BMeG 2EdmjT6idV9XA==
Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4JsqYZ0HRQz9rxB for <spfbis@ietf.org>; Mon, 7 Feb 2022 16:19:13 +0100 (CET)
Message-ID: <8d7a6274-8546-3145-17e3-c20c29d6df2e@posteo.de>
Date: Mon, 07 Feb 2022 15:19:12 +0000
MIME-Version: 1.0
Content-Language: en-US
To: spfbis@ietf.org
References: <20220206221619.53E4836687AF@ary.qy> <2244581.DCeBYFrMaS@localhost>
From: Klaus Frank <klaus.frank@posteo.de>
In-Reply-To: <2244581.DCeBYFrMaS@localhost>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms050701000809050504040903"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/bcH09i_4XJKUHHjdxca89F_OkVE>
Subject: Re: [spfbis] RFC6147 and RFC7208 interoperability issues
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 15:19:24 -0000

On 2022-02-07 15:28, Scott Kitterman wrote:
> On Sunday, February 6, 2022 5:16:18 PM EST John Levine wrote:
>> It appears that Scott Kitterman  <spf2@kitterman.com> said:
>>> It looks like situations like this one were contemplated by the RFC 6147
>>>
>>> authors:
>>>> 6.  Deployment Notes
>>>>
>>>>     While DNS64 is intended to be part of a strategy for aiding IPv6
>>>>     deployment in an internetworking environment with some IPv4-only and
>>>>     IPv6-only networks, it is important to realize that it is
>>>>     incompatible with some things that may be deployed in an IPv4-only or
>>>>     dual-stack context.
>>> On the SPF side of the discussion, I think it would, at least in theory, be
>>> feasible to interpret an ip4: mechanism as <prefix> + <address> if the
>>> connection is IPv6, but I don't see how a receiving SPF processor could
>>> know what the prefix is.  As I read RFC 6147 Section 5.2, it could be
>>> anything.
>> See RFCs 7050 and 8880 for how you find the prefix(es).
>>
>> That seems like a more reasonable way to go, patch the SPF library so it
>> can use the NAT's Pref64 to fudge the interpretation of ip4 and ptr.
>>
>> It looks like you could automate the entire thing -- when the library starts
>> up, do an AAAA query on ipv4only.arpa, and if you get plausible answers,
>> you know you're behind NAT64 and reinterpret ip4 and ptr terms
>> appropriately.
> Thanks.
>
> Reading RFC 7050, it looks like ipv4only.arpa can return more than one name.
> That would seem to be a complication if I'm reading it correctly.
>
> As a practical matter, it probably doesn't matter, but RFC 7050 doesn't update
> RFC 6147, so in theory other prefix determination methods could be used.
>
> I guess the ::ffff:0:0/96 (IPv4-mapped Address) prefix should be considered
> similarly.
Oh yes, for sure good that you remind me of this one. We had one 
mailserver application (proprietary) that once we changed the binding 
from "0.0.0.0:25" to "[::]:25" on a linux system got everything as 
::ffff:0:0/96 and SPF validation also failed. But I'm not sure if that 
was an implementation simplification on their end or a OS dependent 
behavior of when binding a socket... The workaround we got was to "just 
deploy another VM for IPv6 and put them behind the same public DNS name. 
One for IPv4 and another one for the IPv6"
> Is there enough here that it would be worth an Applicability Statement?
>
> Scott K
>
>
>
> _______________________________________________
> spfbis mailing list
> spfbis@ietf.org
> https://www.ietf.org/mailman/listinfo/spfbis

v2.23.0 | Report a Bug | By Email