Re: [spfbis] RFC6147 and RFC7208 interoperability issues
Klaus Frank <klaus.frank@posteo.de> Tue, 08 February 2022 00:09 UTC
Return-Path: <klaus.frank@posteo.de>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D53B3A1084 for <spfbis@ietfa.amsl.com>; Mon, 7 Feb 2022 16:09:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=posteo.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p79BR7UVrT8N for <spfbis@ietfa.amsl.com>; Mon, 7 Feb 2022 16:09:17 -0800 (PST)
Received: from mout02.posteo.de (mout02.posteo.de [185.67.36.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 404F83A1075 for <spfbis@ietf.org>; Mon, 7 Feb 2022 16:09:16 -0800 (PST)
Received: from submission (posteo.de [185.67.36.169]) by mout02.posteo.de (Postfix) with ESMTPS id 53B1F240101 for <spfbis@ietf.org>; Tue, 8 Feb 2022 01:09:13 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017; t=1644278954; bh=FtPXNxuppjkF+RZE5y6sgOLPYjLS9nNbU/ExowqE1NQ=; h=Date:Subject:To:Cc:From:From; b=FYXpJ4cBUZICoUqCmgWYiWCs/ZHverYAmPDEGgP89AthfRdxyuOvzKyjifyXUugSG SDd7XKQg1w60bTmVS7Du1KBEdgOJk8vo/MFrXFcKA1gjyvZCJw0uOU258lZ8ZwmNwp fUwjMRYs34QIuuJzzO+GMDrNFP/F00l0qt7zsFAm7A+D2vic8dMQ+cXBi41kyNbYRc TWKiEtQuGP41mGskBR+z9puG38MxeUIJFObQsrh2kTEw3Fm3C86WVYv6z/+G+S1Nzo YeybE/KY2qupGHrIV/QXAariFG93LNYSs6wXt8uTUFCsI0KiiwiHFltlOs9SjRNdbX hRbptwA6fO10A==
Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4Jt3K513H9z9rxF; Tue, 8 Feb 2022 01:09:12 +0100 (CET)
Message-ID: <411a41fe-ff2d-5fa8-d2d1-68706b57c838@posteo.de>
Date: Tue, 08 Feb 2022 00:09:12 +0000
MIME-Version: 1.0
Content-Language: en-US
To: Mark Andrews <marka@isc.org>
Cc: spfbis@ietf.org
References: <20220206221619.53E4836687AF@ary.qy> <2244581.DCeBYFrMaS@localhost> <8d7a6274-8546-3145-17e3-c20c29d6df2e@posteo.de> <997A20D6-2C1F-4EE6-89E1-F8A595446941@isc.org>
From: Klaus Frank <klaus.frank@posteo.de>
In-Reply-To: <997A20D6-2C1F-4EE6-89E1-F8A595446941@isc.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms060302010708050804000105"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/c3IwXPN4lDIKdwVWRqtj4v50Yss>
Subject: Re: [spfbis] RFC6147 and RFC7208 interoperability issues
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Feb 2022 00:09:22 -0000
On 2022-02-08 00:57, Mark Andrews wrote: > >> On 8 Feb 2022, at 02:19, Klaus Frank <klaus.frank@posteo.de> wrote: >> >> On 2022-02-07 15:28, Scott Kitterman wrote: >>> On Sunday, February 6, 2022 5:16:18 PM EST John Levine wrote: >>>> It appears that Scott Kitterman <spf2@kitterman.com> said: >>>>> It looks like situations like this one were contemplated by the RFC 6147 >>>>> >>>>> authors: >>>>>> 6. Deployment Notes >>>>>> >>>>>> While DNS64 is intended to be part of a strategy for aiding IPv6 >>>>>> deployment in an internetworking environment with some IPv4-only and >>>>>> IPv6-only networks, it is important to realize that it is >>>>>> incompatible with some things that may be deployed in an IPv4-only or >>>>>> dual-stack context. >>>>> On the SPF side of the discussion, I think it would, at least in theory, be >>>>> feasible to interpret an ip4: mechanism as <prefix> + <address> if the >>>>> connection is IPv6, but I don't see how a receiving SPF processor could >>>>> know what the prefix is. As I read RFC 6147 Section 5.2, it could be >>>>> anything. >>>> See RFCs 7050 and 8880 for how you find the prefix(es). >>>> >>>> That seems like a more reasonable way to go, patch the SPF library so it >>>> can use the NAT's Pref64 to fudge the interpretation of ip4 and ptr. >>>> >>>> It looks like you could automate the entire thing -- when the library starts >>>> up, do an AAAA query on ipv4only.arpa, and if you get plausible answers, >>>> you know you're behind NAT64 and reinterpret ip4 and ptr terms >>>> appropriately. >>> Thanks. >>> >>> Reading RFC 7050, it looks like ipv4only.arpa can return more than one name. >>> That would seem to be a complication if I'm reading it correctly. >>> >>> As a practical matter, it probably doesn't matter, but RFC 7050 doesn't update >>> RFC 6147, so in theory other prefix determination methods could be used. >>> >>> I guess the ::ffff:0:0/96 (IPv4-mapped Address) prefix should be considered >>> similarly. >> Oh yes, for sure good that you remind me of this one. We had one mailserver application (proprietary) that once we changed the binding from "0.0.0.0:25" to "[::]:25" on a linux system got everything as ::ffff:0:0/96 and SPF validation also failed. But I'm not sure if that was an implementation simplification on their end or a OS dependent behavior of when binding a socket... The workaround we got was to "just deploy another VM for IPv6 and put them behind the same public DNS name. One for IPv4 and another one for the IPv6" > One could have just set IPV6_V6ONLY=1 at the system level (sysctl net.ipv6.bindv6only=1) or prior to bind(2) > on the individual sockets if you don’t want mapped connections. IPV6_V6ONLY is described in RFC 2535, Basic > Socket Interface Extensions for IPv6 (February 2003) and is in also in POSIX as of 2008. Alternatively SPF > libraries could just learn about mapped connections and apply IPv4 rules against them. Thanks for the hint. I know that that existed, but didn't know how to configure it or what exactly causes it. Also I just re-read the SPF record RFC, and it indeed should already cover IPv4-mapped IPv6. So strictly speaking that's a violation of the RFC and therefore an implementation bug... When any mechanism fetches host addresses to compare with <ip>, when <ip> is an IPv4, "A" records are fetched; when <ip> is an IPv6 address, "AAAA" records are fetched. SPF implementations on IPv6 servers *need to handle both "AAAA" and "A" records, for clients on** ** IPv4-mapped IPv6 addresses *[RFC4291]. IPv4 <ip> addresses are only listed in an SPF record using the "ip4" mechanism. >>> Is there enough here that it would be worth an Applicability Statement? >>> >>> Scott K >>> >>> >>> >>> _______________________________________________ >>> spfbis mailing list >>> spfbis@ietf.org >>> https://www.ietf.org/mailman/listinfo/spfbis >> _______________________________________________ >> spfbis mailing list >> spfbis@ietf.org >> https://www.ietf.org/mailman/listinfo/spfbis
- [spfbis] RFC6147 and RFC7208 interoperability iss… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Scott Kitterman
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Marc Blanchet
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… william
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Scott Kitterman
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Scott Kitterman
- Re: [spfbis] RFC6147 and RFC7208 interoperability… william
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… william
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… John Levine
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Andrew Sullivan
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… william
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Mark Andrews
- Re: [spfbis] RFC6147 and RFC7208 interoperability… John Levine
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Ángel
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Scott Kitterman
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Andrew Sullivan
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Andrew Sullivan
- Re: [spfbis] RFC6147 and RFC7208 interoperability… John Levine
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Scott Kitterman
- Re: [spfbis] RFC6147 and RFC7208 interoperability… John Levine
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Andrew Sullivan
- Re: [spfbis] RFC6147 and RFC7208 interoperability… John Levine
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Andrew Sullivan
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Stuart D Gathman
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Ángel
- Re: [spfbis] RFC6147 and RFC7208 interoperability… william
- Re: [spfbis] RFC6147 and RFC7208 interoperability… william
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Scott Kitterman
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Mark Andrews
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Klaus Frank
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Mark Andrews
- Re: [spfbis] RFC6147 and RFC7208 interoperability… william
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Alessandro Vesely
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Hector Santos
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Mark Andrews
- Re: [spfbis] RFC6147 and RFC7208 interoperability… Mark Andrews