IETF Logo Mail Archive

Re: [spfbis] RFC6147 and RFC7208 interoperability issues

Klaus Frank <klaus.frank@posteo.de> Tue, 08 February 2022 00:09 UTC

Return-Path: <klaus.frank@posteo.de>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D53B3A1084 for <spfbis@ietfa.amsl.com>; Mon, 7 Feb 2022 16:09:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=posteo.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p79BR7UVrT8N for <spfbis@ietfa.amsl.com>; Mon, 7 Feb 2022 16:09:17 -0800 (PST)
Received: from mout02.posteo.de (mout02.posteo.de [185.67.36.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 404F83A1075 for <spfbis@ietf.org>; Mon, 7 Feb 2022 16:09:16 -0800 (PST)
Received: from submission (posteo.de [185.67.36.169]) by mout02.posteo.de (Postfix) with ESMTPS id 53B1F240101 for <spfbis@ietf.org>; Tue, 8 Feb 2022 01:09:13 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017; t=1644278954; bh=FtPXNxuppjkF+RZE5y6sgOLPYjLS9nNbU/ExowqE1NQ=; h=Date:Subject:To:Cc:From:From; b=FYXpJ4cBUZICoUqCmgWYiWCs/ZHverYAmPDEGgP89AthfRdxyuOvzKyjifyXUugSG SDd7XKQg1w60bTmVS7Du1KBEdgOJk8vo/MFrXFcKA1gjyvZCJw0uOU258lZ8ZwmNwp fUwjMRYs34QIuuJzzO+GMDrNFP/F00l0qt7zsFAm7A+D2vic8dMQ+cXBi41kyNbYRc TWKiEtQuGP41mGskBR+z9puG38MxeUIJFObQsrh2kTEw3Fm3C86WVYv6z/+G+S1Nzo YeybE/KY2qupGHrIV/QXAariFG93LNYSs6wXt8uTUFCsI0KiiwiHFltlOs9SjRNdbX hRbptwA6fO10A==
Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4Jt3K513H9z9rxF; Tue, 8 Feb 2022 01:09:12 +0100 (CET)
Message-ID: <411a41fe-ff2d-5fa8-d2d1-68706b57c838@posteo.de>
Date: Tue, 08 Feb 2022 00:09:12 +0000
MIME-Version: 1.0
Content-Language: en-US
To: Mark Andrews <marka@isc.org>
Cc: spfbis@ietf.org
References: <20220206221619.53E4836687AF@ary.qy> <2244581.DCeBYFrMaS@localhost> <8d7a6274-8546-3145-17e3-c20c29d6df2e@posteo.de> <997A20D6-2C1F-4EE6-89E1-F8A595446941@isc.org>
From: Klaus Frank <klaus.frank@posteo.de>
In-Reply-To: <997A20D6-2C1F-4EE6-89E1-F8A595446941@isc.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms060302010708050804000105"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/c3IwXPN4lDIKdwVWRqtj4v50Yss>
Subject: Re: [spfbis] RFC6147 and RFC7208 interoperability issues
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Feb 2022 00:09:22 -0000

On 2022-02-08 00:57, Mark Andrews wrote:
>
>> On 8 Feb 2022, at 02:19, Klaus Frank <klaus.frank@posteo.de> wrote:
>>
>> On 2022-02-07 15:28, Scott Kitterman wrote:
>>> On Sunday, February 6, 2022 5:16:18 PM EST John Levine wrote:
>>>> It appears that Scott Kitterman  <spf2@kitterman.com> said:
>>>>> It looks like situations like this one were contemplated by the RFC 6147
>>>>>
>>>>> authors:
>>>>>> 6.  Deployment Notes
>>>>>>
>>>>>>     While DNS64 is intended to be part of a strategy for aiding IPv6
>>>>>>     deployment in an internetworking environment with some IPv4-only and
>>>>>>     IPv6-only networks, it is important to realize that it is
>>>>>>     incompatible with some things that may be deployed in an IPv4-only or
>>>>>>     dual-stack context.
>>>>> On the SPF side of the discussion, I think it would, at least in theory, be
>>>>> feasible to interpret an ip4: mechanism as <prefix> + <address> if the
>>>>> connection is IPv6, but I don't see how a receiving SPF processor could
>>>>> know what the prefix is.  As I read RFC 6147 Section 5.2, it could be
>>>>> anything.
>>>> See RFCs 7050 and 8880 for how you find the prefix(es).
>>>>
>>>> That seems like a more reasonable way to go, patch the SPF library so it
>>>> can use the NAT's Pref64 to fudge the interpretation of ip4 and ptr.
>>>>
>>>> It looks like you could automate the entire thing -- when the library starts
>>>> up, do an AAAA query on ipv4only.arpa, and if you get plausible answers,
>>>> you know you're behind NAT64 and reinterpret ip4 and ptr terms
>>>> appropriately.
>>> Thanks.
>>>
>>> Reading RFC 7050, it looks like ipv4only.arpa can return more than one name.
>>> That would seem to be a complication if I'm reading it correctly.
>>>
>>> As a practical matter, it probably doesn't matter, but RFC 7050 doesn't update
>>> RFC 6147, so in theory other prefix determination methods could be used.
>>>
>>> I guess the ::ffff:0:0/96 (IPv4-mapped Address) prefix should be considered
>>> similarly.
>> Oh yes, for sure good that you remind me of this one. We had one mailserver application (proprietary) that once we changed the binding from "0.0.0.0:25" to "[::]:25" on a linux system got everything as ::ffff:0:0/96 and SPF validation also failed. But I'm not sure if that was an implementation simplification on their end or a OS dependent behavior of when binding a socket... The workaround we got was to "just deploy another VM for IPv6 and put them behind the same public DNS name. One for IPv4 and another one for the IPv6"
> One could have just set IPV6_V6ONLY=1 at the system level (sysctl net.ipv6.bindv6only=1) or prior to bind(2)
> on the individual sockets if you don’t want mapped connections.  IPV6_V6ONLY is described in RFC 2535, Basic
> Socket Interface Extensions for IPv6 (February 2003) and is in also in POSIX as of 2008.  Alternatively SPF
> libraries could just learn about mapped connections and apply IPv4 rules against them.

Thanks for the hint. I know that that existed, but didn't know how to 
configure it or what exactly causes it.

Also I just re-read the SPF record RFC, and it indeed should already 
cover IPv4-mapped IPv6. So strictly speaking that's a violation of the 
RFC and therefore an implementation bug...

    When any mechanism fetches host addresses to compare with <ip>, when
    <ip> is an IPv4, "A" records are fetched; when <ip> is an IPv6
    address, "AAAA" records are fetched.  SPF implementations on IPv6
    servers *need to handle both "AAAA" and "A" records, for clients on**
**   IPv4-mapped IPv6 addresses *[RFC4291].  IPv4 <ip> addresses are only
    listed in an SPF record using the "ip4" mechanism.

>>> Is there enough here that it would be worth an Applicability Statement?
>>>
>>> Scott K
>>>
>>>
>>>
>>> _______________________________________________
>>> spfbis mailing list
>>> spfbis@ietf.org
>>> https://www.ietf.org/mailman/listinfo/spfbis
>> _______________________________________________
>> spfbis mailing list
>> spfbis@ietf.org
>> https://www.ietf.org/mailman/listinfo/spfbis

v2.23.0 | Report a Bug | By Email