IETF Logo Mail Archive

Re: [spfbis] RFC6147 and RFC7208 interoperability issues

John Levine <johnl@taugh.com> Mon, 07 February 2022 17:31 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FA483A0FCB for <spfbis@ietfa.amsl.com>; Mon, 7 Feb 2022 09:31:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.85
X-Spam-Level:
X-Spam-Status: No, score=-6.85 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com header.b=hC1O2f69; dkim=pass (2048-bit key) header.d=taugh.com header.b=O/urshfN
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vWGOzXwhQ1nn for <spfbis@ietfa.amsl.com>; Mon, 7 Feb 2022 09:31:34 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 695BA3A0FC2 for <spfbis@ietf.org>; Mon, 7 Feb 2022 09:31:34 -0800 (PST)
Received: (qmail 41644 invoked from network); 7 Feb 2022 17:31:31 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:cleverness; s=a2a0.62015773.k2202; bh=WR35AjToTlCVJcOtE34/DMfh45fDAe770axeWlUnwjc=; b=hC1O2f69mkXM4B7jadj9DZsYN56MS0xuehX//YjNWmPafXYlVnEG5pw2J1eWUMZUtTF4WmXLcuJGo/ZijB8WtLixZwPEywvSBM7XphEHqP5W2wwaCbtfwLFV3g4csWPRPkwziwJR89GBQGBBp9xd73vhBKx6NJ5zWlJlSEGK19nMTiV8wtwfV/g88JGxT5PPQUkpfwkl3nphmbW34fUxJredLW3W9DLj1zVWVQzohKUCk4LXe65nUT9a/w8gwZzzIqqVsbDcAIOeF+xiV/tui0FPH9NT8vCYhIWClH30LXCd/HF4Mi+73ixKOCJcp5WdhvSv04xSkI9qPth6DZLzDg==
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:cleverness; s=a2a0.62015773.k2202; bh=WR35AjToTlCVJcOtE34/DMfh45fDAe770axeWlUnwjc=; b=O/urshfNMvmKem7Tk9daBVBgHHWK4juoV+CCYqw0u71A/69ekwQZDjGQfXCgDKaFB0/Fqrs7lUurYnKVGYq+7xMTla3MG31oaNX1wAcC6aIClXG0AlHyVfAHo2eyIWNZsOCnl6qbbTxRX+SXhxZe70YfhQdH+PMagaMDDEql/AKS15G86Pz5L/khLSUjtVxiQsNmY6kVrycPv7NKC0OMbx5b2nJQt8c+9x4+1U1uCQI6uZ6xtzyXCI2oWEONgsoK5VDj3ZyZhI9aPrS3PViTb9DCurpPzGgz2BLWzjoWEFdfQHQcPJWo8irIaHmqi4TDoUTHqFaODy4PF3XTkUaXeg==
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2 ECDHE-RSA AES-256-GCM AEAD) via TCP6; 07 Feb 2022 17:31:30 -0000
Received: by ary.qy (Postfix, from userid 501) id B8DE4367046B; Mon, 7 Feb 2022 12:31:28 -0500 (EST)
Date: Mon, 07 Feb 2022 12:31:28 -0500
Message-Id: <20220207173129.B8DE4367046B@ary.qy>
From: John Levine <johnl@taugh.com>
To: spfbis@ietf.org
Cc: spf2@kitterman.com
In-Reply-To: <6024307.Q3qkd2Czva@localhost>
Organization: Taughannock Networks
X-Headerized: yes
Cleverness: minimal
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/jQ7ZdCWyD01hJIelYTtIQsDtsnw>
Subject: Re: [spfbis] RFC6147 and RFC7208 interoperability issues
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Feb 2022 17:31:40 -0000

It appears that Scott Kitterman  <spf2@kitterman.com> said:
>OTOH, how long has DNS64 been deployed (I don't know)?  Will it see increased 
>deployment in the future, so this is the leading edge of the issue?

I think DNS64 and NAT64 fall into the category of "nice try". The idea
was that your devices could all be IPv6 only and the complexity would
all be in the NAT and the DNS translator.

But we now know that DNS64 breaks DNSSEC, it breaks SPF, and as Andrew
has pointed out, it likely breaks other stuff too. NAT64 and DNS64 are
probably OK for mobile networks where everything is a client and P2P
servers are discouraged.

But in reality, all devices are dual stacked, and networks use NAT44
to connect to the IPv4 outside world. I have a bunch of servers at
AWS. They all have real IPv6 addrsses and local 10/8 addresses. The
ones that need to be visible from outside have static real IPv4
addresses routed through the NAT (rumor says at least two levels of
NAT.) The others can get a temporary address from the AWS pool while
they are active. What my hosts see is a /16 of 10/8 where I can
activate /24 subnets in different geographic regions.

It works fine. There is no messing with the DNS, DNSSEC works, the
remote IPv4 addresses my servers see are the real ones so if they were
doing SPF, it would work too.

For a long time the IETF desperately tried to pretend that NAT44 was
useless or stupid or didn't exist, and there were a few attempts to
do something that wasn't NAT44.  I think this is one of them.

R's,
John

v2.23.0 | Report a Bug | By Email