IETF Logo Mail Archive

Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-mta-sts-17: (with DISCUSS and COMMENT)

Daniel Margolis <dan@af0.net> Fri, 04 May 2018 18:25 UTC

Return-Path: <dan@af0.net>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52871124234 for <uta@ietfa.amsl.com>; Fri, 4 May 2018 11:25:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=af0.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r81gTgyg2Woc for <uta@ietfa.amsl.com>; Fri, 4 May 2018 11:25:35 -0700 (PDT)
Received: from mail-wm0-x22b.google.com (mail-wm0-x22b.google.com [IPv6:2a00:1450:400c:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6932E12D88B for <uta@ietf.org>; Fri, 4 May 2018 11:25:35 -0700 (PDT)
Received: by mail-wm0-x22b.google.com with SMTP id j5-v6so6377939wme.5 for <uta@ietf.org>; Fri, 04 May 2018 11:25:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=af0.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=o02xcib2DukTTumkpUb42TiJ6f3FHZoG+/igjHBS8yQ=; b=WgIZ6fXX4SNCKvApULuDFykaX1YrSSpraSEi1xWsEQaQcfFiFLXuyDICFxuHRdzmCj 8kO0o+87Zk4tfdeJNcvUUjyghEszG9tFQavnJepdvvGvtdOHJnSCT8KAdWNCT6wm6Ovb 8eVXLPpCuwQsFZC4DbAL/Jz6fcwvEi8A5LFzY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=o02xcib2DukTTumkpUb42TiJ6f3FHZoG+/igjHBS8yQ=; b=NDoKQ2MDIz1KlpV5wOqA+3hZKmybxmtK8zWIZZVD/8C3aaZomQDoLTOGfEQCIUcqVI fqPciftc4wWy68EY0WsQlTMRmVwtEJnW7JXZ5AhgrzBWkt1eIhoNjUE2y6gKGCn1Hl5D EEqoAh6yIUOUIxXSDeePRzD1Ylha26f8dc/Ukm9sx7sa2Nh8T5qViiD3XZDB2gVgfyLK ZKl7zVkNSMGO+GcxibS2pVS5Y4oyaqAjxfarV9/FmGYuncIBt/nwLkan75i7ZnQ0hFmt rlmOMV2LS1QBfQlBDDpu5CBSWn5OZk97rC6537mRFeHNH5IvqpPBCThTdR7iVkamBkd6 JTQg==
X-Gm-Message-State: ALQs6tAZnjNISsFArPFMOnajV0pUMrJzY0RnAk/Aoi09GJFg43w9M5vc kMRupLgp5FcD7171++zWiK4ouQBW8ax/FvFUBXg9aw==
X-Google-Smtp-Source: AB8JxZqWvk5E/5hTpSr+sELbgF+k4iQDLHn2CPoJeKBhfeD4FopqdNOCqX96WixtYZZX4iMlPg0q66S4M6BP3VRpJns=
X-Received: by 2002:a50:8f65:: with SMTP id 92-v6mr8894805edy.281.1525458333699; Fri, 04 May 2018 11:25:33 -0700 (PDT)
MIME-Version: 1.0
References: <152539648489.11713.7895583526344282774.idtracker@ietfa.amsl.com> <20180504051945.GS3322@mournblade.imrryr.org> <CABcZeBORH1iKZ2QZb_DBcwsDdBDS8Nbxb_A6Q7RxNL6X6Xg_BQ@mail.gmail.com> <7A6E57A9-E7B5-4326-B4B5-7777DFCF8C44@dukhovni.org> <CABcZeBN-SHAnyevhRvXeZA_AJ1ED7+hxOKznmyjyfiSX-9ZeYw@mail.gmail.com> <0A702CAD-B5E0-4F6B-A32F-1CC6B86E65D1@dukhovni.org>
In-Reply-To: <0A702CAD-B5E0-4F6B-A32F-1CC6B86E65D1@dukhovni.org>
From: Daniel Margolis <dan@af0.net>
Date: Fri, 04 May 2018 18:25:23 +0000
Message-ID: <CA+S86mVQXHi=R34vZJgvumj7QDyTRXfLJErE7wNCPcuwKjLLTw@mail.gmail.com>
To: Viktor Dukhovni <ietf-dane@dukhovni.org>
Cc: Eric Rescorla <ekr@rtfm.com>, uta@ietf.org, draft-ietf-uta-mta-sts@ietf.org, uta-chairs@ietf.org, The IESG <iesg@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000199e4d056b657233"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/QBJozF4jqVXkNGYHWxZ173w0Xzs>
Subject: Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-mta-sts-17: (with DISCUSS and COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2018 18:25:38 -0000

Whoah. Long thread.

For the record, I believe it's trivial to implement the hostname filtering
without applying it to the MX selection loop (and I think I've made this
observation before): if an invalid certificate is (as it must be) detected
after connecting to the chosen MX candidate (and thus cannot be used to
"prefilter" the candidate list), then, similarly, one can merely reject MX
candidates after selecting them (i.e. without modifying the loop/candidate
logic) and simulate the same control flow. That said, I always read
Viktor's argument as being that by making this a check against the
presented certificate it ensures implementers do not modify the candidate
selection logic.

I also always felt a bit ambivalent about this entire discussion, insofar
as we are trying to design so that implementers of validating MTAs--of
which there aren't all that many--don't make mistakes. Both designs run a
risk of hypothetical mistakes, either in the wildcard-to-wildcard matching
or in the MX loop traversal. But neither mistake is applicable to system
administrators, but only to the much rarer set of MTA authors. This doesn't
mean we shouldn't consider it, of course, and I think the concerns voiced
are valid--but it still seems significant to me to keep that in mind.

I think that actually lends itself to documentary fixes--i.e., calling out
the risks and potential mis-implementations in either strategy for
uncareful readers.

On Fri, May 4, 2018 at 6:13 PM Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

>
>
> > On May 4, 2018, at 11:45 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> >
> >> If the meaning of the matching field were changed to be an
> >> MX hostname pattern, rather than a presented-identifet (RFC6125)
> >> pattern, then we'd need rather prominent warnings in the
> >> text about routing loop avoidance.
> >
> > Well, in general when STS is misconfigured you can have problems.
> > I don't see that this case is sufficiently important to go away from
> > standard TLS semantics.
>
> For the record, I'm concerned about implementation pitfalls,
> not misconfiguration.  A domain where not all the MX hosts
> are not listed in the STS policy is "normal" is not
> misconfigured per-se, STS-aware clients would send only
> via the secure MX hosts, other clients may use the full
> set.  This is not a recommended configuration, but it
> should work, provided at least one best-preference MX host
> is listed.
>
> The basic idea is that STS is there to secure mail routing,
> not trump it.  As much as possible mail routing should continue
> to be based on the MX host names.  An MX host not listed in the
> policy might never-the-less possess a certificate matching the
> policy (if the policy specifies presented-id patterns rather than
> MX host patterns).
>
> Which is not to say that alternative designs can't work, they'd
> emphasize doing TLS "by-the-book" over doing SMTP "by-the-book".
> My instinct is to do SMTP "by the book", the goal here is to deliver
> email, securely when possible.
>
> This protocol is an opportunistic upgrade from cleartext to
> unauthenticated TLS to authenticated TLS when STS policy is
> located and/or cached, some caution may be appropriate to not
> over-optimize for security at the expense of operational
> robustness.  Especially in the email space, fragile security
> gets turned off, RFC7435 and all that...
>
> One related observation (thanks for the hard questions that lead
> to the insight), perhaps worth mentioning in Security Considerations,
> is that with MTA-STS an attacker who can forge MX records or address
> RRsets of MX hosts can cause mail to bounce when the sender finds no
> A/AAAA records for any of the MX hosts. The reverse path may not be
> STS protected, and the bounce may return to the sender in the clear.
>
> An implementation that naively filters the MX RRset first,
> before eliminating MX hosts at the same or worse preference
> than the sending host is buggy, and I think this bug is quite
> likely.  These days few read a complete document cover to cover,
> we tend read the bits we think we need.  Information overload and
> all that.
>
> So the warning about MX loops would likely be needed in
> multiple places in the document to make MX patterns safer
> for implementors with a typical attention span.
>
> If the authors, IESG, the WG participants reading this, ...
> decide to go back to MX host patterns at this point, I
> won't stand in the way, I would just ask for prominent
> warnings about MX RRset truncation at the sending host's
> own preference (when found in the original MX RRset, forged
> or not) and above happening BEFORE any policy filtering of
> the MX RRset.
>
> --
>         Viktor.
>
>

v2.23.0 | Report a Bug | By Email