IETF Logo Mail Archive

Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-mta-sts-17: (with DISCUSS and COMMENT)

Daniel Margolis <dan@af0.net> Sun, 06 May 2018 19:45 UTC

Return-Path: <dan@af0.net>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63E2112D7F7 for <uta@ietfa.amsl.com>; Sun, 6 May 2018 12:45:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=af0.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0VSFmhTUNjkj for <uta@ietfa.amsl.com>; Sun, 6 May 2018 12:45:00 -0700 (PDT)
Received: from mail-wm0-x229.google.com (mail-wm0-x229.google.com [IPv6:2a00:1450:400c:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD2B812D7EA for <uta@ietf.org>; Sun, 6 May 2018 12:44:56 -0700 (PDT)
Received: by mail-wm0-x229.google.com with SMTP id n10-v6so12649943wmc.1 for <uta@ietf.org>; Sun, 06 May 2018 12:44:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=af0.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8AfiaLTx+ftRPsj/5rE3a0rM8FvBONIBYM6DxJOzdE8=; b=IumJfAXQA8m7leTO5MGuYRZeOm/RfGqBfW76DStyX7uXMswltgbrdHM6uAmZiQdBi+ sBeURRDMAKIzX/rud94J9Ors4n7DSe2HXVfcME6e8g8xWyFc8aNJf6Sg/rPPnr3iXnjJ 5AZoN9YA9LYkqtETSfZigMFyfPpK4TBqFzK0A=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8AfiaLTx+ftRPsj/5rE3a0rM8FvBONIBYM6DxJOzdE8=; b=rvElIvzVEgAXpvD6YLFXOl6yNjG9CfRSuuSoO5I4BO3NpBE3C4zol9hSXvut5hL5D1 aY4AyzWCZ/1zzCEHksABSucUp3V8qwYghWgl3xAVfjQRR5KPZiApfIdScsNw6E8tUMm6 U0JL4RXNYZYuBLkcB9pZAS0qi8DpxAyVBLO6SpL11UrYzweb2IphWVU1bWHzlj0J+GrO NGg0Nsl6GLXjvNlXcHAD3nLAFdCMOgD8dF/v7IA0FIPSxOun0JQwRVmwYbECKAzATaIh 5rICPg9ZoC3BPNPf8dXHo2eShbmG5Zx2vY4CI3lUIQ/px/1a+NVJyru9ESWHeFjVY+0V zoHg==
X-Gm-Message-State: ALQs6tBDPl6E3FgOWl1B2dzuipWg6+V/Qlp2axsf9ZsByc2eK7W9ExHy TxWTe/4MRrGR7aCwWKItYk2Dha0nRrGaVZ/dV1GdLg==
X-Google-Smtp-Source: AB8JxZrogNIvD383mwTKj8BeraCAR7QnbofJ1CB4bdmZ3pY9YQ8voe+KYxyThMstQ5Ccv1lqzID472DtYdWovDYXjsc=
X-Received: by 2002:a50:af05:: with SMTP id g5-v6mr22637044edd.286.1525635895120; Sun, 06 May 2018 12:44:55 -0700 (PDT)
MIME-Version: 1.0
References: <152539648489.11713.7895583526344282774.idtracker@ietfa.amsl.com> <CANtKdUeK_HpOYsP-CfhF7m7-DYiSX39xTMLxqZw-1UQsn29xyQ@mail.gmail.com> <78C81C6B-1C5F-4361-A3B7-40D9012E406A@dukhovni.org>
In-Reply-To: <78C81C6B-1C5F-4361-A3B7-40D9012E406A@dukhovni.org>
From: Daniel Margolis <dan@af0.net>
Date: Sun, 06 May 2018 19:44:44 +0000
Message-ID: <CA+S86mWSNwzG0_y_d=yg8Nqf9gxFud+8TAYWHY3Uw6aqn_JKog@mail.gmail.com>
To: Viktor Dukhovni <ietf-dane@dukhovni.org>
Cc: uta@ietf.org, draft-ietf-uta-mta-sts@ietf.org, uta-chairs@ietf.org, The IESG <iesg@ietf.org>, Leif Johansson <leifj@sunet.se>
Content-Type: multipart/alternative; boundary="00000000000095e2b1056b8ec994"
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/SCJj3ZQcAE2nE3xERm6mFO6M14Q>
Subject: Re: [Uta] Eric Rescorla's Discuss on draft-ietf-uta-mta-sts-17: (with DISCUSS and COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 May 2018 19:45:02 -0000

I don't believe that *pre-filtering *the MX candidate list is the only way
to do it. You could leave the loop as-is and just refuse to connect to
(i.e. treat as a transient connection failure) any candidate which fails
the policy validation. So this is an implementation question; modifying
loop pre-filtering is probably riskier than what we might call "connection
early termination", but both are compliant with the protocol.

The real difference between the two options is not, I think, this
implementation question, but that the current protocol technically allows
some valid configurations that are invalid in the MX-based
alternative--namely, the case where the certificate does not match the MX
hostname. That turns out to be fairly common (per
https://conferences.sigcomm.org/imc/2015/papers/p27.pdf), though, frankly,
I do not know that there's a good reason for admins to deliberately
configure a system in such a matter and, as a result, I don't believe
there's a strong argument for us preserving that flexibility.

I guess the tl;dr as far as I'm concerned is that I think either way really
can be done safely, that it's mostly a documentation issue, but I am
generally hesitant to change things now if we don't have to.

On Sun, May 6, 2018 at 8:41 PM Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

>
>
> > On May 6, 2018, at 12:55 PM, Daniel Margolis <dmargolis@google.com>
> wrote:
> >
> > 2. Why is the "mx" pattern matched against the SANs and not the MX
> records themselves? As Viktor noted and I commented briefly in passing, we
> debated this a *lot* before. One point here is that this is only visible to
> MTA implementors; sysadmins who mistakenly believe the "mx" field should
> match the DNS records (which should themselves match the servers'
> certificates) will end up making their configurations valid per the actual
> specification. In other words, "match the policy against the SAN" matches a
> superset of conditions which are valid in the alternative ("match the
> policy against the MX records and match those records against the
> certificate"). Personally I would consider this edit to have been a
> compromise--it was not and is still not my first choice--but, given it is
> the status quo, I am fairly loath to change it.
> >
> > On these points--especially #2--I continue to defer to the guidance of
> the chairs on how best to resolve such issues.
>
> After having to revisit this in response to the DISCUSS, I can
> crystalize the issue in terms of the following dichotomy:
>
>    * Does MTA-STS secure the connections to the endpoints indicated
>      by a domain's MX RRset, without preempting MX-based SMTP routing?
>
> or
>
>    * Does MTA-STS secure the MX RRset, possibly filtering it to at
>      at most a set of names cached in the policy, with great care
>      to first take care of loop elimination.
>
> My sense is that the first option (current text) is a less invasive
> change in SMTP, it changes only how the peer is authenticated.
>
> For example, it "testing" mode, one probably SHOULD NOT trim the MX
> RRset based on a "testing" policy.  Or one might support multiple
> authentication mechanisms for the peer MX (say key fingerprint as
> a fallback of MTA-STS fails).
>
> There are more implications to filtering the RRset then just
> the presented-id matching...
>
> --
>         Viktor.
>
>

v2.23.0 | Report a Bug | By Email