Mailing List Archive

> Ok, so back to my question of what should this match:
>
> "v=spf1 ip6:::FFFF:72.81.252.18 -all"
>
> You are saying that it is ok to sometimes give a Pass and sometimes to
> give a Fail?

That is what he said.

> Personally, I would rather not allow for inconsistent SPF results.
> Are there any SPF implementations that will give a pass on this, other
> than Julian's very recent one?

None that I am aware of.

Here is my judgement for the MUTUAL EXCLUSION position:

The language of the RFC says, "*Even* *if* the SMTP connection is via
IPv6, an IPv4 mapped IPv6 address MUST still be considered an
IPv4 address" (emphasis mine). The "even if" tells us to set aside
our natural inclination to regard the connection as IPv6, and regard it
as IPv4 *instead*. If the intention of the RFC was BOTH AND, the word
"even" would have been omitted. Wayne, the composer of the sentence
in question concurs.

Furthermore, the preceding sentence does not allow fetching BOTH
A and AAAA records - which is logically required by the BOTH AND
position. Therefore, the BOTH AND position, while theoretically
attractive from an IPv6 standpoint,

1) is incompatible with IP4 implementations that ignore IP6.
2) is logically inconsistent in matching ip6, but not fetching AAAA.
3) goes against the language of the RFC, specifically the "Even if" phrase.
4) has only one implementation and it was just completed this week.
5) seems to have only one proponent on SPF mailing lists.

The COMPROMISE party position is that implementations may choose whether
ip6:::FFFF:* should match an IP4 address. This position is untenable
because SPF results should be well defined, and not the receivers choice.
The receiver can choose what action to take in consequence, but not
the actual SPF result. Existing alternate results in the test-suite stem
from an explicit MAY or SHOULD in the RFC, or from precisely when DOS limits
are detected. The RFC does not have an explicit MAY or SHOULD for the
BOTH AND position, and IP6 is not a DOS situation.

It is important to nail down this issue since new SPF implementations
will be supporting IPv6. IP6 is gaining momentum in government at least,
and SPF needs to have solid support for it. An ugly, but predictable
IP6 policy is better than a more elegant, but randomly implemented
IP6 policy. So, while BOTH AND would have been prettier if it had
been thought of soon enough, we are stuck with RFC4408. I suggest that
the BOTH AND party make sure that SPFv3 gets it right.

Therefore, as test-suite czar, I declare the MUTUAL EXCLUSION party the
winner, and will remove the alternate (BOTH AND) results from the test
suite. This will likely make the just completed Mail::SPF Perl library
not in compliance, but preserves compliance for all other implementations.
(Unless someone can point out another BOTH AND implementation.)

All opposed, make your final arguments.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=1007

Julian Mehnle wrote:

>>> I am currently with the mutual exclusion party.

>> +1 Julian's position runs into contradictions wrt A vs. AAAA and
>> dualcidr.

> How so?

As you've explained it yesterday in...
<http://permalink.gmane.org/gmane.mail.spam.spf.devel/1246>
...and as we've discussed it two weeks ago in...
<http://permalink.gmane.org/gmane.mail.spam.spf.devel/1231>

Frank


-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=1007

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frank Ellermann wrote:
> Julian Mehnle wrote:
> > > Julian's position runs into contradictions wrt A vs. AAAA and
> > > dualcidr.
> >
> > How so?
>
> As you've explained it yesterday in...
> <http://permalink.gmane.org/gmane.mail.spam.spf.devel/1246>
> ...and as we've discussed it two weeks ago in...
> <http://permalink.gmane.org/gmane.mail.spam.spf.devel/1231>

Well, yeah. But how is that a contradiction? The "A/AAAA dual look-up"
solution (which I haven't been advocating, by the way) may not be nice,
but it would certainly be doable and not contradictory in itself.

The dual prefix length syntax (we shouldn't have called it "CIDR length",
which is a bogus term) is really just a convenience feature. With SPFv1
generally supporting IPv6, we could just as well have said that there is
always only _one_ prefix length and that it is IPv6, and that for IPv4
addresses, ip6-cidr-length minus 96 should be used as the prefix length.

For practical purposes (we don't want to lose the readability of the dual
syntax after all, do we?), we could (and probably should) have said that
any IPv4/IPv6 prefix length combo must satisfy "ip4-cidr-length = ip6-
cidr-length - 96" or an error would be thrown. (Yes, some very odd setups
could no longer be expressed that way, but you already have the equivalent
problem with "v=spf1 a:foo/24", foo. A 192.168.0.1, foo. A 10.0.0.1.)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFbMMJwL7PKlBZWjsRAvZjAKDyfd9kG0tOu7OzMnilAz3vjRkcHwCgqkI4
bo4Z2TkP43/3NOFvgCBg42Y=
=TXq+
-----END PGP SIGNATURE-----

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=1007

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Julian Mehnle wrote:
> Stuart D. Gathman wrote:
> > On Wed, 15 Nov 2006, Julian Mehnle wrote:
> > > In the Mail::SPF test-suite driver, I am currently skipping the
> > > "cidr6-0-ip4" and "cidr6-ip4" test cases. They assume that IPv4
> > > connections must never match the "ip6" mechanism, even if the IPv4
> > > connection comes in through an IPv6 interface. I discussed this
> > > with Wayne and Scott on #spf extensively, and it seems we cannot
> > > agree on a common interpretation of RFC 4408. Here's my
> > > rationale:
> > >
> > > Nowhere does RFC 4408 say that the "ip6" mechanism must not match
> > > IPv4 addresses. 5/9 saying "Even if the SMTP connection is via
> > > IPv6, an IPv4-mapped IPv6 IP address [...] MUST still be considered
> > > an IPv4 address" doesn't change that.
> >
> > Why do you make ip4 mapped ip6 connections match IP6, but not A or MX?
> > To be consistent, you should fail tests like a-cidr6-0-ip4mapped as
> > well:
> >
> > e2a.example.com:
> > - AAAA: 1234::1
> > - SPF: v=spf1 a//0 -all
> >
> > If ip4 mapped connections are considered as *both* ip4 and ip6, then
> > they should match the above a//0 mech as well. But your SPF lib
> > apparently passes the above test.
>
> You are right. I really should do _both_ "A" and "AAAA" lookups for
> IPv4-mapped IPv6 addresses in order to be consistent with my "ip6:"
> rationale.
>
> However, I need to think more about (1) whether such dual address
> lookups can be justified, and (2) whether there's perhaps a conceptual
> difference between "ip6:" and "a:" that would justify NOT being
> consistent in this regard. I'll let you know where my meditations lead
> me.

Here's my final position after having pondered all of this for a few days.

1. "ip6:::/0", "ip6:::ffff:n.n.n.n", and similar constructs in SPF records
should NOT be no-ops but should match connections from IPv4 addresses.
I acknowledge that RFC 4408 is not sufficiently explicit about what to
do, and I maintain that it DOES permit this interpretation of mine and
that...
a. otherwise, RFC 4408 would have had to explicitly state that "ip6:
::ffff:n.n.n.n/len" or "ip6:::ffff:x:x/len" are no-ops (bad!), or
even better, do throw a PermError. Note that the "ip6:::ffff:
n.n.n.n" syntax _is_ allowed by RFC 4408, and that
b. NOT having holes in "ip6:"'s IPv6 address space is "the right thing
to do" because it does what the IPv6-savvy SPF publisher expects.

2. It is sufficiently unlikely that domain owners would publish IPv4
addresses using AAAA records, so requiring SPF implementations to do
both A and AAAA look-ups for IPv4 connections, while theoretically the
most correct thing to do, is _way_ out of proportion and NOT necessary
in order to maintain consistency with the view that "IPv4-mapped IPv6
addresses are IPv6 addresses, too".

3. I thus request that the test-suite be changed to _require_, or at least
_allow_, that "ip6:" can match connections from IPv4 addresses, regard-
less (obviously!) whether the MTA implementing SPF uses an IPv4 socket
or an IPv6 socket. As I have said multiple times, this request is NOT
motivated by the desire to save some small percentage of development
effort, but because I believe it to be the right thing to do.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFbuHhwL7PKlBZWjsRAq4GAKCdIluUps6q4IU6Y0CZOZ7D7pAkqQCcDx88
irJvDbs8A4vPpwSH4Fvx3EE=
=0Nnh
-----END PGP SIGNATURE-----

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=1007

On Thu, 30 Nov 2006, Julian Mehnle wrote:

> 3. I thus request that the test-suite be changed to _require_, or at least
> _allow_, that "ip6:" can match connections from IPv4 addresses, regard-
> less (obviously!) whether the MTA implementing SPF uses an IPv4 socket
> or an IPv6 socket. As I have said multiple times, this request is NOT
> motivated by the desire to save some small percentage of development
> effort, but because I believe it to be the right thing to do.

The 2006-11 test suite already does this. Since ip6:::FFFF:* is a noop
in the majority opinion, and is the preferred result, publishers won't have
any reason to use it, and there won't be any compatibility problems. :-)
I.e., you can maintain that ip6:::FFFF:* *ought* to match something,
but you can't depend on it until SPFv3 - when Julian will hopefully
ensure more elegant IP6 semantics for the next version.

Note that "can't depend on it" is *not* because I mulishly won't make Julians
interpretation the only one. It is because that is how all the existing
implementations save one work. It is how all IP4 only implementations work.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=1007

On Thursday 30 November 2006 08:51, Julian Mehnle wrote:

> Here's my final position after having pondered all of this for a few days.
...

I disagree. Nothing new to be said, but I 'vote' against.

Scott K

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=1007

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stuart D. Gathman wrote:
> On Thu, 30 Nov 2006, Julian Mehnle wrote:
> > 3. I thus request that the test-suite be changed to _require_, or at
> > least _allow_, that "ip6:" can match connections from IPv4 addresses,
> > regard- less (obviously!) whether the MTA implementing SPF uses an
> > IPv4 socket or an IPv6 socket. As I have said multiple times, this
> > request is NOT motivated by the desire to save some small percentage
> > of development effort, but because I believe it to be the right thing
> > to do.
>
> The 2006-11 test suite already does this. Since ip6:::FFFF:* is a noop
> in the majority opinion, and is the preferred result, publishers won't
> have any reason to use it, and there won't be any compatibility
> problems. :-) I.e., you can maintain that ip6:::FFFF:* *ought* to match
> something, but you can't depend on it until SPFv3 - when Julian will
> hopefully ensure more elegant IP6 semantics for the next version.
>
> Note that "can't depend on it" is *not* because I mulishly won't make
> Julians interpretation the only one. It is because that is how all the
> existing implementations save one work. It is how all IP4 only
> implementations work.

Please change or don't change the test suite as you see fit, given what has
been said in this thread. If you change it back to disallowing "ip6:"
matching IPv4 addresses, I will then either change Mail::SPF to conform or
keep overriding the relevant test cases (I haven't decided yet).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFbvsgwL7PKlBZWjsRAitiAKCpObm0b9n0rY33FyINlIhFIw/9ewCgn+XT
p3AKaV1dtszBCbIHQZncqKo=
=xM1f
-----END PGP SIGNATURE-----

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=1007

In <200611301351.29872.julian@mehnle.net> Julian Mehnle <julian@mehnle.net> writes:

> Julian Mehnle wrote:
> Here's my final position after having pondered all of this for a few days.
>
> 1. "ip6:::/0", "ip6:::ffff:n.n.n.n", and similar constructs in SPF records
> should NOT be no-ops but should match connections from IPv4 addresses.
> I acknowledge that RFC 4408 is not sufficiently explicit about what to
> do, and I maintain that it DOES permit this interpretation of mine and
> that...
> a. otherwise, RFC 4408 would have had to explicitly state that "ip6:
> ::ffff:n.n.n.n/len" or "ip6:::ffff:x:x/len" are no-ops (bad!), or
> even better, do throw a PermError. Note that the "ip6:::ffff:
> n.n.n.n" syntax _is_ allowed by RFC 4408, and that

No, RFC would *not* have to explicitly say that something is a no-op.
The second "all" in "v=spf1 ?all ?all" is a no-op. RFC4408 even
mentions "tracking exists: mechanisms" which never change the SPF
result, although they aren't entirely no-ops. Having a "redirect="
with an "all" mechanism is also a no-op.

Heck, all multi-cast addresses in either ip4: or ip6: are no-ops too,
and that is much closer to this case.


> b. NOT having holes in "ip6:"'s IPv6 address space is "the right thing
> to do" because it does what the IPv6-savvy SPF publisher expects.

Sorry, but there are already many holes in the IPv6 address space.


> 2. It is sufficiently unlikely that domain owners would publish IPv4
> addresses using AAAA records, so requiring SPF implementations to do
> both A and AAAA look-ups for IPv4 connections, while theoretically the
> most correct thing to do, is _way_ out of proportion and NOT necessary
> in order to maintain consistency with the view that "IPv4-mapped IPv6
> addresses are IPv6 addresses, too".

Do a google search on "IPv4-mapped AAAA" and see how many people
disagree with this claim.


> 3. I thus request that the test-suite be changed to _require_, or at least
> _allow_, that "ip6:" can match connections from IPv4 addresses, regard-
> less (obviously!) whether the MTA implementing SPF uses an IPv4 socket
> or an IPv6 socket. As I have said multiple times, this request is NOT
> motivated by the desire to save some small percentage of development
> effort, but because I believe it to be the right thing to do.

I think that creating a gratuitous ambiguity for no gain is wrong. I
think requiring your intperetation of the spec would be horrible.

I can not support anything other than saying that for SPF, IPv4 and
IPv6 addresses spaces are mutually exclusive.


-wayne

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=1007