spf-discuss

Re: Re: [ietf-clear] Re: Make CSV backwards compatible with legacy SPF records?

2004-12-02 00:00:45
On 11/18/04 10:44 AM, "wayne" <wayne(_at_)midwestcs(_dot_)com> wrote:
Now, the folks involved with CSV (Dave C, John L, Doug O, etc.) claim
that checking the HELO domain against SPF records isn't as good as
doing CSV checks.
...
Can you explain the difference to me?

Is this difference significant enough to justify having all your
whitelisted domains implement two very similar systems?...


I'm going to try to keep this in the realm of "compare SPF to CSV for this purpose" and stay away from the "Is CSV good or bad" side of things. Keep me honest ok? :)

My opinion is: No, for the purposes of whitelisting, SPF and CSV work similarly.

My understanding of whitelisting:
 Quickly determine if the IP of the client goes with the HELO name
 Quickly determine if a name is on the OK list
 Manage the list of allowed names easily (e.g. by domain suffix)

My understanding of CSV as it relates to whitelisting:
 Can determine if the IP of the client goes with the HELO name

My understanding of SPF as it relates to whitelisting:
 Can determine if the IP of the client goes with the HELO name

CSV's proponents have made the point that since CSV has a much more limited application (i.e. it *only* does HELO name::ip correlation) that this therefore means it is inherently better for the applications it does support. The argument goes something like, since it only does that one job, it's easier to configure for that, and less likely to give you confusion and heartburn by having other features as well. I don't quite buy this line of reasoning, but perhaps I'm not understanding it completely.


--Matthew Elvey <matthew(_at_)elvey(_dot_)com> wrote:
Here are some simple explanations of why checking the HELO domain against
SPF records isn't as good as doing CSV checks.

This coming from someone who thinks it's a good idea to try (and thinks
he came up with the idea) but recognizes it has weaknesses, which I've
attempted to address a long time ago in this thread.  I believe
standardizations I suggested address most but not all of them.


I would totally agree with you here. I think it's to everyone's advantage to try. If it works as well (or mostly as well) everyone wins.

I. Surely, you understand that the SPF record discovery algorithm is
inherently less efficient/more costly than CSV's.  That's obvious, no?
How many DNS queries does it take to resolve elvey.com's SPF record to a
list of IPs?  A dozen or so?


This line of reasoning (IMO) breaks down to something like:
CSV is simpler because it has fewer moving parts (some might say "fewer features")
 You need a way to associate names to IPs for your HELO name
 As simple as you need, but no simpler.

Good argument, but it hinges on a fourth crucial point:
 User wants HELO name protected, and nothing else.

That is, if you want whitelisting for your HELO name and you DON'T want MAIL FROM protection or any other SPF features, you implement CSV and don't implement SPF and it's a simpler solution. Less moving parts.

On the other hand, if you want MAIL FROM or any other SPF features, you will want to implement SPF, not SPF and also CSV. Meaning that if you believe that simplicity and fewer moving parts is of paramount importance, CSV is your thing. If you want the other features too, SPF is your thing.

The trouble is that it isn't a decision you can make by just shopping for the right thing for your needs, like you can with shrinkwrapped software. It's all about interoperability, so as a big player you need to decide which protocol serves most of the needs of most of the people the best.

I submit that simplicity is not the paramount issue when dealing with protocols. A wide variety of users will want a wide variety of features.


II. Here are some simple, concrete examples of where checking the HELO
domain against SPF records isn't as good as doing CSV checks.

 1) The domain owner used an SPF wizard (M$' or pobox's) to create an SPF record.
The wizards are buggy.  They don't take steps to ensure that the owner
creates an SPF record that will match the HELO domains his servers use.

I would agree that this is true. I think it's easy to fix, once more people get interested in whitelisting by HELO name.

 2)The SPF record contains ?all, or ?ip4:.  We need a standard that
defines whether these should be ignored.  (IMO, yes)

I don't see how ?mechanism: is a problem. CSV has an "unknown" mode too, correct? Is it the unknown mode in general that's the issue, or that you think the rules should be different when looking for a HELO match?


 3)The SPF record contains +all.  We need a standard that defines whether
this should be ignored. (IMO, yes)

 4)The SPF record contains +63.0.0.0/5, or +63.0.0.0/8, or +63.0.0.0/16
or +63.0.0.0/24.  We need a standard that defines whether these should be
ignored. (discussed earlier in this thread.)

 5) Because of issues such as 1-4, and others, a CSV record is more
amenable to being the basis of accreditation and reputation.

What?  I don't get it, probably for the same reasons as #2...?


III. SPF provides no mechanism for determining how to determine a
domain's reputation. CSV does.


Wait a second, I didn't see that in the draft I read. Anyway I'm confining myself to whitelisting right now, not reputation.


Note, there are other *important* differences (SPF checks against HELO
are inherently much more vulnerable to DNS security attacks than CSV;

I don't personally think this is actually true, but for the sake of argument I'll concede that it might be true. Not the most important factor by a long shot, but might be true.

the meaning of "checking the HELO domain against SPF records" is vague;

It needn't be. If we decide to use SPF HELO as a criterion for whitelisting, then the maintainer of the list can add only those domains that the domain owner indicates are going to be used in the agreed-on fashion. For example they would probably not want to whitelist *.example.net, but they might want to whitelist *.outmx.example.net instead.

The "meaning" of the SPF check itself is an assertion that the use of X name by Y IP is allowed. CSV has the added assertion that "using this IP as an SMTP client is OK per the domain owner". SPF has the added assertion that "this IP is allowed to use the name as HELO or MAIL FROM". Any additional subjective meaning (like what the domain owner agrees to by submitting his domain to the whitelist owner) is not covered by either.

a CSV record is more amenable to being the basis of accreditation and
reputation ...)

This is either begging the question (A because A) or there is some information implied but missing. Is CSV inherently better for accreditation because it doesn't have extra modifiers like "accredit="?


IMO, a relatively readable explanation of some of these
objections and more can be found at:
http://www.csvmail.org/email-authentication-summit-comments-P044411.pdf ,
but it's not as clear as I. - III.

I will take a look at that.

--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
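
An added sketch, not part of the original message or of any SPF or CSV implementation: one way a whitelist maintainer could apply the rules proposed in points II.2 to II.4 (ignore `?`-qualified terms, `+all`, and overly wide `+ip4` ranges) when matching a client IP against a HELO domain's SPF record. The function name, the /24 `min_prefix` cutoff and the sample records are assumptions; terms that would need DNS lookups are skipped rather than resolved.

```python
import ipaddress

# Constructed sample records (documentation address ranges plus the
# 63.0.0.0/8 range mentioned in the thread); not real published records.
LOOSE_RECORD = "v=spf1 ip4:192.0.2.0/24 ?ip4:198.51.100.0/24 +ip4:63.0.0.0/8 +all"
STRICT_RECORD = "v=spf1 -ip4:192.0.2.66 ip4:192.0.2.0/24 -all"

def helo_whitelist_match(spf_record, client_ip, min_prefix=24):
    """Decide whether client_ip may be whitelisted under the HELO name.

    Returns (whitelisted, ignored); ignored lists (term, reason) pairs.
    min_prefix is an assumed cutoff: wider +ip4 ranges are skipped.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    ignored = []
    for term in terms[1:]:
        # A mechanism with no explicit qualifier defaults to "+".
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?").lower()
        if qualifier == "?":
            ignored.append((term, "neutral qualifier"))
        elif mech == "all" and qualifier == "+":
            ignored.append((term, "+all authorizes every IP"))
        elif mech == "all":
            return False, ignored            # -all / ~all ends evaluation
        elif not mech.startswith("ip4:"):
            ignored.append((term, "not evaluated offline"))
        else:
            net = ipaddress.ip_network(mech[4:], strict=False)
            if qualifier == "+" and net.prefixlen < min_prefix:
                ignored.append((term, "range wider than /%d" % min_prefix))
            elif ip in net:
                return qualifier == "+", ignored   # first match decides
    return False, ignored                    # nothing usable matched

if __name__ == "__main__":
    for addr in ("192.0.2.25", "198.51.100.7", "63.1.2.3"):
        print(addr, helo_whitelist_match(LOOSE_RECORD, addr))
```
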