Categories
IPV6

Completing the Transition to Internet Protocol Version 6 (IPv6)

If the federal government can do #IPv6, why can’t you?

https://www.whitehouse.gov/wp-content/uploads/2020/11/M-21-07.pdf announced on 19.Nov. 2020

Develop an IPv6 implementation plan by the end of FY 2021, and update the Information Resources Management (IRM) Strategic Plan  as appropriate, to update all networked Federal information systems (and the IP-enabled assets associated with these systems) to fully enable native IPv6  operation. The plan shall describe the agency transition process and include the following milestones and actions: 12

  1. At least 20% of IP-enabled assets on Federal networks are operating in IPv6-only environments by the end of FY 2023
  2. At least 50% of IP-enabled assets on Federal networks are operating in IPv6-only environments by the end of FY 2024
  3. At least 80% ofIP-enabled assets on Federal networks are operating in IPv6-only environments by the end of FY 2025 and
  4.  Identify and justify Federal information systems that cannot be converted to use IPv6 and provide a schedule for replacing or retiring these systems;

See details in linked pdf

Lets see if that happens as planned

Categories
acme certificates web security web tools

Apple strong-arms entire CA industry into one-year certificate lifespans

 
Apple, Google, and Mozilla reduce the lifespan for HTTPS certificates to 398 days, against the wishes of Certificate Authorities.
Following Apple’s initial announcement, Mozilla and Google have stated similar intentions to implement the same rule in their browsers.
Starting with September 1, 2020, browsers and devices from Apple, Google, and Mozilla will show errors for new TLS certificates that have a lifespan greater than 398 days
https://www.zdnet.com/article/apple-strong-arms-entire-ca-industry-into-one-year-certificate-lifespans/
 
For IT Departments this means we need to invest into automation of the whole certificates process (CSR, install, renew, DH). No email work flows, no manual processes.
Usage of ACME with pre and post installation hooks, dns validation will become now finally mandatory
 
About upcoming limits on trusted certificates
In our ongoing efforts to improve web security for our users, Apple is reducing the maximum allowed lifetimes of TLS server certificates.
What’s changing
TLS server certificates issued on or after September 1, 2020 00:00 GMT/UTC must not have a validity period greater than 398 days.
This change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS. Additionally, this change will affect only TLS server certificates issued on or after September 1, 2020; any certificates issued prior to that date will not be affected by this change.
Connections to TLS servers violating these new requirements will fail. This might cause network and app failures and prevent websites from loading.
Categories
IPV6

Progess at A1.net AS8447 on A1 Kombi Customers

In Austria you can have wired phone line with ADSL Data.
Normally plain IPv4. But now partly also with Dualstack.
Example: Near Graz/Austria
IPv4: Good, AS12793 – A1-TELEKOM-AT A1 Telekom Austria AG
IPv6: Good, AS8447 – TELEKOM-AT A1 Telekom Austria AG
IPv4 address: 217.149.162.209
IPv6 address: 2001:871:64:ca:b8a6:cb7:2a6b:cbb0

The PCs get IPv6 addresses and get working connection.
Cavats: No working DNS via IPv6
Hotline does not know why it works, nor customer gets information.
DNS servers kdns1.highway.telekom.at, kdns2.highway.telekom.at, kdns3.highway.telekom.at for reverse DNS are IPv4 only.
https://stat.ripe.net/2001%3A871%3A64%3Aca%3Ab8a6%3Acb7%3A2a6b%3Acbb0#tabId=at-a-glance

No way to order that for mine ADSL Kombi, nor to get a product information.

So progress, but to completed

#ipv6 #Österreich #austria  @A1Telekom

Categories
Uncategorized

Homeoffices use more IPv6 then enterprises

Categories
dualstack IPV6 smtp

Detecting phishing with spf macros

I run a test domain andritz.me with dual stack and mail enabled

SMTP server

ns.andritz.me 185.77.254.8 and 2a05:6740:40c0:4000:0:0:0:53

SPF record:

v=spf1 exists:i.%{i}.h.%{h}.o.%{o}.spf.andritz.me -all
%{ir} is replaced by the IP address of the sender
%{o} is replaced by the domain of the sending client
%{h} is replaced by the HELO/EHLO domain ns.andritz.me

So i need DNS entries for the exist queries according to https://tools.ietf.org/html/rfc7208

see 7.2. Macro Definitions

   The following macro letters are expanded in term arguments:

      s = <sender>
      l = local-part of <sender>
      o = domain of <sender>
      d = <domain>
      i = <ip>
      p = the validated domain name of <ip> (do not use)
      v = the string "in-addr" if <ip> is ipv4, or "ip6" if <ip> is ipv6
      h = HELO/EHLO domain

But be careful to those IP addresses in reverse notation

https://tools.ietf.org/html/rfc7208#page-32 ( examples of macro expansion, i donot use %v

i.8.254.77.185.h.andritz.me.o.ns.andritz.me.spf.andritz.me

i.3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.andritz.me.o.ns.andritz.me.spf.andritz.me.

Both entries need to exist for each mailserver and respond to a A ( also for ipv6) query with any but valid value.

DNS A records are limited <250 characters )

https://www.kitterman.com/spf/validate.html you can use ipv4 or ipv6

02-Jan-2020 10:44:51.453 queries: info: client @0x7f3f30101180 66.39.4.57#8213 (0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:51.565 queries: info: client @0x7f3f30101180 66.39.4.57#2706 (5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:51.676 queries: info: client @0x7f3f30101180 66.39.4.57#1561 (6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:51.788 queries: info: client @0x7f3f30101180 66.39.4.57#40533 (7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:51.899 queries: info: client @0x7f3f3011e0a0 66.39.4.57#30752 (4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.011 queries: info: client @0x7f3f3011e0a0 66.39.4.57#3741 (0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.122 queries: info: client @0x7f3f3011e0a0 66.39.4.57#32473 (4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.234 queries: info: client @0x7f3f3011e0a0 66.39.4.57#20129 (0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.347 queries: info: client @0x7f3f3011e0a0 66.39.4.57#59149 (c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.459 queries: info: client @0x7f3f3011e0a0 66.39.4.57#57085 (0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.571 queries: info: client @0x7f3f3011e0a0 66.39.4.57#23099 (4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.683 queries: info: client @0x7f3f3011e0a0 66.39.4.57#26783 (0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.795 queries: info: client @0x7f3f3011e0a0 66.39.4.57#59831 (0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:52.907 queries: info: client @0x7f3f3011e0a0 66.39.4.57#11262 (0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.019 queries: info: client @0x7f3f3011e0a0 66.39.4.57#49170 (0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.131 queries: info: client @0x7f3f3011e0a0 66.39.4.57#27116 (0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.243 queries: info: client @0x7f3f3011e0a0 66.39.4.57#55092 (0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.355 queries: info: client @0x7f3f3011e0a0 66.39.4.57#33274 (0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.467 queries: info: client @0x7f3f3011e0a0 66.39.4.57#23164 (0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.581 queries: info: client @0x7f3f3011e0a0 66.39.4.57#13752 (0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:53.807 queries: info: client @0x7f3f3011e0a0 66.39.4.57#53153 (0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:54.034 queries: info: client @0x7f3f3011e0a0 66.39.4.57#49398 (0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:54.372 queries: info: client @0x7f3f3011e0a0 66.39.4.57#2880 (0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:54.714 queries: info: client @0x7f3f3011e0a0 66.39.4.57#24045 (3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: 3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN DS -E(0)D (185.77.254.8)
02-Jan-2020 10:44:54.941 queries: info: client @0x7f3f3011e0a0 66.39.4.57#55280 (i.3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me): query: i.3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.0.c.0.4.0.4.7.6.5.0.a.2.h.ns.andritz.me.o.andritz.me.spf.andritz.me IN A -E(0)D (185.77.254.8)

Other information found

https://spf-all.com/stats.html Currently only very domains utilzed that phishing protection.

https://duo.com/labs/tech-notes/detecting-phishing-with-spf-macros

https://www.dmarcanalyzer.com/spf/checker/