IETF Logo Mail Archive

Re: [BEHAVE] Question on embedded address format in draft-baker-behave-v4v6-framework-02

Rémi Després <remi.despres@free.fr> Thu, 30 April 2009 07:18 UTC

Return-Path: <remi.despres@free.fr>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A87643A6784 for <behave@core3.amsl.com>; Thu, 30 Apr 2009 00:18:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.058
X-Spam-Level:
X-Spam-Status: No, score=-1.058 tagged_above=-999 required=5 tests=[AWL=-0.349, BAYES_00=-2.599, HELO_EQ_FR=0.35, MIME_8BIT_HEADER=0.3, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lMS-7TginOuU for <behave@core3.amsl.com>; Thu, 30 Apr 2009 00:18:21 -0700 (PDT)
Received: from smtp1-g21.free.fr (smtp1-g21.free.fr [212.27.42.1]) by core3.amsl.com (Postfix) with ESMTP id 635AB3A657C for <behave@ietf.org>; Thu, 30 Apr 2009 00:18:19 -0700 (PDT)
Received: from smtp1-g21.free.fr (localhost [127.0.0.1]) by smtp1-g21.free.fr (Postfix) with ESMTP id 6A385940174; Thu, 30 Apr 2009 09:19:38 +0200 (CEST)
Received: from RD-Mac.local (per92-10-88-166-221-144.fbx.proxad.net [88.166.221.144]) by smtp1-g21.free.fr (Postfix) with ESMTP id 0DA51940014; Thu, 30 Apr 2009 09:19:36 +0200 (CEST)
Message-ID: <49F95104.5010004@free.fr>
Date: Thu, 30 Apr 2009 09:19:32 +0200
From: Rémi Després <remi.despres@free.fr>
User-Agent: Thunderbird 2.0.0.21 (Macintosh/20090302)
MIME-Version: 1.0
To: Iljitsch van Beijnum <iljitsch@muada.com>
References: <D109C8C97C15294495117745780657AE0B8E2371@ftrdmel1> <55CFDB58-ADD2-460E-9142-87F28E44506E@cisco.com> <49E8CFD9.40904@it.uc3m.es> <49ED219C.1070202@gmail.com> <49EDD647.3060500@free.fr><49EDD750.1070502@network-heretics.com> <49EDDC57.1060302@free.fr><49EE1507.9090306@network-heretics.com><49EEC270.7040607@free.fr> <49EEDADA.8040906@it.uc3m.es><49EF1888.5020302@free.fr> <49EF1D4B.5050300@it.uc3m.es><49EF5017.5030409@free.fr> <49EF6F5D.2010306@it.uc3m.es><49F032DE.3060604@free.fr> <49F03BB4.9050103@it.uc3m.es><49F074D4.2070006@free.fr> <49F07ACF.9000505@it.uc3m.es><49F1D55E.6000003@free.fr> <0C02E699-3F36-4C04-AEB8-59E78D49B827@muada.com> <02ca01c9c533$e8f14620$c5f0200a@cisco.com> <49F25FCB.5040500@network-heretics.com> <49F5E83A.9020 101@free.fr> <051301c9c760$f13d15f0$c5f0200a@cisco.com> <49F6A398.4040207@f ree.fr> <084901c9c82a$890445b0$c5f0200a@cisco.com> <49F805D0.1010200@free.fr> <7D805B55-0019-49BF-9E96-46E3962BC51A@muada.com>
In-Reply-To: <7D805B55-0019-49BF-9E96-46E3962BC51A@muada.com>
Content-Type: text/plain; charset="ISO-8859-15"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: Behave WG <behave@ietf.org>
Subject: Re: [BEHAVE] Question on embedded address format in draft-baker-behave-v4v6-framework-02
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Apr 2009 07:18:22 -0000

Iljitsch van Beijnum  -  le (m/j/a) 4/29/09 8:34 PM:
> On 29 apr 2009, at 9:46, Rémi Després wrote:
> 
>> If these OSes send mapped addresses on the wire when their dual
>> stack has IPv4 enabled, they don't comply with RFC 2553 sec 3.7:
> 
> They don't, they send IPv4 packets, if anything.

Good remark.
A better statement to support the proposal could have been:
"If they have IPv4 enabled, dual stack OSes that comply with RFC 2553 
sec 3.7 send IPv4 packets when  mapped-address destinations are 
presented to their IPv6 socket interfaces".


>> The important point though, is IMHO that, in addition to alignment
>> of OSes with RFC 2553, DNS64s SHOULD in the short term replace
>> mapped addresses by addresses in the provider range
> 
> So what you want is that:
> 
> 1. ::ffff:0:0/96 becomes the NAT64 WKP 2. People running IPv4-only
> hosts put ::ffff:a.b.c.d AAAA records in the DNS 3. People running
> IPv6-only deploy NAT64s and DNS64s 4. DNS64s translate these AAAA
> records into a local (provider address space) NAT64 AAAA record

Yes, this is what I propose, with a few more details on when to do what, 
in a previous answer to Keith Moore (ref. 
www.ietf.org/mail-archive/web/behave/current/msg05890).


> 
> But what about people who run dual stack, and thus have no use for
> NAT64 and thus not for a DNS64? They would see the ::ffff:0:0/96
> addresses, which may get them to send normal IPv4 packets but there's
> also a good change that it won't.

- If they have IPv4 enabled they don't need NAT64.
- If they only their non-updated OSes are assigned only IPv6 addresses 
without having also NAT64s and DNS64s operational, they have no way to 
reach IPv4-only hosts, independently of which DNS RRs are where.

(If an IPv6-only network has to permit non-updated hosts to reach 
IPv4-only servers, it MUST have NAT64s and DNS64s.)

> For instance, the "mapped on the wire harmful" meme has been
> percolating for half a decade and I'm willing to bet that at least
> the NetBSD people filter this out in some way.

This may be the case, but, if my proposal is accepted, this can be fixed 
before mapped DNS64s need to stop translating mapped AAAAs into ISP 
specific NAT64 prefixes (i.e. before IPv6-only to IPv4 connectivity has 
to be reconciled with DNSsec).


> Also, this is completely unnecessary. The DNS64 can create the fake
> AAAA records from the A records just as easily as from mapped AAAA
> records,
> 
>> These DNS64s should also be ready to disable this replacement when 
>> DNSsec compatibility becomes desirable.

1. The proposal is not that DNS64s stop making synthetic AAAAs with 
ISP-specific prefixes when they do it with received As, it is that they 
ALSO do it with received AAAAs.

2. In my understanding, if (1) DNS64s stop making synthetic AAAAs, (2)
IPv4-only servers have no AAAAs in their DNS servers, then IPv6-only to 
IPv4-only connectivity is broken.


> A much simpler way to be compatible with DNSSEC is to simply update
> the DNSSEC validators. Since the DNS64 functionality is new, having
> an integrated DNS64/DNSSEC validator is not a deployment issue.
> DNSSEC validation on the hosts is virtually non-existant, so
> requiring an update to those is not the worst thing in the world and
> certainly easier than upgrading all IPv6 stacks to change their
> mapped address behavior.

In my understanding, if an intermediate DNS64 makes synthetic AAAAs, it 
necessarily breaks the DNSsec provided guarantee that an RR that is 
received does come from the DNS server of the host it points to.


> Note by the way that the idea of mapping the ::ffff:0:0/96 prefix to
> the NAT64 prefix has some merit, I've suggested things along these
> lines a while ago.

This IMHO supports that time has come to revisit this subject, to be 
sure very carefully, but without any paralyzing taboo.


> If a host doesn't have IPv4 connectivity it could perform this
> mapping, which has the advantage that real A records can be used and
> that the host thinks it's doing IPv4, not IPv6, so it can do stuff 
> like enabling IPv4 NAT traversal. But this should be done in the
> host, which knows if there is IPv4 connectivity or not.
> 
> On the other hand, may as well use the softwire stuff for this...

The SAM approach is proposed separately is IMHO in this direction, but 
this is another objective. The scenario for which specification of 
NAT64s and DNS64s is considered is, in my understanding, that of 
IPv4-only servers being reached by non-updated IPv6-only hosts 
(including by non-updated dual stack hosts having IPv6-only addresses).

Regards,

RD

v2.23.0 | Report a Bug | By Email