Re: [BEHAVE] DNSsec in IPv6-only-hosts & discarding mapped AAAAs in DNS64
"Dan Wing" <dwing@cisco.com> Thu, 07 May 2009 20:14 UTC
Return-Path: <dwing@cisco.com>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1CD473A69E4 for <behave@core3.amsl.com>; Thu, 7 May 2009 13:14:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.238
X-Spam-Level:
X-Spam-Status: No, score=-6.238 tagged_above=-999 required=5 tests=[AWL=0.061, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vAiyBormglhN for <behave@core3.amsl.com>; Thu, 7 May 2009 13:14:23 -0700 (PDT)
Received: from sj-iport-1.cisco.com (sj-iport-1.cisco.com [171.71.176.70]) by core3.amsl.com (Postfix) with ESMTP id 02C8C3A683D for <behave@ietf.org>; Thu, 7 May 2009 13:14:23 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.40,312,1238976000"; d="scan'208";a="182455089"
Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-1.cisco.com with ESMTP; 07 May 2009 20:15:51 +0000
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id n47KFpi6006771; Thu, 7 May 2009 13:15:51 -0700
Received: from dwingwxp01 ([10.32.240.197]) by sj-core-1.cisco.com (8.13.8/8.13.8) with ESMTP id n47KFpfZ017745; Thu, 7 May 2009 20:15:51 GMT
From: Dan Wing <dwing@cisco.com>
To: 'Rémi Després' <remi.despres@free.fr>, 'Behave WG' <behave@ietf.org>
References: <4A02B8B9.1000905@free.fr>
Date: Thu, 07 May 2009 13:15:51 -0700
Message-ID: <004701c9cf50$9e3f1f40$c5f0200a@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
In-Reply-To: <4A02B8B9.1000905@free.fr>
Thread-Index: AcnO/yY4v9nyq6xuSWqA5yf/uDQFYgAT9XqQ
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=3023; t=1241727351; x=1242591351; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@cisco.com; z=From:=20=22Dan=20Wing=22=20<dwing@cisco.com> |Subject:=20RE=3A=20DNSsec=20in=20IPv6-only-hosts=20=20&=20 discarding=20=20mapped=20AAAAs=20in=20DNS64 |Sender:=20; bh=j8QYhWYCUg4tZkenlB8ayiltSS1yVf1UW4K1obnFP1w=; b=PC8Gn6chWOMMAs3VM6hBNfGGWZnbZ6damLhjaud4wwDwIaHfRFLv2oMBtL q6ctkQ5oba0B+VSzCctEmCi1m/DFkfPF/iOTOpCnMHlb6ohBMEu8bpH6S7kz Uj50fQ5kXQ;
Authentication-Results: sj-dkim-3; header.From=dwing@cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
Subject: Re: [BEHAVE] DNSsec in IPv6-only-hosts & discarding mapped AAAAs in DNS64
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 May 2009 20:14:24 -0000
> -----Original Message----- > From: Rémi Després [mailto:remi.despres@free.fr] > Sent: Thursday, May 07, 2009 3:32 AM > To: Dan Wing; Behave WG > Subject: Re: DNSsec in IPv6-only-hosts & discarding mapped > AAAAs in DNS64 > > Dan Wing - le (m/j/a) 5/7/09 3:26 AM: > > So, this means > > > > 1. all networks deploying a translator for IPv6-initiated scenarios > > (Scenario 1 and Scenario 5) would have to use the well-known prefix > > A. > The scenario being discussed is "connecting an IPv6 network > to the IPv4 > Internet", i.e. scenario (2) in Fred's draft on the Translation > Framework. (I must confess I am confused with scenarios identified by > numbers: Fred has only 4 of them.) Yes, sorry about that. I was going with the 4 we have in the charter, http://www.ietf.org/html.charters/behave-charter.html, and the other two defined by Dave Thaler in the Doodle poll, http://www.doodle.com/participation.html?pollId=9qsdgt8r6kqk6zty Our soon-to-be-updated charter will have all 6, because at the San Francisco meeting the clear consensus was to work on all 6. > B. > A network deploying a translator for IPv6-initiated scenarios should > route to its NAT64s all packets whose destination start with: > - the prefix(es) chosen by the ISP for its NAT64s (an ISP-specific > prefix and/or, if a WKP different from that of mapped addresses is > standardized, this WKP ) Ok. > - the mapped address prefix (or at least its 64 first bits, > i.e. ::/64, > if /96 prefixes are not routed) > > > 2. all existing dual-stack hosts would see these published AAAA > > record, which would require those hosts to use a translator if the > > host OS or its application prefer IPv6 over IPv4. What happens if > > there isn't a translator available to that user or its > > performance is poor? > > When mapped-address AAAAs start being published, dual-stack hosts are > expected to send datagrams having mapped addresses as destinations: > - in IPv4 if an IPv4 address is available at the interface > - in IPv6 otherwise (and then require a NAT64 to be provided > by the ISP) Ok, thanks. So, I believe the timeframes would be aligned: An ISP that offers only IPv6 addresses to subscribers will need to operate a translator to access IPv4 anyway. > > Are there other impacts, too? > > DNS64s: > - as long as dual-stack hosts cannot be expected to act as specified > above, MUST discard mapped address records; We would like dual-stack hosts to prefer native connectivity (rather than translated connectivity). > - after that, SHOULD forward them, at least if they are DNSsec signed. > > IPv6-only applications should not artificially block mapped addresses > destinations. So applications and host OSs should ignore draft-itojun-v6ops-v4mapped-harmful, correct? > Does this answer your questions? Yes, thanks. Much clearer now. And I see how this could work now. -d
- [BEHAVE] DNSsec in IPv6-only-hosts & discarding m… Rémi Després
- Re: [BEHAVE] DNSsec in IPv6-only-hosts & discardi… Rémi Després
- Re: [BEHAVE] DNSsec in IPv6-only-hosts & discardi… Xu Xiaohu
- Re: [BEHAVE] DNSsec in IPv6-only-hosts & discardi… Xu Xiaohu
- Re: [BEHAVE] DNSsec in IPv6-only-hosts & discardi… Rémi Després
- Re: [BEHAVE] DNSsec in IPv6-only-hosts & discardi… Mark Andrews
- Re: [BEHAVE] DNSsec in IPv6-only-hosts & discardi… Brian E Carpenter
- Re: [BEHAVE] DNSsec in IPv6-only-hosts & discardi… Dan Wing
- Re: [BEHAVE] DNSsec in IPv6-only-hosts & discardi… Xu Xiaohu
- Re: [BEHAVE] DNSsec in IPv6-only-hosts & discardi… Rémi Després
- Re: [BEHAVE] DNSsec in IPv6-only-hosts & discardi… Rémi Després
- Re: [BEHAVE] DNSsec in IPv6-only-hosts & discardi… Dan Wing
- Re: [BEHAVE] DNSsec in IPv6-only-hosts & discardi… Rémi Després
- Re: [BEHAVE] DNSsec in IPv6-only-hosts & discardi… William Waites
- Re: [BEHAVE] DNSsec in IPv6-only-hosts & discardi… Dan Wing
- Re: [BEHAVE] DNSsec in IPv6-only-hosts & discardi… Rémi Després
- Re: [BEHAVE] DNSsec in IPv6-only-hosts & discardi… Rémi Després
- Re: [BEHAVE] DNSsec in IPv6-only-hosts & discardi… William Waites
- Re: [BEHAVE] DNSsec in IPv6-only-hosts & discardi… Rémi Després
- Re: [BEHAVE] DNSsec in IPv6-only-hosts & discardi… William Waites
- [BEHAVE] Question on DNS64 Gabor Bajko
- Re: [BEHAVE] DNSsec in IPv6-only-hosts & discardi… Xuewei Wang
- Re: [BEHAVE] Question on DNS64 Dave Thaler