IETF Logo Mail Archive

Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues

Klaus Frank <klaus.frank@posteo.de> Thu, 10 February 2022 16:41 UTC

Return-Path: <klaus.frank@posteo.de>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 261633A0C21 for <behave@ietfa.amsl.com>; Thu, 10 Feb 2022 08:41:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.1
X-Spam-Level:
X-Spam-Status: No, score=-7.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=posteo.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 95B_r4s2Pm29 for <behave@ietfa.amsl.com>; Thu, 10 Feb 2022 08:41:51 -0800 (PST)
Received: from mout01.posteo.de (mout01.posteo.de [185.67.36.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84DD93A0C1E for <behave@ietf.org>; Thu, 10 Feb 2022 08:41:51 -0800 (PST)
Received: from submission (posteo.de [185.67.36.169]) by mout01.posteo.de (Postfix) with ESMTPS id CCF7B240026 for <behave@ietf.org>; Thu, 10 Feb 2022 17:41:47 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017; t=1644511307; bh=7KtETwE8ZHhKGN9UqgXgU5rkLzbbBC8UbcPbna7Nz5A=; h=Date:Subject:To:From:From; b=WFCEU2J6ReX4N2mOUQ/5eH8KhsCxK+7APo/wdI4t8fTK40OrkJgEqFeWMfvx1tMC/ 2C14Q4ACjkf9/tLX4gcRuWRqaxccz1LG8LTrLdTRkeIoVByEz6bRAnLus747j/G+/H RzLsODWNo4slQyGFnTJB8hSm2A4WTY8fEI2yWAiBSMs9JpPeU0hAjOJbfuuhWYCToh zkjnr+5w4kfTbURfaaUR3egqwPvPgIHAaKUmMg1DNODDCDzqbFd/JxoE/Nd4VWVya3 81qAIGiE+dGdGM5LiNcbvYT4bpvVT9Q//y7J2+YYHbl5xoSpGK5ZKqMCfnsF34Pkb7 jPmx+adbCezqw==
Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4JvjFQ5c7mz9rxF for <behave@ietf.org>; Thu, 10 Feb 2022 17:41:46 +0100 (CET)
Message-ID: <c4d9a8e5-0b4d-9abf-832d-5a72c8ee1391@posteo.de>
Date: Thu, 10 Feb 2022 16:41:44 +0000
MIME-Version: 1.0
Content-Language: de-DE
To: behave@ietf.org
References: <45e423cc-4095-cca2-bf8c-aa15e977b19c@posteo.de> <ff858dee-a21a-a50d-72a5-da7915ac2de4@network-heretics.com> <71b5cdb0-78af-0f77-debc-84e178fe5e3a@posteo.de> <7a008cc2-e8a3-f91d-c782-96866c36a9db@network-heretics.com> <ee760818-a3c4-3755-6bdf-afcec6fcaaad@posteo.de> <B7DFC369-E7B7-4171-9C85-F75986B5AEF6@gmail.com> <6123a322-e9a7-7f90-391f-9b4c4461ce45@network-heretics.com> <e95993e4-4166-4b3d-1637-8ca451b093b6@huitema.net> <7b7cf541-3387-6d0b-0fbe-273a08fd37ed@posteo.de> <0d18c171-f713-4590-d9a6-3c5729a3384c@huitema.net> <a4dbfa8c-abb4-e4e7-e53c-d7f54a2e5bf9@posteo.de> <50b919ba-22e5-cfd0-5e44-b905d42c50b7@it.uc3m.es> <8c10d7d6-ad60-2373-c809-1b75b8d1448c@huitema.net> <0f31d5ce-fae5-1673-3b9b-15341c8b052e@it.uc3m.es> <c38f50da-8a0f-c15e-2938-1d33c3620e50@huitema.net> <4b4ef08b-e08f-6e12-d884-211b0c74d9c7@it.uc3m.es> <bd0c66c5-527e-9af1-62c0-51398f8fc6ec@huitema.net>
From: Klaus Frank <klaus.frank@posteo.de>
In-Reply-To: <bd0c66c5-527e-9af1-62c0-51398f8fc6ec@huitema.net>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms030606090008050304000607"
Archived-At: <https://mailarchive.ietf.org/arch/msg/behave/7O79asKdpVz0JJOuG-Hq829I28c>
Subject: Re: [BEHAVE] RFC6147 and RFC7208 interoperability issues
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Feb 2022 16:41:56 -0000

On 2022-02-10 16:35, Christian Huitema wrote:
>
> On 2/9/2022 11:38 PM, marcelo bagnulo braun wrote:
>> El 10/2/22 a las 8:27, Christian Huitema escribió:
>>>
>>> On 2/9/2022 11:07 PM, marcelo bagnulo braun wrote:
>>>
>>>> El 7/2/22 a las 19:03, Christian Huitema escribió:
>>>>>
>>>>>
>>>>> On 2/6/2022 10:34 PM, marcelo bagnulo braun wrote:
>>>>>> El 7/2/22 a las 3:48, Klaus Frank escribió:
>>>>>>> The DNS64 server could be this secure DNS.
>>>>>>
>>>>>> This would consistent with the deployment scenario presented in 
>>>>>> section 7.1 of RFC6147. 
>>>>>
>>>>>
>>>>> Maybe. But the situation has changed since April 2011. ISPs cannot 
>>>>> any more assume that all hosts will be using the resolver embedded 
>>>>> in the NAT64 gateway -- some hosts, or some applications, may very 
>>>>> well use some alternate encrypted DNS service, e.g., using DoH and 
>>>>> connect to Quad9, Cloudflare or Google. The cases describe in 
>>>>> section 6 of RFC6147 are going to be more and more frequent. We 
>>>>> should make them work, and we should tell application developers 
>>>>> about that.
>>>>>
>>>> DNS64 doesnt have to be collocated withthe NAT64 box.
>>>>
>>>> The scenario 7.1 still holds in case the user is using an external 
>>>> reoslver, such as cloudflare. The thing is that the external 
>>>> resolver must then implement the DNS64.
>>>
>>> How does the external resolver know when it should implement DNS64 
>>> and when it shouldn't?
>>>
>>
>> I would assume that the external resolver provider makes public which 
>> resolver instances implement DNS64 and which do not and the clients 
>> select accordingly?
>>
>> I guess another alternative would be for the resolver to do dns64 for 
>> cusotmers connecting through IPv6 and obtain replies that return only 
>> A RR, but this sounds like a bad idea to me....
>
> I agree that having the cloud server try to guess whether the client 
> needs DNS64 or not is a recipe for trouble. This means the client will 
> have to connect to something like "dns64.example.net" instead of the 
> regular "dns.example.net". But then, that requires the client to 
> actively change the DNS resolver parameters because it "knows" that it 
> is behind a DNS64 gateway. And when we say client here, it may be some 
> application, not just the DNS resolver in the operating system. 
> Compared to that, changing the SPF code is rather simple: if the SPF 
> code complain that the source IP is not in the authorized MTA address 
> list, check whether the offending address starts with WKP, and if yes 
> check whether the IPv4 address embedded behind the WKP prefix is in 
> the authorized list.
And how would you push that change down the line via e.g. DHCP, mDNS or 
similar? That's what you can do with DNS64 servers but not with "NAT64 
wareness in code"
>
> -- Christian Huitema
>
>
> _______________________________________________
> Behave mailing list
> Behave@ietf.org
> https://www.ietf.org/mailman/listinfo/behave

v2.23.0 | Report a Bug | By Email