Re: [BEHAVE] DNSsec in IPv6-only-hosts & discarding mapped AAAAs in DNS64
"Dan Wing" <dwing@cisco.com> Tue, 12 May 2009 01:59 UTC
From: Dan Wing <dwing@cisco.com>
To: 'Rémi Després' <remi.despres@free.fr>, 'Behave WG' <behave@ietf.org>
References: <4A02B8B9.1000905@free.fr>
Date: Mon, 11 May 2009 19:00:47 -0700
Rémi,

I have one more question about using v4-mapped as the well-known prefix for the 6/4 translator. It appears, based on Iljitsch's testing last summer [1] that when Windows Vista or MacOS Leopard are configured as IPv6-only (that is, no IPv4 address), they won't send a v4-mapped IPv6 packet at all. This seems a problem for using v4-mapped as the well-known prefix of the IPv6/IPv4 translator.

[1] http://www.ietf.org/mail-archive/web/int-area/current/msg01476.html

I do wonder, however, if configuring those hosts for IPv4 just to know about 127.0.0.1 would be sufficient for their IP stacks to emit v4-mapped IPv6 addresses. Iljitsch, would you have time to test that idea, or would you know off-hand the answer from previous testing you did?

-d

> -----Original Message-----
> From: Dan Wing [mailto:dwing@cisco.com]
> Sent: Thursday, May 07, 2009 1:16 PM
> To: 'Rémi Després'; 'Behave WG'
> Subject: RE: DNSsec in IPv6-only-hosts & discarding mapped AAAAs in DNS64
>
> > -----Original Message-----
> > From: Rémi Després [mailto:remi.despres@free.fr]
> > Sent: Thursday, May 07, 2009 3:32 AM
> > To: Dan Wing; Behave WG
> > Subject: Re: DNSsec in IPv6-only-hosts & discarding mapped AAAAs in DNS64
> >
> > Dan Wing - le (m/j/a) 5/7/09 3:26 AM:
> > > So, this means
> > >
> > > 1. all networks deploying a translator for IPv6-initiated scenarios
> > > (Scenario 1 and Scenario 5) would have to use the well-known prefix
> >
> > A.
> > The scenario being discussed is "connecting an IPv6 network to the IPv4
> > Internet", i.e. scenario (2) in Fred's draft on the Translation
> > Framework. (I must confess I am confused with scenarios identified by
> > numbers: Fred has only 4 of them.)
>
> Yes, sorry about that.
>
> I was going with the 4 we have in the charter,
> http://www.ietf.org/html.charters/behave-charter.html, and the
> other two defined by Dave Thaler in the Doodle poll,
> http://www.doodle.com/participation.html?pollId=9qsdgt8r6kqk6zty
>
> Our soon-to-be-updated charter will have all 6, because at
> the San Francisco meeting the clear consensus was to work on
> all 6.
>
> > B.
> > A network deploying a translator for IPv6-initiated scenarios should
> > route to its NAT64s all packets whose destination start with:
> > - the prefix(es) chosen by the ISP for its NAT64s (an ISP-specific
> > prefix and/or, if a WKP different from that of mapped addresses is
> > standardized, this WKP)
>
> Ok.
>
> > - the mapped address prefix (or at least its 64 first bits, i.e. ::/64,
> > if /96 prefixes are not routed)
> >
> > > 2. all existing dual-stack hosts would see these published AAAA
> > > record, which would require those hosts to use a translator if the
> > > host OS or its application prefer IPv6 over IPv4. What happens if
> > > there isn't a translator available to that user or its
> > > performance is poor?
> >
> > When mapped-address AAAAs start being published, dual-stack hosts are
> > expected to send datagrams having mapped addresses as destinations:
> > - in IPv4 if an IPv4 address is available at the interface
> > - in IPv6 otherwise (and then require a NAT64 to be provided
> > by the ISP)
>
> Ok, thanks.
>
> So, I believe the timeframes would be aligned: An ISP that offers
> only IPv6 addresses to subscribers will need to operate a translator
> to access IPv4 anyway.
>
> > > Are there other impacts, too?
> >
> > DNS64s:
> > - as long as dual-stack hosts cannot be expected to act as specified
> > above, MUST discard mapped address records;
>
> We would like dual-stack hosts to prefer native connectivity (rather
> than translated connectivity).
>
> > - after that, SHOULD forward them, at least if they are DNSsec signed.
> >
> > IPv6-only applications should not artificially block mapped addresses
> > destinations.
>
> So applications and host OSs should ignore
> draft-itojun-v6ops-v4mapped-harmful, correct?
>
> > Does this answer your questions?
>
> Yes, thanks. Much clearer now.
>
> And I see how this could work now.
>
> -d
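
An added example, not part of the original message or of any DNS64/NAT64 implementation: a sketch of the two DNS64 phases and the NAT64 routing rule discussed in the quoted exchange. The `(address, signed)` record tuples, the ISP prefix `2001:db8:64::/96`, and the choice to keep discarding unsigned mapped records in the later phase are assumptions made for illustration.

```python
import ipaddress

# ::ffff:0:0/96 is the IPv4-mapped IPv6 prefix (RFC 4291).
V4_MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")
# Hypothetical ISP-specific NAT64 prefix, taken from the documentation range.
ISP_NAT64 = ipaddress.IPv6Network("2001:db8:64::/96")

# Constructed AAAA answers: (address, DNSSEC-signed?)
SAMPLE_AAAA = [
    ("2001:db8::1", False),
    ("::ffff:192.0.2.10", False),
    ("::ffff:198.51.100.7", True),
]


def is_v4_mapped(addr):
    """True if addr falls inside ::ffff:0:0/96."""
    return ipaddress.IPv6Address(addr) in V4_MAPPED


def dns64_filter(records, forward_signed=False):
    """Split AAAA answers into (kept, dropped) address lists.

    forward_signed=False: first phase, every mapped record is discarded.
    forward_signed=True:  later phase, DNSSEC-signed mapped records pass;
                          unsigned ones are still dropped (assumption).
    """
    kept, dropped = [], []
    for addr, signed in records:
        if is_v4_mapped(addr) and not (forward_signed and signed):
            dropped.append(addr)
        else:
            kept.append(addr)
    return kept, dropped


def routed_to_nat64(dst, prefixes=(ISP_NAT64, V4_MAPPED)):
    """True if dst starts with a prefix the network steers to its NAT64s."""
    ip = ipaddress.IPv6Address(dst)
    return any(ip in prefix for prefix in prefixes)


if __name__ == "__main__":
    print("phase 1:", dns64_filter(SAMPLE_AAAA))
    print("phase 2:", dns64_filter(SAMPLE_AAAA, forward_signed=True))
    for dst in ("::ffff:192.0.2.10", "2001:db8:64::c000:20a", "2001:db8::1"):
        print(dst, "-> NAT64" if routed_to_nat64(dst) else "-> native IPv6")
```
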