Re: [BEHAVE] DNSsec in IPv6-only-hosts & discarding mapped AAAAs in DNS64

"Dan Wing" <dwing@cisco.com> Tue, 12 May 2009 01:59 UTC


Rémi,

I have one more question about using v4-mapped as the well-known prefix for
the 6/4 translator.  It appears, based on Iljitsch's testing last summer [1]
that when Windows Vista or MacOS Leopard are configured as IPv6-only (that is,
no IPv4 address), they won't send a v4-mapped IPv6 packet at all.  This seems
a problem for using v4-mapped as the well-known prefix of the IPv6/IPv4
translator.

[1] http://www.ietf.org/mail-archive/web/int-area/current/msg01476.html


I do wonder, however, if configuring those hosts for IPv4 just to know about
127.0.0.1 would be sufficient for their IP stacks to emit v4-mapped IPv6
addresses.

Iljitsch, would you have time to test that idea, or would you know off-hand
the answer from previous testing you did?

-d

> -----Original Message-----
> From: Dan Wing [mailto:dwing@cisco.com]
> Sent: Thursday, May 07, 2009 1:16 PM
> To: 'Rémi Després'; 'Behave WG'
> Subject: RE: DNSsec in IPv6-only-hosts & discarding mapped AAAAs in DNS64
>
> > -----Original Message-----
> > From: Rémi Després [mailto:remi.despres@free.fr]
> > Sent: Thursday, May 07, 2009 3:32 AM
> > To: Dan Wing; Behave WG
> > Subject: Re: DNSsec in IPv6-only-hosts & discarding mapped AAAAs in DNS64
> >
> > Dan Wing  -  le (m/j/a) 5/7/09 3:26 AM:
> > > So, this means
> > >
> > > 1. all networks deploying a translator for IPv6-initiated scenarios
> > > (Scenario 1 and Scenario 5) would have to use the well-known prefix
> >
> > A.
> > The scenario being discussed is "connecting an IPv6 network to the IPv4
> > Internet", i.e. scenario (2) in Fred's draft on the Translation
> > Framework. (I must confess I am confused with scenarios identified by
> > numbers: Fred has only 4 of them.)
>
> Yes, sorry about that.
>
> I was going with the 4 we have in the charter,
> http://www.ietf.org/html.charters/behave-charter.html, and the
> other two defined by Dave Thaler in the Doodle poll,
> http://www.doodle.com/participation.html?pollId=9qsdgt8r6kqk6zty
>
> Our soon-to-be-updated charter will have all 6, because at
> the San Francisco meeting the clear consensus was to work on
> all 6.
>
> > B.
> > A network deploying a translator for IPv6-initiated scenarios should
> > route to its NAT64s all packets whose destination starts with:
> > - the prefix(es) chosen by the ISP for its NAT64s (an ISP-specific
> > prefix and/or, if a WKP different from that of mapped addresses is
> > standardized, this WKP)
>
> Ok.
>
> > - the mapped address prefix (or at least its 64 first bits, i.e. ::/64,
> > if /96 prefixes are not routed)
> >
> > > 2. all existing dual-stack hosts would see these published AAAA
> > > records, which would require those hosts to use a translator if the
> > > host OS or its application prefer IPv6 over IPv4.  What happens if
> > > there isn't a translator available to that user or its
> > > performance is poor?
> >
> > When mapped-address AAAAs start being published, dual-stack hosts are
> > expected to send datagrams having mapped addresses as destinations:
> > - in IPv4 if an IPv4 address is available at the interface
> > - in IPv6 otherwise (and then require a NAT64 to be provided by the ISP)
>
> Ok, thanks.
>
> So, I believe the timeframes would be aligned:  An ISP that offers
> only IPv6 addresses to subscribers will need to operate a translator
> to access IPv4 anyway.
>
> > > Are there other impacts, too?
> >
> > DNS64s:
> > - as long as dual-stack hosts cannot be expected to act as specified
> > above, MUST discard mapped address records;
>
> We would like dual-stack hosts to prefer native connectivity (rather
> than translated connectivity).
>
> > - after that, SHOULD forward them, at least if they are DNSsec signed.
> >
> > IPv6-only applications should not artificially block mapped-address
> > destinations.
>
> So applications and host OSs should ignore
> draft-itojun-v6ops-v4mapped-harmful, correct?
>
> > Does this answer your questions?
>
> Yes, thanks.  Much clearer now.
>
> And I see how this could work now.
>
> -d
>
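Added example, not part of the thread or of any BEHAVE implementation: a Python sketch of the two rules Rémi spells out, a DNS64 that discards (or, later, forwards) mapped-address AAAAs and otherwise synthesizes from the A RRset, and the edge-router check that sends a packet to the NAT64 when its destination falls in the ISP's translator prefix or in the mapped prefix (the full /96, or only ::/64 when /96 routes are not carried). The ISP prefix 2001:db8:64::/96 and all addresses are constructed sample values.

```python
import ipaddress
from typing import Iterable, List

# IPv4-mapped IPv6 prefix (::ffff:a.b.c.d), the "mapped address prefix" of the thread.
MAPPED_PREFIX = ipaddress.IPv6Network("::ffff:0:0/96")


def is_mapped(addr: str) -> bool:
    """True if an AAAA RDATA value is an IPv4-mapped IPv6 address."""
    return ipaddress.IPv6Address(addr) in MAPPED_PREFIX


def synthesize_aaaa(ipv4: str, nat64_prefix: str) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 translator prefix."""
    net = ipaddress.IPv6Network(nat64_prefix)
    if net.prefixlen != 96:
        raise ValueError("only /96 translator prefixes are handled here")
    embedded = int(net.network_address) | int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(embedded))


def dns64_answer(aaaa: Iterable[str], a: Iterable[str], nat64_prefix: str,
                 forward_mapped: bool = False) -> List[str]:
    """AAAA answer a DNS64 returns to an IPv6-only host.

    forward_mapped=False applies the transition rule from the thread ("MUST
    discard mapped address records"); True applies the later rule ("SHOULD
    forward them"). Remaining genuine AAAA records are returned as-is; only
    when none are left does the DNS64 synthesize records from the A RRset.
    """
    kept = [r for r in aaaa if forward_mapped or not is_mapped(r)]
    if kept:
        return kept
    return [synthesize_aaaa(r, nat64_prefix) for r in a]


def routes_to_nat64(dst: str, isp_prefixes: Iterable[str],
                    mapped_route_len: int = 96) -> bool:
    """Point B of the thread: forward to the NAT64 when the destination lies in
    an ISP-chosen (or WKP) translator prefix, or in the mapped prefix. When /96
    routes are not carried, mapped_route_len=64 matches on ::/64 instead."""
    dst_addr = ipaddress.IPv6Address(dst)
    mapped_route = ipaddress.IPv6Network(
        (int(MAPPED_PREFIX.network_address), mapped_route_len), strict=False)
    if dst_addr in mapped_route:
        return True
    return any(dst_addr in ipaddress.IPv6Network(p) for p in isp_prefixes)
```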