Re: [BEHAVE] DNSsec in IPv6-only-hosts & discarding mapped AAAAs in DNS64

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 06 May 2009 21:33 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5BD873A694E for <behave@core3.amsl.com>; Wed, 6 May 2009 14:33:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.788
X-Spam-Level:
X-Spam-Status: No, score=-1.788 tagged_above=-999 required=5 tests=[AWL=-0.429, BAYES_00=-2.599, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4iImpiOOXcoK for <behave@core3.amsl.com>; Wed, 6 May 2009 14:33:14 -0700 (PDT)
Received: from rv-out-0506.google.com (rv-out-0506.google.com [209.85.198.226]) by core3.amsl.com (Postfix) with ESMTP id 7B49A3A68C2 for <behave@ietf.org>; Wed, 6 May 2009 14:33:14 -0700 (PDT)
Received: by rv-out-0506.google.com with SMTP id g37so254183rvb.49 for <behave@ietf.org>; Wed, 06 May 2009 14:34:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :organization:user-agent:mime-version:to:cc:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=dAxHpYt4fFLLDDDn9lnzmkwQ4LUtNFdbv84t5KkB8TA=; b=hpriiW8FXhhKr0zSJ7V5KEMByX43ydFx90Q7LpdZbbgwkPnQx0+HS007Z8QK32i6Os rePKwV/j/3GPfi2J8fQk2DUJ2gQrC0wJKa3porpRfXOqTJBoFYnVFTJLbkoieB5noPJg JFF6uCIJMDn/l/zsluCXITGYHAGHTuWUS3D3Q=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; b=YMurC1tfLEnhE1sSoZ9fctpQRhYExeyybs8zjnSga4nEHZyCkY3z/c6mlI+5BUhTsR fiwudmPtP/xtzZBkcKoRoLybr0j8wQzCQuGcfl8QbykKS1flu7OAfA1J7R8KrkQuTB4u rv9n3owx9+gFLD6cDWAgpsBXgD/ISZinMVjpw=
Received: by 10.114.211.2 with SMTP id j2mr1730048wag.139.1241645680276; Wed, 06 May 2009 14:34:40 -0700 (PDT)
Received: from ?130.216.38.124? (stf-brian.sfac.auckland.ac.nz [130.216.38.124]) by mx.google.com with ESMTPS id f20sm13880672waf.52.2009.05.06.14.34.37 (version=SSLv3 cipher=RC4-MD5); Wed, 06 May 2009 14:34:39 -0700 (PDT)
Message-ID: <4A020269.40200@gmail.com>
Date: Thu, 07 May 2009 09:34:33 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Xu Xiaohu <xuxh@huawei.com>
References: <001401c9ce30$9105ac70$5e0c6f0a@china.huawei.com>
In-Reply-To: <001401c9ce30$9105ac70$5e0c6f0a@china.huawei.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: 'Behave WG' <behave@ietf.org>, 'Keith Moore' <moore@network-heretics.com>, 'Fred Baker' <fred@cisco.com>, 'Dan Wing' <dwing@cisco.com>
Subject: Re: [BEHAVE] DNSsec in IPv6-only-hosts & discarding mapped AAAAs in DNS64
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 May 2009 21:33:15 -0000

On 2009-05-06 21:53, Xu Xiaohu wrote:
> Sorry, there was a mistake in the previous email, please see the corrected
> text.
> 
> Besides the DNSSEC and P2P scenarios, the coexistence of IPv6-only hosts
> and dual-stack hosts within an IPv6 network is also a scenario in which it's
> better to allow the hosts, especially those DUAL-STACK hosts, to learn the
> prefix64 and synthesize the IPv6 addresses for destination IPv4 hosts on
> demand, rather than depending on the DNS64 to synthesize AAAA records from
> A records no matter whether the client is IPv6-only or dual-stack. Make sense?

Yes, but you're assuming that the IP stacks in the hosts can be modified
from basic (RFC 2460) behaviour. We certainly need to deal with hosts
that only contain a standard resolver, so a DNS64 remains essential
for that case.

We discussed this in draft-van-beijnum-v6ops-mnat-pt last year,
and I don't think the situation has changed much.

   Brian

> 
> Xiaohu
>  
> 
>> -----Original Message-----
>> From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org]
>> On Behalf Of Xu Xiaohu
>> Sent: 6 May 2009 17:43
>> To: 'Rémi Després'; 'Fred Baker'; 'Marcello Bagnulo Braun';
>> 'Iljitsch van Beijnum'; 'Dan Wing'; 'Keith Moore'; 'Behave WG'
>> Subject: Re: [BEHAVE] DNSsec in IPv6-only-hosts & discarding
>> mapped AAAAs in DNS64
>>
>>
>>
>>> O3: If a dual stack host (with both IPv6 and IPv4 enabled so that it
>>> really acts as dual stack) receives, for an IPv4-only server, both an
>>> A and a mapped-address AAAA, it should communicate in IPv4 as an
>>> effect of existing preferences (for IPv6 addresses over IPv4 addresses
>>> if both are available, and for the IPv4 stack over the IPv6 stack if
>>> the destination address is an IPv4 mapped address - according to
>>> RFCs 3484 and RFC 2553 respectively).
>> Besides the DNSSEC and P2P scenarios, the coexistence of
>> IPv6-only hosts and dual-stack hosts within an IPv6 network is
>> also a scenario in which it's better to allow the hosts,
>> especially those IPv6-only hosts, to learn the
>> prefix64 and synthesize the IPv6 addresses for destination
>> IPv4 hosts on demand, rather than depending on the DNS64 to
>> synthesize AAAA records from A records no matter whether the client
>> is IPv6-only or dual-stack. Make sense?
>>
>> Xiaohu
>>
>>> Rules proposed to reach the objective are as follows:
>>>
>>> (1) IN THE SHORT TERM:
>>>
>>> R1: DNS64s MUST silently discard mapped-address AAAAs they receive.
>>>
>>> R2: At the first (non urgent) opportunity, dual stack OSes that don't
>>> act as follows, MUST be updated to do it:
>>> (a) If IPv4 is enabled, datagrams presented at the socket interface
>>> with an IPv4 mapped-address as destination MUST be sent in IPv4
>>> (RFC 2553 sec 3.7)
>>> (b) If IPv4 is not enabled, these datagrams MUST be sent in IPv6.
>>> (Relinquishment of an old but unjustified taboo which seems to have
>>> prevented some OSes from acting this way.)
>>>
>>>
>>> (2) WHEN DUAL STACKS CAN REASONABLY BE EXPECTED TO COMPLY WITH R2 (no
>>> urgency)
>>>
>>> R3: IPv4-only hosts MAY start advertising mapped-address AAAAs in 
>>> their DNS servers (in addition to As).
>>>
>>> R4: Independently, DNS64s MAY start to forward mapped-address AAAAs
>>> (either all of them for simplicity or, if more selectively, ensuring
>>> that all those that are DNSsec signed are indeed forwarded).
>>>
>>>
>>>
>>> In my understanding, these (simple) rules are sufficient to 
>>> eventually reconcile NAT64s with DNSsec in IPv6-only hosts. 
>>> And they are so far the only ones I know for this.
>>>
>>> If the analysis is right, advice on how to proceed would be
>>> welcome. (A possibility would be to add appropriate sentences
>>> in draft-baker-behave-v4v6-framework and
>>> draft-bagnulo-behave-dns64.)
>>> If the analysis is wrong, it's IMHO worth understanding where.
>>>
>>>
>>> Regards,
>>>
>>> RD
>>>
>>> PS: apologies to addressees for the retransmission. I had
>>> forgotten the copy to the mailing list.
>>>
>>>
>>>
>>> _______________________________________________
>>> Behave mailing list
>>> Behave@ietf.org
>>> https://www.ietf.org/mailman/listinfo/behave
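The mechanics argued over in this thread (a DNS64 synthesizing AAAAs from A records behind a Pref64::/n, rule R1 dropping mapped-address AAAAs, and rule R2 choosing the stack for an IPv4-mapped destination) in working code. This is an added example, not text or code from any participant or from the drafts they cite. It assumes Python's standard ipaddress module, the Pref64 embedding layout and the well-known prefix 64:ff9b::/96 as later specified in RFC 6052 (published after this 2009 exchange), and the function names and record sets are mine and constructed for illustration.

```python
"""Added example (not from the thread): DNS64 synthesis, mapped-address
filtering (R1) and the host-side stack choice (R2) discussed above.

Assumptions: Python's standard ipaddress module; the Pref64::/n embedding
layout and the well-known prefix 64:ff9b::/96 from RFC 6052, which was
published after this 2009 thread; every record set below is constructed.
"""
import ipaddress
from typing import List, Union

# RFC 6052 well-known NAT64 prefix (assumption: the operator has not chosen
# its own Pref64::/n; if it has, this string is simply replaced).
WELL_KNOWN_PREF64 = "64:ff9b::/96"

Prefix = Union[str, ipaddress.IPv6Network]


def synthesize_aaaa(a_record: str, pref64: Prefix) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in Pref64::/n using the RFC 6052 layout.

    Allowed prefix lengths are 32/40/48/56/64/96. Byte 8 (bits 64-71, the
    "u" octet) must stay zero, so the IPv4 octets skip over it when they
    would straddle that position (prefix lengths 40, 48, 56 and 64).
    """
    net = ipaddress.IPv6Network(pref64) if isinstance(pref64, str) else pref64
    if net.prefixlen not in (32, 40, 48, 56, 64, 96):
        raise ValueError("Pref64 length must be one of 32/40/48/56/64/96")
    out = bytearray(net.network_address.packed)   # prefix bits, rest zeroed
    pos = net.prefixlen // 8
    for octet in ipaddress.IPv4Address(a_record).packed:
        if pos == 8:          # reserved "u" octet: leave it zero
            pos += 1
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))


def is_ipv4_mapped(aaaa: str) -> bool:
    """True for ::ffff:a.b.c.d, the IPv4-mapped form of RFC 2553 / RFC 4291."""
    return ipaddress.IPv6Address(aaaa).ipv4_mapped is not None


def dns64_answer(aaaa_records: List[str], a_records: List[str],
                 pref64: Prefix = WELL_KNOWN_PREF64) -> List[str]:
    """AAAA set a DNS64 returns to an IPv6-only client for one name.

    R1 from the thread: mapped-address AAAAs are silently dropped, because an
    IPv6-only host cannot send to ::ffff:a.b.c.d at all. Genuine AAAAs pass
    through untouched (they may be DNSSEC-signed and must still validate).
    Only when none remain is one AAAA synthesized per A record; those
    synthesized records carry no zone signature, which is exactly the DNSSEC
    difficulty the thread is about.
    """
    genuine = [r for r in aaaa_records if not is_ipv4_mapped(r)]
    if genuine:
        return genuine
    return [str(synthesize_aaaa(a, pref64)) for a in a_records]


def stack_for_destination(dst: str, ipv4_enabled: bool) -> str:
    """R2 from the thread, applied at the socket layer of a host.

    (a) IPv4 enabled and the destination is IPv4-mapped: send over IPv4
        (RFC 2553 section 3.7).
    (b) IPv4 disabled: send the datagram as native IPv6 instead of failing;
        an on-path NAT64 can then translate it.
    Any other destination, including a Pref64-synthesized one, is plain IPv6.
    """
    if is_ipv4_mapped(dst):
        return "IPv4" if ipv4_enabled else "IPv6"
    return "IPv6"


if __name__ == "__main__":
    # Constructed answer set for an IPv4-only server that also publishes a
    # mapped-address AAAA (the R3 situation from the thread).
    a = ["192.0.2.33"]
    print(dns64_answer(["::ffff:192.0.2.33"], a))                # ['64:ff9b::c000:221']
    print(dns64_answer(["2001:db8::1", "::ffff:192.0.2.33"], a))  # ['2001:db8::1']
    print(stack_for_destination("::ffff:192.0.2.33", ipv4_enabled=True))   # IPv4
    print(stack_for_destination("::ffff:192.0.2.33", ipv4_enabled=False))  # IPv6
```

The filter keeps the order of the original AAAA set and never rewrites a genuine record, so a validating stub on the IPv6-only host can still check the signed records; only the synthesized ones are unverifiable, which is why a host that learns the prefix and synthesizes locally (the alternative Xu Xiaohu raises) sidesteps the problem for validating clients.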