Re: [BEHAVE] DNSsec in IPv6-only-hosts & discarding mapped AAAAs in DNS64
Xu Xiaohu <xuxh@huawei.com> Thu, 07 May 2009 02:31 UTC
Return-Path: <xuxh@huawei.com>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 398453A6C8E for <behave@core3.amsl.com>; Wed, 6 May 2009 19:31:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.695
X-Spam-Level: **
X-Spam-Status: No, score=2.695 tagged_above=-999 required=5 tests=[AWL=-0.839, BAYES_00=-2.599, CN_BODY_35=0.339, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, MIME_CHARSET_FARAWAY=2.45, RDNS_NONE=0.1, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LVsGv0jQ4DWE for <behave@core3.amsl.com>; Wed, 6 May 2009 19:31:38 -0700 (PDT)
Received: from szxga02-in.huawei.com (unknown [119.145.14.65]) by core3.amsl.com (Postfix) with ESMTP id E43333A68DF for <behave@ietf.org>; Wed, 6 May 2009 19:31:09 -0700 (PDT)
Received: from huawei.com (szxga02-in [172.24.2.6]) by szxga02-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0KJ900FLZ5Q2WJ@szxga02-in.huawei.com> for behave@ietf.org; Thu, 07 May 2009 10:32:27 +0800 (CST)
Received: from x41208a ([10.111.12.94]) by szxga02-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTPA id <0KJ900CND5Q2QY@szxga02-in.huawei.com> for behave@ietf.org; Thu, 07 May 2009 10:32:26 +0800 (CST)
Date: Thu, 07 May 2009 10:32:26 +0800
From: Xu Xiaohu <xuxh@huawei.com>
In-reply-to: <4A020269.40200@gmail.com>
To: 'Brian E Carpenter' <brian.e.carpenter@gmail.com>
Message-id: <000a01c9cebc$0f759f30$5e0c6f0a@china.huawei.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
X-Mailer: Microsoft Office Outlook 11
Content-type: text/plain; charset="gb2312"
Content-transfer-encoding: quoted-printable
Thread-index: AcnOknuKreEVNNeYRo+GmQ85ZjsTywAKO5og
Cc: 'Behave WG' <behave@ietf.org>, 'Keith Moore' <moore@network-heretics.com>, 'Dan Wing' <dwing@cisco.com>, 'Fred Baker' <fred@cisco.com>
Subject: Re: [BEHAVE] DNSsec in IPv6-only-hosts & discarding mapped AAAAs in DNS64
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 May 2009 02:31:39 -0000
> -----Original Message-----
> From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org]
> On Behalf Of Brian E Carpenter
> Sent: May 7, 2009 5:35
> To: Xu Xiaohu
> Cc: 'Behave WG'; 'Keith Moore'; 'Fred Baker'; 'Dan Wing'
> Subject: Re: [BEHAVE] DNSsec in IPv6-only-hosts & discarding
> mapped AAAAs in DNS64
>
> On 2009-05-06 21:53, Xu Xiaohu wrote:
> > Sorry, there was a mistake in the previous email, please see the
> > corrected text.
> >
> > Except for the DNSSEC and P2P scenarios, the coexistence of IPv6-only
> > hosts and dual-stack hosts within an IPv6 network is also a scenario in
> > which it's better to allow the hosts, especially those DUAL-STACK
> > hosts, to learn the prefix64 and synthesize the IPv6 addresses for
> > destination IPv4 hosts on demand, rather than depending on the DNS64
> > to synthesize AAAA records from A records no matter whether the client
> > is IPv6-only or dual-stack. Make sense?
>
> Yes, but you're assuming that the IP stacks in the hosts can
> be modified from basic (RFC2460) behaviour. We certainly need
> to deal with hosts that only contain a standard resolver, so
> a DNS64 remains essential for that case.

Yes, both of them have their own application scenarios.

> We discussed this in draft-van-beijnum-v6ops-mnat-pt last
> year, and I don't think the situation has changed much.

Thanks for this information.

Xiaohu

> >
> > Xiaohu
> >
> >
> >> -----Original Message-----
> >> From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org]
> >> On Behalf Of Xu Xiaohu
> >> Sent: May 6, 2009 17:43
> >> To: 'Rémi Després'; 'Fred Baker'; 'Marcello Bagnulo Braun';
> >> 'Iljitsch van Beijnum'; 'Dan Wing'; 'Keith Moore'; 'Behave WG'
> >> Subject: Re: [BEHAVE] DNSsec in IPv6-only-hosts & discarding
> >> mapped AAAAs in DNS64
> >>
> >>
> >>
> >>> O3: If a dual stack host (with both IPv6 and IPv4 enabled so that it
> >>> really acts as dual stack) receives, for an IPv4-only server, both an
> >>> A and a mapped-address AAAA, it should communicate in IPv4 as an
> >>> effect of existing preferences (for IPv6 addresses over IPv4
> >>> addresses if both are available, and for the IPv4 stack over the
> >>> IPv6 stack if the destination address is an IPv4 mapped address -
> >>> according to RFC 3484 and RFC 2553 respectively).
> >>
> >> Except for the DNSSEC and P2P scenarios, the coexistence of IPv6-only
> >> hosts and dual-stack hosts within an IPv6 network is also a scenario
> >> in which it's better to allow the hosts, especially those IPv6-only
> >> hosts, to learn the prefix64 and synthesize the IPv6 addresses for
> >> destination IPv4 hosts on demand, rather than depending on the DNS64
> >> to synthesize AAAA records from A records no matter whether the client
> >> is IPv6-only or dual stack. Make sense?
> >>
> >> Xiaohu
> >>
> >>> Rules proposed to reach the objective are as follows:
> >>>
> >>> (1) IN THE SHORT TERM:
> >>>
> >>> R1: DNS64s MUST silently discard mapped-address AAAAs they receive.
> >>>
> >>> R2: At the first (non urgent) opportunity, dual stack OSes that
> >>> don't act as follows MUST be updated to do it:
> >>> (a) If IPv4 is enabled, datagrams presented at the socket interface
> >>> with an IPv4 mapped-address as destination MUST be sent in IPv4
> >>> (RFC 2553 sec 3.7)
> >>> (b) If IPv4 is not enabled, these datagrams MUST be sent in IPv6.
> >>> (Relinquishment of an old but unjustified taboo which seems to have
> >>> prevented some OSes from acting this way.)
> >>>
> >>>
> >>> (2) WHEN DUAL STACKS CAN REASONABLY BE EXPECTED TO COMPLY WITH R2
> >>> (no urgency)
> >>>
> >>> R3: IPv4-only hosts MAY start advertising mapped-address AAAAs in
> >>> their DNS servers (in addition to As).
> >>>
> >>> R4: Independently, DNS64s MAY start to forward mapped-address AAAAs
> >>> (either all of them for simplicity or, if more selectively, ensuring
> >>> that all those that are DNSsec signed are indeed forwarded).
> >>>
> >>>
> >>>
> >>> In my understanding, these (simple) rules are sufficient to
> >>> eventually reconcile NAT64s with DNSsec in IPv6-only hosts.
> >>> And they are so far the only ones I know for this.
> >>>
> >>> If the analysis is right, advice on how to proceed would be
> >>> welcome. (A possibility would be to add appropriate sentences in
> >>> draft-baker-behave-v4v6-framework and draft-bagnulo-behave-dns64.)
> >>> If the analysis is wrong, it's IMHO worth understanding where.
> >>>
> >>>
> >>> Regards,
> >>>
> >>> RD
> >>>
> >>> PS: apologies to addressees for the retransmission. I had forgotten
> >>> the copy to the mailing list.
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> Behave mailing list
> >>> Behave@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/behave
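The thread discusses three mechanisms: a DNS64 synthesizing AAAA records from A records using a prefix64, rule R1 (a DNS64 silently discarding IPv4-mapped AAAAs it receives), and rule R2 (a dual-stack host sending datagrams addressed to an IPv4-mapped address over IPv4 when IPv4 is enabled, over IPv6 otherwise). The following Python is an added illustration of those three behaviours and is not code from the thread or from any of the drafts it mentions. The prefix64 value `2001:db8:64::/96` is a constructed documentation prefix; a real deployment configures its own, and the same `synthesize_aaaa()` is what a host would run locally if it learned the prefix64 itself, as the reply suggests.

```python
import ipaddress

# Constructed prefix64 for illustration only (not from the thread).
# It must be a /96 so the whole 32-bit IPv4 address fits in the low bits.
PREF64 = ipaddress.IPv6Network("2001:db8:64::/96")

# IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) live in this /96.
MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")


def synthesize_aaaa(pref64, ipv4):
    """DNS64-style synthesis: place the IPv4 address in the low 32 bits of pref64."""
    if pref64.prefixlen != 96:
        raise ValueError("this example only handles a /96 prefix64")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(pref64.network_address) | int(v4))


def is_mapped_aaaa(addr):
    """True if addr is an IPv4-mapped IPv6 address."""
    return ipaddress.IPv6Address(addr) in MAPPED


def filter_aaaa(aaaa_records):
    """Rule R1: silently discard mapped-address AAAAs received from upstream."""
    return [r for r in aaaa_records if not is_mapped_aaaa(r)]


def answer_aaaa(pref64, aaaa_records, a_records):
    """AAAA answer a DNS64 hands to an IPv6-only client.

    Genuine AAAAs (after R1 filtering) are forwarded unchanged; only when
    none remain does the DNS64 synthesize AAAAs from the A records.
    """
    real = filter_aaaa(aaaa_records)
    if real:
        return [str(ipaddress.IPv6Address(r)) for r in real]
    return [str(synthesize_aaaa(pref64, a)) for a in a_records]


def choose_stack(destination, ipv4_enabled):
    """Rule R2: which stack a dual-stack host uses for a given destination.

    An IPv4-mapped destination goes out over IPv4 when IPv4 is enabled and
    over IPv6 when it is not; any other IPv6 destination goes out over IPv6.
    """
    if is_mapped_aaaa(destination):
        return "IPv4" if ipv4_enabled else "IPv6"
    return "IPv6"


if __name__ == "__main__":
    # Constructed sample records: an IPv4-only server that publishes an A
    # record plus a mapped-address AAAA (the R3 case from the thread).
    upstream_aaaa = ["::ffff:198.51.100.7"]
    upstream_a = ["198.51.100.7"]
    print("DNS64 answer:", answer_aaaa(PREF64, upstream_aaaa, upstream_a))
    print("dual-stack, IPv4 on :", choose_stack("::ffff:198.51.100.7", True))
    print("dual-stack, IPv4 off:", choose_stack("::ffff:198.51.100.7", False))
```

Note that `answer_aaaa()` drops the mapped AAAA before deciding whether to synthesize, so an IPv6-only client never sees a `::ffff:` address it cannot route, while a genuine AAAA from a dual-stack server passes through untouched; this is the distinction the thread draws between R1 and the later, optional R4.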