Re: [BEHAVE] DNSsec in IPv6-only-hosts & discarding mapped AAAAs in DNS64

Xu Xiaohu <xuxh@huawei.com> Thu, 07 May 2009 02:31 UTC

Return-Path: <xuxh@huawei.com>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 398453A6C8E for <behave@core3.amsl.com>; Wed, 6 May 2009 19:31:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.695
X-Spam-Level: **
X-Spam-Status: No, score=2.695 tagged_above=-999 required=5 tests=[AWL=-0.839, BAYES_00=-2.599, CN_BODY_35=0.339, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, MIME_CHARSET_FARAWAY=2.45, RDNS_NONE=0.1, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LVsGv0jQ4DWE for <behave@core3.amsl.com>; Wed, 6 May 2009 19:31:38 -0700 (PDT)
Received: from szxga02-in.huawei.com (unknown [119.145.14.65]) by core3.amsl.com (Postfix) with ESMTP id E43333A68DF for <behave@ietf.org>; Wed, 6 May 2009 19:31:09 -0700 (PDT)
Received: from huawei.com (szxga02-in [172.24.2.6]) by szxga02-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0KJ900FLZ5Q2WJ@szxga02-in.huawei.com> for behave@ietf.org; Thu, 07 May 2009 10:32:27 +0800 (CST)
Received: from x41208a ([10.111.12.94]) by szxga02-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTPA id <0KJ900CND5Q2QY@szxga02-in.huawei.com> for behave@ietf.org; Thu, 07 May 2009 10:32:26 +0800 (CST)
Date: Thu, 07 May 2009 10:32:26 +0800
From: Xu Xiaohu <xuxh@huawei.com>
In-reply-to: <4A020269.40200@gmail.com>
To: 'Brian E Carpenter' <brian.e.carpenter@gmail.com>
Message-id: <000a01c9cebc$0f759f30$5e0c6f0a@china.huawei.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
X-Mailer: Microsoft Office Outlook 11
Content-type: text/plain; charset="gb2312"
Content-transfer-encoding: quoted-printable
Thread-index: AcnOknuKreEVNNeYRo+GmQ85ZjsTywAKO5og
Cc: 'Behave WG' <behave@ietf.org>, 'Keith Moore' <moore@network-heretics.com>, 'Dan Wing' <dwing@cisco.com>, 'Fred Baker' <fred@cisco.com>
Subject: Re: [BEHAVE] DNSsec in IPv6-only-hosts & discarding mapped AAAAs in DNS64
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 May 2009 02:31:39 -0000

> -----Original Message-----
> From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org]
> On Behalf Of Brian E Carpenter
> Sent: 7 May 2009 5:35
> To: Xu Xiaohu
> Cc: 'Behave WG'; 'Keith Moore'; 'Fred Baker'; 'Dan Wing'
> Subject: Re: [BEHAVE] DNSsec in IPv6-only-hosts & discarding
> mapped AAAAs in DNS64
> 
> On 2009-05-06 21:53, Xu Xiaohu wrote:
> > Sorry, there was a mistake in the previous email, please see the 
> > corrected text.
> > 
> > Except for the DNSSEC and P2P scenarios, the coexistence of IPv6-only
> > hosts and dual-stack hosts within an IPv6 network is also a scenario in
> > which it's better to allow the hosts, especially those DUAL-STACK
> > hosts, to learn the prefix64 and synthesize the IPv6 addresses for
> > destination IPv4 hosts on demand, rather than depending on the DNS64 to
> > synthesize AAAA records from A records no matter whether the client is
> > IPv6-only or dual-stack. Make sense?
> 
> Yes, but you're assuming that the IP stacks in the hosts can 
> be modified from basic (RFC2460) behaviour. We certainly need 
> to deal with hosts that only contain a standard resolver, so 
> a DNS64 remains essential for that case.

Yes, both of them have their own application scenarios.
 
> We discussed this in draft-van-beijnum-v6ops-mnat-pt last 
> year, and I don't think the situation has changed much.

Thanks for this information.

Xiaohu

> 
> > 
> > Xiaohu
> >  
> > 
> >> -----Original Message-----
> >> From: behave-bounces@ietf.org [mailto:behave-bounces@ietf.org]
> >> On Behalf Of Xu Xiaohu
> >> Sent: 6 May 2009 17:43
> >> To: 'Rémi Després'; 'Fred Baker'; 'Marcello Bagnulo Braun';
> >> 'Iljitsch van Beijnum'; 'Dan Wing'; 'Keith Moore'; 'Behave WG'
> >> Subject: Re: [BEHAVE] DNSsec in IPv6-only-hosts & discarding
> >> mapped AAAAs in DNS64
> >>
> >>
> >>
> >>> O3: If a dual stack host (with both IPv6 and IPv4 enabled
> >> so that it
> >>> really acts as dual stack) receives, for an IPv4-only
> >> server, both an
> >>> A and a mapped-address AAAA, it should communicate in IPv4 as an 
> >>> effect of existing preferences (for
> >>> IPv6 addresses over IPv4 addresses if both are available,
> >> and for the
> >>> IPv4 stack over the IPv6 stack if the destination address
> >> is an IPv4
> >>> mapped address - according to RFCs 3484 and RFC 2553 
> respectively).
> >> Except for the DNSSEC and P2P scenarios, the coexistence of IPv6-only
> >> hosts and dual-stack hosts within an IPv6 network is also a scenario
> >> in which it's better to allow the hosts, especially those IPv6-only
> >> hosts, to learn the prefix64 and synthesize the IPv6 addresses for
> >> destination IPv4 hosts on demand, rather than depending on the DNS64
> >> to synthesize AAAA records from A records no matter whether the
> >> client is IPv6-only or dual-stack. Make sense?
> >>
> >> Xiaohu
> >>
> >>> Rules proposed to reach the objective are as follows:
> >>>
> >>> (1) IN THE SHORT TERM:
> >>>
> >>> R1: DNS64s MUST silently discard mapped-address AAAAs 
> they receive.
> >>>
> >>> R2: At the first (non urgent) opportunity, dual stack OSes
> >> that don't
> >>> act as follows, MUST be updated to do it:
> >>> (a) If IPv4 is enabled, datagrams presented at the socket 
> interface 
> >>> with an IPv4 mapped-address as destination MUST be sent in
> >> IPv4 (RFC
> >>> 2553 sec
> >>> 3.7)
> >>> (b) If IPv4 is not enabled, these datagrams MUST be sent in IPv6.
> >>> (Relinquishment of an old but unjustified taboo which seems to have
> >>> prevented some OSes from acting this way.)
> >>>
> >>>
> >>> (2) WHEN DUAL STACKS CAN REASONABLY BE EXPECTED TO COMPLY
> >> WITH R2 (no
> >>> urgency)
> >>>
> >>> R3: IPv4-only hosts MAY start advertising mapped-address AAAAs in 
> >>> their DNS servers (in addition to As).
> >>>
> >>> R4: Independently, DNS64s MAY start to forward 
> mapped-address AAAAs 
> >>> (either all of them for simplicity or, if more selectively,
> >> ensuring
> >>> that all those that are DNSsec signed are indeed forwarded).
> >>>
> >>>
> >>>
> >>> In my understanding, these (simple) rules are sufficient to 
> >>> eventually reconcile NAT64s with DNSsec in IPv6-only hosts.
> >>> And they are so far the only ones I know for this.
> >>>
> >>> If the analysis is right, advices on how to proceed would be 
> >>> welcome. (A possibility would be to add appropriate sentences in 
> >>> draft-baker-behave-v4v6-framework and
> >> draft-bagnulo-behave-dns64.)
> >>> If the analysis is wrong, it's IMHO worth understanding where.
> >>>
> >>>
> >>> Regards,
> >>>
> >>> RD
> >>>
> >>> PS: apologies to addressees for the retransmission. I had forgotten
> >>> the copy to the mailing list.
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> Behave mailing list
> >>> Behave@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/behave
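The following is an added example, written for this archive page and not code from the thread, from any BEHAVE draft, or from any DNS64 implementation it mentions. It models the three behaviours the thread argues about: a DNS64 that synthesizes AAAA records from A records and, under rule R1, silently discards IPv4-mapped AAAAs it receives (or, under R4, forwards them); rule R2 at the socket interface, where a dual-stack host sends a datagram addressed to an IPv4-mapped destination over IPv4 while an IPv6-only host sends it in IPv6; and the on-demand alternative from the message above, where a host that has learned prefix64 synthesizes the IPv6 address itself from the A record instead of relying on a DNS64 in the path. The upstream answers, the server names and the 64:ff9b::/96 prefix are constructed sample data, and only a /96 prefix64 is handled.

```python
"""Model of DNS64 synthesis, mapped-AAAA handling and host-side Pref64 use.

Added example, not code from the thread. Record handling only: there is no
real DNS transport and no DNSSEC validation here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# IPv4-mapped IPv6 range, RFC 4291 section 2.5.5.2.
IPV4_MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")
# Assumed prefix64 for the sample; any /96 works.
PREF64 = ipaddress.IPv6Network("64:ff9b::/96")

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Dest = Tuple[str, Addr]  # ("IPv4" | "IPv6", address the datagram is sent to)


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str  # "A" or "AAAA"
    rdata: str


# Constructed answers standing in for a plain (non-DNS64) upstream resolver:
# an IPv4-only server that also publishes a mapped-address AAAA (rule R3)
# and a dual-stack server with a native AAAA.
UPSTREAM = [
    RR("v4only.example", "A", "192.0.2.10"),
    RR("v4only.example", "AAAA", "::ffff:192.0.2.10"),
    RR("dual.example", "A", "198.51.100.7"),
    RR("dual.example", "AAAA", "2001:db8::7"),
]


def synthesize_aaaa(ipv4: str, pref64: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in the low 32 bits of a /96 prefix64."""
    if pref64.prefixlen != 96:
        raise ValueError("this example handles only a /96 prefix64")
    return ipaddress.IPv6Address(int(pref64.network_address) | int(ipaddress.IPv4Address(ipv4)))


def dns64_answer(name: str, upstream: List[RR], pref64: ipaddress.IPv6Network,
                 discard_mapped: bool = True) -> List[ipaddress.IPv6Address]:
    """AAAA answer a DNS64 returns for `name`.

    Native AAAAs pass through. With discard_mapped=True (rule R1) IPv4-mapped
    AAAAs are silently dropped; with False (rule R4) they are forwarded like
    any other AAAA. Synthesis from A records happens only when no AAAA
    survives, so a synthesized record never shadows a published one.
    """
    aaaa = []
    for rr in upstream:
        if rr.name != name or rr.rtype != "AAAA":
            continue
        addr = ipaddress.IPv6Address(rr.rdata)
        if discard_mapped and addr in IPV4_MAPPED:
            continue
        aaaa.append(addr)
    if aaaa:
        return aaaa
    return [synthesize_aaaa(rr.rdata, pref64)
            for rr in upstream if rr.name == name and rr.rtype == "A"]


def choose_transport(dest: ipaddress.IPv6Address, ipv4_enabled: bool) -> Dest:
    """Rule R2 at the socket interface: an IPv4-mapped destination goes out
    over IPv4 when IPv4 is enabled (RFC 2553 section 3.7); when IPv4 is not
    enabled it is sent as an ordinary IPv6 datagram (R2b)."""
    v4 = dest.ipv4_mapped
    if v4 is not None and ipv4_enabled:
        return ("IPv4", v4)
    return ("IPv6", dest)


def host_candidates(name: str, answers: List[RR], ipv4_enabled: bool,
                    pref64: Optional[ipaddress.IPv6Network] = None) -> List[Dest]:
    """Destinations a host builds from plain resolver answers, in order.

    AAAA records first (IPv6 preferred per RFC 3484, with R2 deciding the
    stack for mapped addresses), then IPv4 from the A records on a
    dual-stack host. An IPv6-only host that has learned prefix64 synthesizes
    from the A records itself, on demand, with no DNS64 in the path.
    """
    dests: List[Dest] = []
    for rr in answers:
        if rr.name == name and rr.rtype == "AAAA":
            dests.append(choose_transport(ipaddress.IPv6Address(rr.rdata), ipv4_enabled))
    a_records = [rr.rdata for rr in answers if rr.name == name and rr.rtype == "A"]
    if ipv4_enabled:
        dests += [("IPv4", ipaddress.IPv4Address(a)) for a in a_records]
    elif pref64 is not None:
        dests += [("IPv6", synthesize_aaaa(a, pref64)) for a in a_records]
    # A mapped AAAA and its A record name the same IPv4 host: keep one entry.
    seen, unique = set(), []
    for d in dests:
        if d not in seen:
            seen.add(d)
            unique.append(d)
    return unique


if __name__ == "__main__":
    print("DNS64 (R1):", dns64_answer("v4only.example", UPSTREAM, PREF64))
    print("DNS64 (R4):", dns64_answer("v4only.example", UPSTREAM, PREF64, discard_mapped=False))
    print("dual-stack host:", host_candidates("v4only.example", UPSTREAM, True))
    print("IPv6-only host with prefix64:", host_candidates("v4only.example", UPSTREAM, False, PREF64))
```

Running it shows the two paths side by side: with R1 the DNS64 drops ::ffff:192.0.2.10 and answers 64:ff9b::c000:20a, whereas with R4 the mapped AAAA reaches the host unchanged and R2 decides whether it is sent over IPv4 or IPv6. The dual-stack host never needs the DNS64 for v4only.example at all, and the IPv6-only host that knows prefix64 produces the same synthesized address locally, which is the case the message above is making.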