Re: [dns-dir] Help reviewing draft-ietf-opsec-ipv6-implications-on-ipv4-nets for bad DNS advice?

Mark Townsley <mark@townsley.net> Tue, 09 July 2013 14:49 UTC

Mime-Version: 1.0 (Apple Message framework v1283)
Content-Type: text/plain; charset="us-ascii"
From: Mark Townsley <mark@townsley.net>
In-Reply-To: <8D23D4052ABE7A4490E77B1A012B630775206126@mbx-01.win.nominum.com>
Date: Tue, 09 Jul 2013 16:49:37 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <0DAE62F3-FA49-4F17-8E1B-6223ABE27673@townsley.net>
References: <8D23D4052ABE7A4490E77B1A012B630775200A1E@mbx-01.win.nominum.com> <7ACC4C2E-3D83-41D9-8794-AF2D9DE04701@townsley.net> <8D23D4052ABE7A4490E77B1A012B630775206126@mbx-01.win.nominum.com>
To: Ted Lemon <Ted.Lemon@nominum.com>
Cc: "dns-dir@ietf.org" <dns-dir@ietf.org>
Subject: Re: [dns-dir] Help reviewing draft-ietf-opsec-ipv6-implications-on-ipv4-nets for bad DNS advice?
Precedence: list

On Jul 9, 2013, at 4:17 PM, Ted Lemon wrote:

> On Jul 9, 2013, at 9:50 AM, Mark Townsley <mark@townsley.net> wrote:
>> Safe in what sense? Are there security dangers in it?
> 
> It certainly breaks DNSSEC.  

Well, if the request isn't being responded to at all, I suppose that goes without saying.

>  Silently ignoring queries on a name can lead to long timeouts.

Even if only for AAAA requests with a host that (presumably) doesn't even have an IPv6 address configured (because by definition in the paper it is supposed to be connected to an IPv4 only network)? 

>   They were going to return NXDOMAIN, which would have been really exciting, but they at least agreed to take that out.
> 
>> I can state a lot of reasons why I don't *like* it:
>> 
>> - Please just deploy IPv6 instead
>> - Users that want to get around this, can (8.8.8.8)
>> - Inconsistency in DNS is hard to diagnose, troubleshoot, etc....
> 
> Actually I think they want to also intercept DNS queries at the firewall, so querying against google's name service wouldn't work.

lovely.

> 
>> That said, 6to4 and Teredo are as rampant as they are broken. Perhaps the focus should be on ridding these from codebases entirely rather than pussyfooting around about it as we have in the past. 
> 
> Breaking 6to4 and Teredo at the enterprise firewall is pretty easy.  

Yes, but that also leads to timeouts. 

>  This is a document about how to run enterprise networks where you aren't doing IPv6.   Personally I think it's bad because it encourages enterprises to postpone upgrading to IPv6, when in fact enterprises are one of the easiest places in the world to do IPv6, and there are substantial benefits to switching.   But my main concern about this document is that it will be read as the IETF generally supporting the techniques it describes, even though the introduction says it's specifically for corporate environments.

I completely agree that we shouldn't be giving advice on how to run IPv4-only and IPv6-hostile networks - on philosophical grounds. 

But, you asked if this was "safe", and its in an "opsec" WG. I'm trying to understand what's unsafe here, what the target is for the doc, etc.

> 
> So if there is something about the paragraph I quoted that would cause genuine breakage, but that I have missed, that's what I'm hoping someone will tell me.   The paragraph gives me an uneasy feeling, but having gotten rid of the NXDOMAIN bug, there is nothing specific that I can point to, with my limited operational experience, as being clearly broken.

Yeah, I'm not seeing what this breaks, aside of IPv6. But, that seems to be the intent....

- Mark

>

[dns-dir] Help reviewing draft-ietf-opsec-ipv6-im… Ted Lemon
Re: [dns-dir] Help reviewing draft-ietf-opsec-ipv… Ted Lemon
Re: [dns-dir] Help reviewing draft-ietf-opsec-ipv… Mark Townsley
Re: [dns-dir] Help reviewing draft-ietf-opsec-ipv… Ted Lemon
Re: [dns-dir] Help reviewing draft-ietf-opsec-ipv… Mark Townsley
Re: [dns-dir] Help reviewing draft-ietf-opsec-ipv… Ted Lemon
Re: [dns-dir] Help reviewing draft-ietf-opsec-ipv… Olafur Gudmundsson