Re: [dns-dir] Help reviewing draft-ietf-opsec-ipv6-implications-on-ipv4-nets for bad DNS advice?

Mark Townsley <mark@townsley.net> Tue, 09 July 2013 13:50 UTC

From: Mark Townsley <mark@townsley.net>
Date: Tue, 09 Jul 2013 15:50:36 +0200
To: Ted Lemon <Ted.Lemon@nominum.com>
Cc: "dns-dir@ietf.org" <dns-dir@ietf.org>
Subject: Re: [dns-dir] Help reviewing draft-ietf-opsec-ipv6-implications-on-ipv4-nets for bad DNS advice?

On Jul 5, 2013, at 8:00 PM, Ted Lemon wrote:

> This is a document about how to disable IPv6 on corporate networks, for those who swing that way. The bit of text I am concerned with is this:
> 
>   For this reason, networks attempting to prevent IPv6 traffic from
>   traversing their devices should consider configuring their local
>   recursive DNS servers to respond to queries for AAAA DNS records with
>   a DNS RCODE of 0 (NOERROR) [RFC1035] or to silently ignore such
>   queries, and should even consider filtering AAAA records at the
>   network ingress point to prevent the internal hosts from attempting
>   their own DNS resolution.  This will ensure that hosts which are on
>   an IPv4-only network will only receive DNS A records, and they will
>   be unlikely to attempt to use (likely broken) IPv6 connectivity to
>   reach their desired destinations.
> 
> This looks like bad advice to me. I'm not convinced that there is a safe way to do what is proposed here. What do you all think?

Safe in what sense? Are there security dangers in it?

I can state a lot of reasons why I don't *like* it:

- Please just deploy IPv6 instead
- Users that want to get around this can (8.8.8.8)
- Inconsistency in DNS is hard to diagnose, troubleshoot, etc.

That said, 6to4 and Teredo are as rampant as they are broken. Perhaps the focus should be on ridding these from codebases entirely rather than pussyfooting around about it as we have in the past.

- Mark

> 
> The complete document is here:
> 
> 	http://tools.ietf.org/html/draft-ietf-opsec-ipv6-implications-on-ipv4-nets-05
> 
> Thanks!
> 
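As an added illustration of the resolver behaviour the quoted draft text describes (this code is not from the draft, from Ted, or from Mark): a minimal DNS wire-format query builder and parser, a function that models the two options the draft gives a recursive server for AAAA queries, namely answering NOERROR (RCODE 0) with an empty answer section (the "NODATA" form) or silently ignoring the query, and a classifier that makes the one important caveat visible: answering NXDOMAIN (RCODE 3) instead would assert that the whole name does not exist and, under RFC 2308 negative caching, break the A lookups the draft wants to keep working. The function names, the example name www.example.com, and the transaction id are assumptions of this example; non-AAAA queries are returned as "not filtered" and not forwarded anywhere.

```python
import struct

# Constructed constants for this example (values are the standard DNS ones).
QTYPE_A = 1
QTYPE_AAAA = 28
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Encode a dotted name as DNS length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode labels at offset; returns (name, offset after the name)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        # Compression pointers never appear in the question section of a
        # freshly built query, so this toy parser rejects them.
        if length & 0xC0:
            raise ValueError("compression pointer not supported")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_query(name, qtype, txid):
    """Standard query: RD=1, one question, class IN."""
    flags = 0x0100  # QR=0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_message(msg):
    """Parse header and first question of a query or response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {
        "txid": txid,
        "qr": (flags >> 15) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd,
        "ancount": an,
        "qname": qname,
        "qtype": qtype,
    }


def filter_aaaa(query, mode="nodata"):
    """Model the draft's two options for a recursive server.

    Returns None when the query is not AAAA (the resolver would answer it
    normally; upstream lookup is out of scope here), b"" for mode="drop"
    (silently ignore: nothing is sent), or a NODATA response for mode="nodata".
    """
    q = parse_message(query)
    if q["qtype"] != QTYPE_AAAA:
        return None
    if mode == "drop":
        return b""
    # NODATA: QR=1, RD=1, RA=1, RCODE=NOERROR, question echoed, ANCOUNT=0.
    # Deliberately NOT NXDOMAIN: that would deny the name for every type.
    flags = 0x8180
    header = struct.pack("!HHHHHH", q["txid"], flags, 1, 0, 0, 0)
    return header + encode_name(q["qname"]) + struct.pack("!HH", QTYPE_AAAA, 1)


def classify(response):
    """Label a response the way a troubleshooter would read it."""
    r = parse_message(response)
    if r["rcode"] == RCODE_NXDOMAIN:
        return "NXDOMAIN"      # name denied for all types: breaks A too
    if r["rcode"] == RCODE_NOERROR and r["ancount"] == 0:
        return "NODATA"        # name exists, no record of this type
    if r["rcode"] == RCODE_NOERROR:
        return "ANSWER"
    return "ERROR"


if __name__ == "__main__":
    q = build_query("www.example.com", QTYPE_AAAA, 0x1234)
    print(classify(filter_aaaa(q)))            # NODATA
    print(filter_aaaa(q, mode="drop") == b"")  # True
```

In the spirit of the "hard to diagnose" objection above, the same `classify` helper can be run over the A and AAAA responses for one name obtained from a suspect resolver and from a reference resolver: a NODATA on AAAA beside a normal A answer from only one of the two is the signature of this kind of filtering, while an NXDOMAIN on AAAA means the filter was misconfigured and is taking A resolution down with it.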