Re: Last Call: <draft-ietf-opsec-ipv6-implications-on-ipv4-nets-03.txt> (Security Implications of IPv6 on IPv4 Networks) to Informational RFC
SM <sm@resistor.net> Wed, 03 April 2013 04:28 UTC
Return-Path: <sm@resistor.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 658FA21F8651 for <ietf@ietfa.amsl.com>; Tue, 2 Apr 2013 21:28:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NDVlLDzE1061 for <ietf@ietfa.amsl.com>; Tue, 2 Apr 2013 21:28:54 -0700 (PDT)
Received: from mx.ipv6.elandsys.com (mx.ipv6.elandsys.com [IPv6:2001:470:f329:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id AFA9721F8633 for <ietf@ietf.org>; Tue, 2 Apr 2013 21:28:54 -0700 (PDT)
Received: from SUBMAN.resistor.net (IDENT:sm@localhost [127.0.0.1]) (authenticated bits=0) by mx.elandsys.com (8.14.5/8.14.5) with ESMTP id r334Sl71009013; Tue, 2 Apr 2013 21:28:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=opendkim.org; s=mail2010; t=1364963333; bh=K+LPKbW1oDjOqiHkwO+/h9JjL1PvzKvGFXIZPSwIYn0=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=L9Rqg1DEIJgPAFfbCP+TTuCvd89jd36uyXkXWVaq9qrtwSjxDl4FYn//74zLXWW6u j262R6DfjI55TM1PQJp71gRfxK2c9XSSsCOBwQyvRpSNaQczLv1GsoUN3BlIOqJ2VX JdUK181TjlD97u6oFnpNEZ6ek1SUKXTT1ibBlxvY=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=resistor.net; s=mail; t=1364963333; i=@resistor.net; bh=K+LPKbW1oDjOqiHkwO+/h9JjL1PvzKvGFXIZPSwIYn0=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=dh/HamC9RhVrQiaPzH3IBLKGC3txp97qGk7vC0zhlDqOO+XHzXYmXgucHNRuyiKI4 NI97t+0w01mh87xejdwe4GqVvHBl3t9fo1TlDwtx6MvoAh7JKwGHVY3Bq/ViBPKUOI BzscnPrEEIz6qTQksydTPug4AMSpJAKdKE6WTCCM=
Message-Id: <6.2.5.6.2.20130402203714.0cd15e78@resistor.net>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Tue, 02 Apr 2013 21:08:33 -0700
To: Fernando Gont <fgont@si6networks.com>
From: SM <sm@resistor.net>
Subject: Re: Last Call: <draft-ietf-opsec-ipv6-implications-on-ipv4-nets-03.txt> (Security Implications of IPv6 on IPv4 Networks) to Informational RFC
In-Reply-To: <515B6A04.9080400@si6networks.com>
References: <20130329130326.13012.1402.idtracker@ietfa.amsl.com> <6.2.5.6.2.20130330230305.0bce91a8@resistor.net> <2671C6CDFBB59E47B64C10B3E0BD5923042CFA4019@PRVPEXVS15.corp.twcable.com> <6.2.5.6.2.20130401134936.0a5a1420@resistor.net> <515B6A04.9080400@si6networks.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Apr 2013 04:28:55 -0000
Hi Fernando,
At 16:30 02-04-2013, Fernando Gont wrote:
>Happy eyeballs is about HTTP. But part of the approach predates "Happy
>Eyeballs" -- please see RFC5461.
Ok.
>Removing the AAAA records when you're not going to allow such
>connectivity reduces the potential problem (at the end of the day, this
>is kind of the whitelisting approach that has been applied to the
>general case by content providers -- with the caveat that in this case
>you positively know that such connectivity is not present).
Here's an extract from RFC 4924:
'In particular, the DNSSEC protocol described in "Protocol
Modifications for the DNS Security Extensions" [RFC4035] has been
designed to verify that DNS information has not been modified between
the moment they have been published on an authoritative server and
the moment the validation takes place. Since that verification can
take place at the application level, any modification by a recursive
forwarder or other intermediary will cause validation failures,
disabling the improved security that DNSSEC is intended to provide.'
I am ok with resolving the problem of the day. If I am of the
opinion that it may cause problems in the long run I'll mention
it. I am not inclined to do anything more than that.
Regards,
-sm
- Re: Last Call: <draft-ietf-opsec-ipv6-implication… Brian E Carpenter
- Re: Last Call: <draft-ietf-opsec-ipv6-implication… SM
- Re: Last Call: <draft-ietf-opsec-ipv6-implication… Fernando Gont
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-imp… Fernando Gont
- RE: Last Call: <draft-ietf-opsec-ipv6-implication… George, Wes
- Re: Last Call: <draft-ietf-opsec-ipv6-implication… SM
- RE: Last Call: <draft-ietf-opsec-ipv6-implication… SM
- Re: Last Call: <draft-ietf-opsec-ipv6-implication… Fernando Gont
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-imp… Brian E Carpenter
- Re: Last Call: <draft-ietf-opsec-ipv6-implication… Fernando Gont
- Re: Last Call: <draft-ietf-opsec-ipv6-implication… Ted Lemon
- Re: Last Call: <draft-ietf-opsec-ipv6-implication… SM
- Re: Last Call: <draft-ietf-opsec-ipv6-implication… Fernando Gont
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-imp… Fernando Gont
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-imp… Brian E Carpenter
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-imp… Fernando Gont