RE: IPv6 only host NAT64 requirements?

<mohamed.boucadair@orange.com> Mon, 20 November 2017 07:41 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87E24129463 for <ipv6@ietfa.amsl.com>; Sun, 19 Nov 2017 23:41:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.618
X-Spam-Level:
X-Spam-Status: No, score=-1.618 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id diHLfWUCUbDH for <ipv6@ietfa.amsl.com>; Sun, 19 Nov 2017 23:41:51 -0800 (PST)
Received: from orange.com (mta241.mail.business.static.orange.com [80.12.66.41]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E76B7124207 for <ipv6@ietf.org>; Sun, 19 Nov 2017 23:41:50 -0800 (PST)
Received: from opfedar03.francetelecom.fr (unknown [xx.xx.xx.5]) by opfedar24.francetelecom.fr (ESMTP service) with ESMTP id 5EF45C093E; Mon, 20 Nov 2017 08:41:49 +0100 (CET)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.63]) by opfedar03.francetelecom.fr (ESMTP service) with ESMTP id 2F7F6180065; Mon, 20 Nov 2017 08:41:49 +0100 (CET)
Received: from OPEXCLILMA3.corporate.adroot.infra.ftgroup ([fe80::60a9:abc3:86e6:2541]) by OPEXCLILM6E.corporate.adroot.infra.ftgroup ([fe80::f5a7:eab1:c095:d9ec%18]) with mapi id 14.03.0361.001; Mon, 20 Nov 2017 08:41:48 +0100
From: <mohamed.boucadair@orange.com>
To: Ole Troan <otroan@employees.org>
CC: Jen Linkova <furry13@gmail.com>, 6man WG <ipv6@ietf.org>, Mark Andrews <marka@isc.org>
Subject: RE: IPv6 only host NAT64 requirements?
Thread-Topic: IPv6 only host NAT64 requirements?
Thread-Index: AQHTX4U1swcBlM/8z0eNn33c3P4KiKMc5AXw
Date: Mon, 20 Nov 2017 07:41:48 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93300A07D481@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
References: <m1eEGbJ-0000EhC@stereo.hq.phicoh.net> <D43E103C-27B8-48CF-B801-ACCF9B42533E@employees.org> <m1eEHPS-0000FyC@stereo.hq.phicoh.net> <59B0BEC0-D791-4D75-906C-84C5E423291B@employees.org> <m1eEIGX-0000FjC@stereo.hq.phicoh.net> <73231F8D-498E-4C77-8DA8-044365368FC9@isc.org> <CAKD1Yr1aFwF_qZVp5HbRbKzcOGqn==MRe_ewaA8Qc8t3+CVu_Q@mail.gmail.com> <44A862B7-7182-4B3A-B46E-73065FC4D852@isc.org> <D42D8D7A-6D19-4862-9BB3-4913058A83B6@employees.org> <CAFU7BARCLq9eznccEtkdnKPAtKNT7Mf1bW0uZByPvxtiSrv6EQ@mail.gmail.com> <787AE7BB302AE849A7480A190F8B93300A07AD68@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <CAFU7BARoXgodiTJfTGc1dUfQ8-ER_r8UOE1c3h-+G0KTeCgBew@mail.gmail.com> <787AE7BB302AE849A7480A190F8B93300A07C625@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <7EE41034-132E-45F0-8F76-6BA6AFE3E916@employees.org>
In-Reply-To: <7EE41034-132E-45F0-8F76-6BA6AFE3E916@employees.org>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.168.234.4]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/AtGYjEDDqxoEhbbRjuiALhs1aWk>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Nov 2017 07:41:53 -0000

Hi Ole,

Please see inline. 

Cheers,
Med

> -----Message d'origine-----
> De : Ole Troan [mailto:otroan@employees.org]
> Envoyé : vendredi 17 novembre 2017 10:20
> À : BOUCADAIR Mohamed IMT/OLN
> Cc : Jen Linkova; 6man WG; Mark Andrews
> Objet : Re: IPv6 only host NAT64 requirements?
> 
> Med,
> 
> Thanks for all the references. Seems like most bases have been covered
> here. ;-)
> 
> For the IETF NAT64 IMHO

[Med] As you are mentioning "IETF" explicitly, NAT64 may not be the appropriate "IPv4 service continuity" solution here. 

 I need:
>  - No dependency on DNS64. Want to use recursive resolver I trust plus
> local validating resolver.
>  - Not depend on the success of PCP for NAT64 prefix discovery
>  - If the host couldn't learn the NAT64 prefix any other way, I suppose it
> could throw an ICMP echo towards
>    64:ff9b::127.0.0.1 (or perhaps just 64:ff9b::)
> 

[Med] Fair. That is another "add my favorite solution" to the list. 

> But I also see there being different deployment options here.
> Btw, for multiple NSPs, couldn't you partly solve that by injecting more
> specifics into routing?

[Med] It is not only about forwarding/routing, but also how a host can pick the appropriate prefix64 for address synthesis. Things may be obvious if you can consider the example of RFC7050:


                      NAT64 "A" ----- IPv4-only servers in a data center
                     /
   IPv6-only node---<
                     \
                      NAT64 "B" ----- IPv4 Internet 


> 
> Cheers,
> Ole
> 
> 
> > On 17 Nov 2017, at 16:47, <mohamed.boucadair@orange.com>;
> <mohamed.boucadair@orange.com>; wrote:
> >
> > Hi Jen,
> >
> > Please see inline.
> >
> > Cheers,
> > Med
> >
> >> -----Message d'origine-----
> >> De : Jen Linkova [mailto:furry13@gmail.com]
> >> Envoyé : vendredi 17 novembre 2017 09:31
> >> À : BOUCADAIR Mohamed IMT/OLN
> >> Cc : Ole Troan; 6man WG; Mark Andrews
> >> Objet : Re: IPv6 only host NAT64 requirements?
> >>
> >> On Thu, Nov 16, 2017 at 12:35 AM,  <mohamed.boucadair@orange.com>;
> wrote:
> >>>> IMHO the optimal solution is:
> >>>> - the network SHOULD provide a host with NAT64 prefix information in
> >>>> RA (I do not believe that information needs to be duplicated in DHCP
> >>>> at all);
> >>>
> >>> [Med] Please check: https://tools.ietf.org/html/rfc7051#section-5.7.3
> >>
> >> Thanks for pointing this out. To be honest I disagree with what that
> >> section says.
> >
> > [Med] I also disagree with many of the points in RFC7051, but that is
> the document which reflects the IETF consensus on learning prefix64s.
> >
> > We had many opportunities in the past to ignore the recommendations in
> RFC7051, but we didn't. For example, RFC8115 says the following:
> >
> > ==
> >   Note that it was tempting to define three distinct DHCPv6 options,
> >   but that approach was not adopted because it has a side effect: the
> >   specification of a DHCPv6 option that could be used to discover
> >   unicast Prefix64s in environments where multicast is not enabled.
> >   Such a side effect conflicts with the recommendation to support the
> >   Well-Known DNS Name heuristic discovery-based method for unicast-only
> >   environments (Section 6 of [RFC7051]).
> > ==
> >
> >> I'm trying to refrain from participating  'SLAAC vs DHCPv6' so I will
> >> not mention all those issues with multihoming for example but....
> >> If you are saying that the prefix should not be distributed via RAs
> >> because it needs to be configured on routers, then what about DNS
> >> servers and SLAAC prefixes themselves?
> >> There are SLAAC-only networks out there while RFC7934 does not
> >> recommend DHCPv6 as the only way to configure clients.
> >> So between those two RA does look like a better way.
> >
> > [Med] It is evident that RA-based approach may be a good candidate for
> some deployments. Others may argue that another solution is appropriate
> for their deployment, and so on.
> >
> >>
> >>> Things may get complex if multiple NSPs are used for load-balancing or
> >> if destination based NAT64s are deployed. A list of issues is
> elaborated
> >> in https://tools.ietf.org/html/rfc7225#section-3.1
> >>
> >> It's more like v6ops question but I'm really curious if multiple
> >> prefixes scenario is real.
> >> RA option might contain multiple prefixes anyway.
> >
> > [Med] Indeed. It is already ACKed in 7051:
> >
> >   Note: If the RA would include multiple NSPs, Issue #5 could be solved
> >   as well, but only if nodes as a group would select different NSPs,
> >   hence supporting load balancing.  As this is not clear, this item is
> >   not yet listed under PROs or CONs.
> >
> >>
> >>>>>> On 15 Nov 2017, at 08:06, Mark Andrews <marka@isc.org>; wrote:
> >>>>>>
> >>>>>>
> >>>>>>> On 15 Nov 2017, at 3:40 am, Lorenzo Colitti <lorenzo@google.com>;
> >>>> wrote:
> >>>>>>>
> >>>>>>> On Tue, Nov 14, 2017 at 6:46 AM, Mark Andrews <marka@isc.org>;
> >> wrote:
> >>>>>>> Is there any reason to run DNS64 at all these days?  ipv4only.arpa
> >> can
> >>>> be a preconfigured
> >>>>>>> zone which allows CLAT to get its mapping.  All the phones have
> >> CLAT
> >>>> support.
> >>>>>>>
> >>>>>>> That's an interesting idea. It would work in theory, but such a
> >>>> network would completely break devices that don't support 464xlat.
> That
> >>>> gives up one of the major advantages of NAT64/DNS64, which is that
> it's
> >> a
> >>>> 90% solution even just by itself - yes, IPv4-only applications and
> >> address
> >>>> literals exist, but most simple client/server applications Just Work
> >>>> behind it.
> >>>>>>
> >>>>>> And that 90% “solution” has lots of down sides.  It basically
> >> requires
> >>>> EVERY DNS VALIDATOR ON
> >>>>>> THE PLANET TO SUPPORT DNS64 JUST IN CASE IT IS USED BEHIND A DNS64
> >>>> SERVER.
> >>>>>>
> >>>>>> DNS64/NAT64 was presented as NOT REQUIRING node changes when first
> >>>> mooted.  It keeps on
> >>>>>> requiring more and more highly invasive node changes to support.
> It
> >>>> was from the very beginning
> >>>>>> bad engineering.   To get IPv4 as a service some node changes are
> >>>> required.  Lets make sure they
> >>>>>> are MINIMAL ones.
> >>>>>>
> >>>>>> Just for the record DNSSEC validators need to send BOTH CD=0 and
> >> CD=1
> >>>> queries to get answers
> >>>>>> though a upstream VALIDATING server which includes a VALIDATING
> >> DNS64
> >>>> server as CD=0 and
> >>>>>> CD=1 address different DNSSEC threats.  I tried very hard to point
> >> that
> >>>> out when RFC 6147 was
> >>>>>> being written but the working group decide that CD indicated
> whether
> >>>> the client was validating or
> >>>>>> not.  There is NO SUCH INDICATION in a DNS message.
> >>>>>>
> >>>>>> If a query arrives at a vDNS64 device with the "Checking Disabled"
> >>>>>>  (CD) bit set, it is an indication that the querying agent wants
> >> all
> >>>>>>  the validation data so it can do checking itself.  By local
> >> policy,
> >>>>>>  vDNS64 could still validate, but it must return all data to the
> >>>>>>  querying agent anyway.
> >>>>>>
> >>>>>> CD=0 queries causes the upstream validating servers to reject
> >> incoming
> >>>> spoofed answers
> >>>>>> or stale answers (this is a common operational problem).
> >>>>>>
> >>>>>> CD=1 queries allow the validation to succeed when the upstream
> >>>> validator has a bad trust
> >>>>>> anchor or a bad clock which is rejecting legitimate answers.
> >>>>>>
> >>>>>> A validating client can’t just send CD=1 queries as the upstream
> >>>> validator doesn’t kick in.
> >>>>>> The upstream validator can lock onto a stale answer source.  It
> >> needs
> >>>> to send CD=0 queries
> >>>>>> on validation failure to force the upstream validator to try
> >> multiple
> >>>> sources.
> >>>>>>
> >>>>>> A validating client can’t just send CD=0.  It needs to send CD=1 on
> >>>> SERVFAIL in case the
> >>>>>> upstream validator has a bad trust anchor (likely with the upcoming
> >>>> root KSK roll) or has
> >>>>>> a bad clock (these usually get fixed fast).
> >>>>>>
> >>>>>> Now to get a answer from a signed zone with servers with stale
> >> answers
> >>>> a validatiing DNS64 client
> >>>>>> needs to send:
> >>>>>>
> >>>>>> a) send CD=1 and validation failure send CD=0 then on AAAA
> >> validation
> >>>> failure send CD=1 and
> >>>>>>   hope the TTL was not 0 and that is not cachable and there is no
> >>>> assurance that you won’t get
> >>>>>>   a answer from a stale source.
> >>>>>>
> >>>>>>      or
> >>>>>>
> >>>>>> b) send CD=0 and on validation failure of the AAAA send CD=1 and
> >> hope
> >>>> the TTL was not 0 as
> >>>>>>   that is not cachable and there is no assurance that you won’t get
> >> a
> >>>> answer from a stale source.
> >>>>>>
> >>>>>> TTL=0 answers exist.
> >>>>>>
> >>>>>> Note none of this is documented in a RFC.  You have to understand
> >> how
> >>>> both DNSSEC and DNS64 work to
> >>>>>> realise this.
> >>>>>>
> >>>>>> IPV4ONLY.ARPA is currently has a secure delegation which breaks
> >> prefix
> >>>> discover for DNS VALIDATORS.
> >>>>>> Note “ad” is set in the flags.  Yes, I’ve submitted a errata.  Yes,
> >>>> I’ve opened a ticket to get it fixed but
> >>>>>> based on past experience that could take months if it happens at
> >> all.
> >>>> You will note that the recursive
> >>>>>> server is running on the loopback interface so all DNS answers are
> >>>> being validated here.
> >>>>>>
> >>>>>> [rock:bind9/bin/named] marka% dig IPV4ONLY.ARPA
> >>>>>> ;; BADCOOKIE, retrying.
> >>>>>>
> >>>>>> ; <<>> DiG 9.12.0b2+hotspot+add-prefetch+marka <<>> IPV4ONLY.ARPA
> >>>>>> ;; global options: +cmd
> >>>>>> ;; Got answer:
> >>>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8504
> >>>>>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0,
> >> ADDITIONAL: 1
> >>>>>>
> >>>>>> ;; OPT PSEUDOSECTION:
> >>>>>> ; EDNS: version: 0, flags:; udp: 4096
> >>>>>> ; COOKIE: 7dbf8beb79be47a09eb5313d5a0b776f4fae3aa6931d9583 (good)
> >>>>>> ;; QUESTION SECTION:
> >>>>>> ;IPV4ONLY.ARPA.                       IN      A
> >>>>>>
> >>>>>> ;; ANSWER SECTION:
> >>>>>> ipv4only.arpa.                26574   IN      A       192.0.0.171
> >>>>>> ipv4only.arpa.                26574   IN      A       192.0.0.170
> >>>>>>
> >>>>>> ;; Query time: 0 msec
> >>>>>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> >>>>>> ;; WHEN: Wed Nov 15 10:08:31 AEDT 2017
> >>>>>> ;; MSG SIZE  rcvd: 115
> >>>>>>
> >>>>>> [rock:bind9/bin/named] marka%
> >>>>>>
> >>>>>>> It's not true that all phones have clat support. Notably, Apple
> not
> >>>> only does not support it but appears ideologically opposed to it on
> the
> >>>> grounds that it does not have a good exit strategy (because it makes
> it
> >>>> possible to run IPv4-only apps forever).
> >>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> Mark Andrews, ISC
> >>>>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> >>>>>> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
> >>>>>>
> >>>>>> -------------------------------------------------------------------
> -
> >>>>>> IETF IPv6 working group mailing list
> >>>>>> ipv6@ietf.org
> >>>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >>>>>> -------------------------------------------------------------------
> -
> >>>>>
> >>>>>
> >>>>> --------------------------------------------------------------------
> >>>>> IETF IPv6 working group mailing list
> >>>>> ipv6@ietf.org
> >>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >>>>> --------------------------------------------------------------------
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> SY, Jen Linkova aka Furry
> >>>>
> >>>> --------------------------------------------------------------------
> >>>> IETF IPv6 working group mailing list
> >>>> ipv6@ietf.org
> >>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >>>> --------------------------------------------------------------------
> >>
> >>
> >>
> >> --
> >> SY, Jen Linkova aka Furry