IETF Logo Mail Archive

Re: NAT64 in RA, draft-ietf-6man-ra-pref64

Jen Linkova <furry13@gmail.com> Mon, 01 July 2019 04:16 UTC

Return-Path: <furry13@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E461D12019D for <ipv6@ietfa.amsl.com>; Sun, 30 Jun 2019 21:16:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OCn06XIPfad7 for <ipv6@ietfa.amsl.com>; Sun, 30 Jun 2019 21:16:21 -0700 (PDT)
Received: from mail-qt1-x82a.google.com (mail-qt1-x82a.google.com [IPv6:2607:f8b0:4864:20::82a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5FA3F1201F0 for <6man@ietf.org>; Sun, 30 Jun 2019 21:16:21 -0700 (PDT)
Received: by mail-qt1-x82a.google.com with SMTP id s15so13201793qtk.9 for <6man@ietf.org>; Sun, 30 Jun 2019 21:16:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=c2U2f34D4TSrg43KJYMF4Pz83jCoZYmgEZI77g4P9eY=; b=twtnTxozRzb4Gst6+EPIA6XiRfXTvRFM20ByFnCul4pV/fbTwYLo5edw8rrgEas5Na lauMmefHoW4UQyFYb2nfdP5Q08nzRXs3X3II5GaAMwBp6PChgXXpB1kq3Jwj9ezwgvt1 pcQBc6TVLsadXuvWAO/eKQYIxgUM46cBFcVHfDkQLnok8h7Rdf1YgM5fsZp1ylQZUS9+ 4aJl1FCrh8T9PJrkQi+PCAGXJwlrqIIwR1w/WZieO0iWAcXT7Z+Cayu8u0HHe+YZ4bPg 1RDqjZRlPAyWeM/etYAHJ47DmtQllJi4KwpJaWCsH0zY497ogEm2SFlztzGzZKnri8Kh WbIQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=c2U2f34D4TSrg43KJYMF4Pz83jCoZYmgEZI77g4P9eY=; b=Mtt1z9c1milorX/aAVklYF1MrdSnlClJ8sPB2xiR4Ojkx9SHkz8+8mbAbjjGvUZ5mu QD1uP3NqmoXg4S/62zsfcfBsgGKf036pyvoXGCFnCeQj2+l/74W9Iuvw6dpuxlzPVuhH kNvnkthCnrjdFSj3t+Hv9xJQNHLII4e2H+SBJX5enGozy9QCjRJd0Y4Tb2Hu4MUgDFAc rBx7xm99pQVUy+9t+9CbdSqGOGqJEdnTT0m2ettRRxedbxysy7FGlItL7OmWVr4m3LeH QTRNCOO0yjw5cdCPw4B0/BDldU1ofSpihhCBBUPQ/mkGd8o8eWx1Ix9vNnXKo0cKkBKP FDwA==
X-Gm-Message-State: APjAAAWCZxrV2Z4273zGTPBrgPf15FOCb64jo49csGS9Ys4Hm5X6c/Se OziGc+d3XgYV4+YsPo7dIuPM5Wh5xCLU9iuDq8U=
X-Google-Smtp-Source: APXvYqzJfvyz1w3eKamviYU9gNMHBfb8vVMLVUnfsFf+bCuen3JjTftdhH+zelOeRgnpvLaJDISiTzvJx4XkKjOIkNY=
X-Received: by 2002:ac8:2e59:: with SMTP id s25mr18359270qta.94.1561954580188; Sun, 30 Jun 2019 21:16:20 -0700 (PDT)
MIME-Version: 1.0
References: <12187.1558972629@localhost> <D3C7EB41-02E8-48D6-9335-26A041FD64C2@isc.org> <00C00FE5-C7CD-4B99-A2C9-CCBFCB1E4850@isc.org> <CAFU7BASfJ4YS6xBzK8hNJRSMnFZmdn3VE5A=sPCC3JqRa8SQEQ@mail.gmail.com> <EC63A89D-26CD-4093-8814-4461B6D3D327@isc.org> <CAFU7BASsAwitEc==Zj6qT4izy-tFosg23DHXFVVzOixidEfMFA@mail.gmail.com> <6EC0FA5C-9B87-46A5-BD2D-93E2E2C85291@isc.org>
In-Reply-To: <6EC0FA5C-9B87-46A5-BD2D-93E2E2C85291@isc.org>
From: Jen Linkova <furry13@gmail.com>
Date: Mon, 01 Jul 2019 14:16:09 +1000
Message-ID: <CAFU7BAR53QO-ji04hHqsSEEsNznpLK3RQDAyadDt8D2Ue_Oqsw@mail.gmail.com>
Subject: Re: NAT64 in RA, draft-ietf-6man-ra-pref64
To: Mark Andrews <marka@isc.org>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, 6man <6man@ietf.org>, Lorenzo Colitti <lorenzo@google.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/DTVFGgejcMM4qEw69ttBpj1CZ8c>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Jul 2019 04:16:24 -0000

On Fri, Jun 28, 2019 at 3:06 PM Mark Andrews <marka@isc.org> wrote:
> > 1) do we really want to put DNS labels into the router configuration?
> > NAT64 prefix is smth which is defined and controlled by the routing
> > infrastructure, while this thing is totally different.
>
> Why not?  DNS labels go in DHCP configurations all the time. What’s the
> real difference?

I'd rather avoid it as it would be a nightmare to maintain.

> > 3) it would *only* work if the application using the APL is also using
> > the network-provided resolvers - and I can not see how it could be
> > guaranteed (== it would lead to rather non-obvious failure scenarios
> > and operational nightmares).
>
> No.  It just requires the OS to record the information where the application
> can fetch it.  This allows DNS64 processing to be done in getaddrinfo() and
> not in the DNS servers.

When you say 'the information' do you mean 'the APL name' or 'the
prefixes from that APL'?

> DNS64 servers are configured with exclusion lists today.  When you
> move DNS64 processing closer to the application, be it the CPE router, on node,
> or in app you still need those exclusion lists.  At a minimum you need to
> exclude ::ffff:0.0.0.0/96 to filter out the mapped addresses published in the
> DNS.  You also need to exclude the well know DNS64 prefix.  The list only grows
> from there.

Oh, so you do not just suggest to keep an list of IPv4 prefixes not to
translate, but also explicitly specifying a list of IPv6 addresses
which
should be ignored when checking for AAAA?
Well, I disagree that we need to maintain that list. If someone is
publishing in DNS IPv4-mapped, IPv6-compatible, Link-local,
Site-local, multicast or whatever crap you can imagine -
well, good luck. I do not think clients need to work around it.

> > Stupid question: why can not we reserve a well-known label (_dns64 ?)
> > and let the client to request APL in the domains from its search list?
>
> Because there is no requirement to publish a search list and if you are
> sane you ignore them.  Search list are also badly implemented the same
> unqualified name to match to different fully qualified names depending
> upon the query type in the request as search algorithms don’t stop on
> noerror/nodata and some don’t stop on servfail either.  There is a lot
> of history behind the behaviour.

OK, got it, thanks for the explanation.

>
> >>> On 27 Jun 2019, at 8:35 pm, Jen Linkova <furry13@gmail.com> wrote:
> >>>
> >>> Hi Mark,
> >>>
> >>> On Tue, May 28, 2019 at 6:39 AM Mark Andrews <marka@isc.org> wrote:
> >>>>
> >>>> The RA optionally includes the name of the APL record.  Inclusion is signalled by the option length.
> >>>
> >>> I'm working on then -01 version of the draft and while trying to
> >>> incorporate the suggestion you made at the microphone @IETF104, I've
> >>> realized I'm still confused.
> >>>
> >>> If I got it right, you are suggesting to use the option length to
> >>> indicate not just the prefix length, but the presence of the APL
> >>> record, right?
> >>> So how shall it look like?
> >>> Are you suggesting to use the Reserved bits to store the APL label length?
> >>>
> >>> Let's look at all possible scenarios:
> >>>
> >>> Scenario 1: /96 prefix, no APL.
> >>> The option length = 2, the option contains 96 bits of the prefix.
> >>>
> >>> Scenario 2: non-/96 prefix, no APL.
> >>> The option length = 3, the last 32 bits of the option contains 8 bits
> >>> of the prefix length + reserved bits.
> >>
> >>>
> >>> Scenario3: /96 prefix, APL name exists.
> >>> The option length is....well, I guess it would depend on the label
> >>> length, right? So 3 or more.
> >>> So the first 8 bits after the prefix length would be the APL label
> >>> length, then the APL (with padding to the 8 octets if needed).
> >>>
> >>> Scenario 4:  non-/96 prefix, APL name exists
> >>> The same as scenario 3.
> >>>
> >>> My concerns here are:
> >>> 1) we are making the option parsing quite complicated just to
> >>> accomodate a hypothetical use case of 'dual-stack network with NAT64';
> >>> I'm afraid it might slow down the deployment.
> >>
> >>> 2) the state machine is unclear to me:
> >>> - does the presence of the APL part mean that now the host MUST use
> >>> the DNS servers provided by the network to resolve the APL (remember,
> >>> one of the benefit of providing pref64 is ability to remove
> >>> dependencies on DNS64)? What if the host has DNS servers configured
> >>> manually? How could the client tell the difference?
> >>>
> >>> So far I'm still not convinced that it's worth doing (at least currently).
> >>> If anything, I'd say the APL information should be in RDNSS option as
> >>> it shares fate with the DNS.
> >>>
> >>> Or am I missing smth/misunderstood your suggestion?
> >>>
> >>>>> On 28 May 2019, at 06:29, Mark Andrews <marka@isc.org> wrote:
> >>>>>
> >>>>> You use  an APL record to define which addresses are mapped/excluded  (the difference is where the negations goes and whether you include the /0 entries at the end normally) on a first match basis.
> >>>>>
> >>>>> e.g.
> >>>>>
> >>>>> APL !1:10.0.0.0/8 1:0.0.0.0/0
> >>>>>
> >>>>> Not net 10 but everything else.
> >>>>>
> >>>>> TYPE42 \#9 00 01 08 81 0a 00 01 00 00
> >>>>>
> >>>>> The above is a mapping list not a exclude list.
> >>>>>
> >>>>> You can also encode the IPv6 prefixes you want to ignore when determining if you are doing.  This is useful for when you want to be IPv6 internally but don’t have external connectivity  or you only have partial IPv6 connectivity or for ignoring the results of a seperate DNS64 mapping.
> >>>>>
> >>>>> Both lists can be encoded in a single APL record. Also it is easy enough to encode the record in unknown record format by hand as the encoding is not hard to do.  See above.
> >>>>>
> >>>>> --
> >>>>> Mark Andrews
> >>>>>
> >>>>>> On 28 May 2019, at 01:57, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> >>>>>>
> >>>>>>
> >>>>>> I just watched the 6man recording on draft-ietf-6man-ra-pref64.
> >>>>>> I am very enthusiastic about having this progress, because it enables DNSSEC
> >>>>>> resolution to be done on the host.
> >>>>>> (We just have to find a way in CAPPORT to shame
> >>>>>>
> >>>>>> The document says:
> >>>>>>
> >>>>>> In a network that provides both IPv4 and NAT64, it may be desirable
> >>>>>> for certain IPv4 addresses not to be translated.  An example might be
> >>>>>> private address ranges that are local to the network and should not
> >>>>>> be reached through the NAT64.  This type of configuration cannot be
> >>>>>> conveyed to hosts using this option, or through other NAT64 prefix
> >>>>>> provisioning mechanisms such as [RFC7050] or [RFC7225].  This problem
> >>>>>> does not apply in IPv6-only networks, because in such networks, the
> >>>>>> host does not have an IPv4 address and cannot reach any IPv4
> >>>>>> destinations without the NAT64.
> >>>>>>
> >>>>>> And I guess I disagree with this in a subtle way, which Section 7
> >>>>>> (multihoming) tries to deal with.   Maybe you could write:
> >>>>>>
> >>>>>> In a provisioning domain that provides both IPv4 and NAT64, it may be desirable
> >>>>>> for certain IPv4 addresses not to be translated.  An example might be
> >>>>>> private address ranges that are local to the provisioning domain and should not
> >>>>>> be reached through the NAT64.  This type of configuration cannot be
> >>>>>> conveyed to hosts using this option, or through other NAT64 prefix
> >>>>>> provisioning mechanisms such as [RFC7050] or [RFC7225].  This problem
> >>>>>> does not apply to hosts that are provisioned in IPv6-only networks,
> >>>>>> because in such networks, the host does not have an IPv4 address and
> >>>>>> cannot reach any IPv4 destinations without the NAT64.
> >>>>>> Section 7 deals with the multihoming sitution more.
> >>>>>>
> >>>>>> ----
> >>>>>>
> >>>>>> The slides had some optional stuff which I think is gone from the document.
> >>>>>> Mark Andrews made some suggestions, which I did not understand what happened.
> >>>>>>
> >>>>>> --
> >>>>>> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> >>>>>> -= IPv6 IoT consulting =-
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> --------------------------------------------------------------------
> >>>>>> IETF IPv6 working group mailing list
> >>>>>> ipv6@ietf.org
> >>>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >>>>>> --------------------------------------------------------------------
> >>>>>
> >>>>> --------------------------------------------------------------------
> >>>>> IETF IPv6 working group mailing list
> >>>>> ipv6@ietf.org
> >>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >>>>> --------------------------------------------------------------------
> >>>>
> >>>> --------------------------------------------------------------------
> >>>> IETF IPv6 working group mailing list
> >>>> ipv6@ietf.org
> >>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >>>> --------------------------------------------------------------------
> >>>
> >>>
> >>>
> >>> --
> >>> SY, Jen Linkova aka Furry
> >>
> >> --
> >> Mark Andrews, ISC
> >> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> >> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
> >>
> >
> >
> > --
> > SY, Jen Linkova aka Furry
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
>


-- 
SY, Jen Linkova aka Furry

v2.23.0 | Report a Bug | By Email