IETF Logo Mail Archive

Re: NAT64 in RA, draft-ietf-6man-ra-pref64

Lorenzo Colitti <lorenzo@google.com> Tue, 02 July 2019 12:51 UTC

Return-Path: <lorenzo@google.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C9571206DD for <ipv6@ietfa.amsl.com>; Tue, 2 Jul 2019 05:51:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.499
X-Spam-Level:
X-Spam-Status: No, score=-17.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DyhNofMNaF0H for <ipv6@ietfa.amsl.com>; Tue, 2 Jul 2019 05:51:06 -0700 (PDT)
Received: from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com [IPv6:2a00:1450:4864:20::42a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D22191200B7 for <6man@ietf.org>; Tue, 2 Jul 2019 05:51:05 -0700 (PDT)
Received: by mail-wr1-x42a.google.com with SMTP id e3so8142989wrs.11 for <6man@ietf.org>; Tue, 02 Jul 2019 05:51:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=krzIy+MsNpisudbessM3/hQDYVxw7/Udvajzh2U7gFU=; b=l9R68ckoDYSpv4fWAbFWEGayInEK8RWvEojqAQHvS7WOH/8MfOj1msifsZqVSjqj2z PnhhY/8hmlelg6AYPB4ZL7UUJKDCgPEX65L1I64lpVS7lPEsqzhplpid+KcJPqQDnDqY qCos0+kINhAxYGHQ5ZvXHsTpTWcGnG3NpAZPsdFTHHDdz7+O6qMUenJ+Zb+p/fgIr2Wv GH/WCqV/1G4IR9iLiaeDg+jbSIRRT20+b5KVym7fnJaZHYuY3Dgd80Es4U0g/8kYPKyI TNYcbQVm2q5/atKHQEtF/GTdABpS/bIHv8klvVsRxIjmBHhxQ1tkFC1OaeISkBqAQIXq DZNA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=krzIy+MsNpisudbessM3/hQDYVxw7/Udvajzh2U7gFU=; b=cxEuBl9c4Y2k/w9hNZhFZfEA9DDwbnkoC0NYjDipffXVeieQ0XSSZaRJZnxpjfwmCM TMynWWhEeiwFI21LxsF2BmW7Gjgsa2d6Wxg6kj2nTvm/aJqif5OiTdy5XnNpy3uPuaR1 sqmm1+a+QSpnj5g52XTse9Ef/J3L+QpZbAceHpuG2vXdZvnpgKV73FG54DxeHkrot3bx dFb6HtoUtWUk8vx8z16u794AsY5l1IY9E9pOaqGXecPlZtGMNRvfdVV9SkGVmLL4AXJY TxdUAPqkKvp2UgW7bQCB8vuERcXAOrBuHJlXHq64Iogz4ZugDC4w9U529YEjflh0mykA MZjA==
X-Gm-Message-State: APjAAAWT6jtGM9zeiwY/2qB/N6TFmgRzjCCFDoaex1Qmvn0cXWdPm1SW IKPhlfkVg9yYkkC+sO4mqgyZM4o60u9/7nIZ4LQ8rw==
X-Google-Smtp-Source: APXvYqyYAo6aV68TTzfVtXBbxlnucgUj2MdUJ2TXcU9DxAe0qHcAEK0cV8szCQyEu4as3cy4FV3EqwSDjjHVejXunOE=
X-Received: by 2002:adf:8183:: with SMTP id 3mr23875406wra.181.1562071864104; Tue, 02 Jul 2019 05:51:04 -0700 (PDT)
MIME-Version: 1.0
References: <12187.1558972629@localhost> <D3C7EB41-02E8-48D6-9335-26A041FD64C2@isc.org> <00C00FE5-C7CD-4B99-A2C9-CCBFCB1E4850@isc.org> <CAFU7BASfJ4YS6xBzK8hNJRSMnFZmdn3VE5A=sPCC3JqRa8SQEQ@mail.gmail.com> <EC63A89D-26CD-4093-8814-4461B6D3D327@isc.org> <CAFU7BASsAwitEc==Zj6qT4izy-tFosg23DHXFVVzOixidEfMFA@mail.gmail.com> <CAKD1Yr3jDTS25ERGZYDDM9yRRTxEfY4Ltcd-QgFNor6ze2G7xA@mail.gmail.com> <6053.1561748461@localhost> <CAFU7BAR9kmnk3Q9aOpsqGFVRZkiRXb0FkZjMXWG2gN0-o1MjGw@mail.gmail.com> <0167874A-F2B4-434A-B674-792FE3AD0E2D@gmail.com> <CAFU7BAT2zw2+EnLW_MZnj2L9RBwH2DyStgRUbaY6bCZLuJwG9g@mail.gmail.com> <CAKD1Yr2mzeVzXFmzh3N21MCr-sg1xJ9D67TPqvEd9YffCrzdqA@mail.gmail.com> <CAN-Dau3qMAH0KAfahjFgN2-mMttmwpM4wEt4vypAxZcvUXB=gQ@mail.gmail.com>
In-Reply-To: <CAN-Dau3qMAH0KAfahjFgN2-mMttmwpM4wEt4vypAxZcvUXB=gQ@mail.gmail.com>
From: Lorenzo Colitti <lorenzo@google.com>
Date: Tue, 02 Jul 2019 21:50:49 +0900
Message-ID: <CAKD1Yr3tm==UMQmuiO5EGv=YM1a0VxPa_5_0ywQQrouPo4SgCQ@mail.gmail.com>
Subject: Re: NAT64 in RA, draft-ietf-6man-ra-pref64
To: David Farmer <farmer@umn.edu>
Cc: Jen Linkova <furry13@gmail.com>, 6man <6man@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009339a9058cb23279"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/RrlUfvvdauZYqoolLkE34ZqnZYk>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jul 2019 12:51:19 -0000

On Tue, Jul 2, 2019 at 9:09 PM David Farmer <farmer@umn.edu> wrote:

> Right. That was the gist of my earlier comment. I believe we all agree
>> that in the most common deployment scenario (i.e., an IPv6-only host with
>> no IPv4), an exclusion list is not useful, because the host really can't
>> reach anything that's not reachable via IPv6.
>>
>
> I mostly agree, but there is a scenario I've been thinking about;
>
> What if the network operator doesn't want RFC1918 and RFC 6598 IPv4
> addresses synthesized at all? I suppose the NAT64 function could block
> these addresses. However, for a large enough population that could be a lot
> of useless traffic going to the NAT64 function. While on the other hand
> some network operators, especially enterprise operators, will probably want
> these addresses synthesized.
>

Hmm... but why will hosts want to send traffic to those addresses? Hosts
(especially IPv6-only hosts) won't just arbitrarily decide to connect to
RFC1918 addresses of their own accord. They will only do that if there is a
reason to do so - for example, if there is an A record in the DNS pointing
at such addresses. But why would the network operator publish A records in
the DNS for IP addresses that it intentionally wants to make unreachable
from some hosts? What is the reason for doing so compared to obvious
alternatives such as a) don't publish said A records, or b) publish said A
records together with corresponding AAAA records?

Also, this problem already exists today in IPv4. Any IPv4-only or
dual-stack host asked to connect to an RFC1918 address will send packets to
it, regardless of whether the address is reachable and of whether it's in
the same NAT domain as the host. For example, applications using STUN, such
as video chat applications, will often try all addresses advertised by the
remote host, even in the common case that the remote host is in a different
NAT domain (e.g. video chat between two residential users each of whom is
behind their own NAT).

Now a complicated APL capability isn't probably needed to handle this, a
> simple one-bit option flag or two would suffice, I believe.
>

In the common case of a /96 prefix I don't think there are any bits left in
the current packet format without increasing the size of the option from 16
to 24 bytes.

>

v2.23.0 | Report a Bug | By Email