Re: IPv6 only host NAT64 requirements?

Ca By <> Mon, 13 November 2017 03:32 UTC

From: Ca By <>
Date: Mon, 13 Nov 2017 03:32:22 +0000
Message-ID: <>
Subject: Re: IPv6 only host NAT64 requirements?
To: Ole Troan <>
Cc: 6man WG <>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <>

On Sun, Nov 12, 2017 at 6:51 PM Ole Troan <> wrote:

> At the hackathon there was quite a bit of testing of IPv6 only hosts with
> access to the IPv4 network via a NAT64.
> While many applications work well on a classic IPv6 only host, there are a
> few things required to make all applications work.
> - Must be able to do NAT64 prefix discovery (RFC6052)
> - Synthesise IPv6 address from an IPv4 literal (RFC7050)
> This is to be able to deal with IPv4 address literals. Which are common in
> protocols like SIP/ICE/STUN.
> These can be implemented directly in applications, or it can be
> implemented in the host stack (although application might still have to
> change).
> - Should do local DNS64 to support DNSSEC (RFC6147)(if you do validation).
> A DNS64 service in the network looks like a man in the middle attack, so
> to support DNSSEC, validation should happen before synthesizing, and must
> be done on the host itself.
> If this is the direction we want to go. Encourage IPv6 only host
> deployments (as opposed to dual stack hosts), are these requirements we'd
> like to add to the IPv6 node requirements document? Somewhere else?

I am not optimistic on the demand / need / value of dnssec in any scenario
.... let alone an ipv6-only host validating an ipv4-only dns name. If the
folks operating this service cared, they could operate the server with
signed v6 names. It is more reasonable in today's internet to ask the
server (let's assume most signed name scenarios are servers) to be set up
right (with v6). There is not a compelling reason why having v6 is
unattainable today for named nodes.

With 20 years of experience with ipsec as an ipv6 node requirement, I think
it is safe to say the IETF foisting requirements into the network layer has
caused more confusion (ipv6 is more secure because everything has ipsec!)
and hacks (ospfv3 ...) than actual true security benefit.

> Best regards,
> Ole
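The host-side steps listed in the quoted message (NAT64 prefix discovery, synthesis from an IPv4 literal, and validating before synthesizing), as an added Python example that is not part of the original thread. The `ipv4only.arpa` answers, the `2001:db8:64::/96` prefix and the `dnssec_status` argument (assumed to come from a validator running on the host) are constructed for illustration.

```python
import ipaddress

# Well-known IPv4 addresses of ipv4only.arpa (RFC 7050 discovery heuristic).
WKA = {ipaddress.IPv4Address("192.0.0.170"), ipaddress.IPv4Address("192.0.0.171")}
PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)  # the only lengths RFC 6052 allows

def _positions(plen):
    """Byte offsets of the four IPv4 octets; byte 8 (the 'u' octet) is skipped."""
    pos, out = plen // 8, []
    while len(out) < 4:
        if pos != 8:
            out.append(pos)
        pos += 1
    return out

def embed(prefix, v4):
    """Build the IPv4-embedded IPv6 address for `v4` under a NAT64 `prefix`."""
    if prefix.prefixlen not in PREFIX_LENGTHS:
        raise ValueError("NAT64 prefix length must be one of %r" % (PREFIX_LENGTHS,))
    raw = bytearray(prefix.network_address.packed)
    for pos, octet in zip(_positions(prefix.prefixlen), v4.packed):
        raw[pos] = octet
    return ipaddress.IPv6Address(bytes(raw))

def discover_prefixes(aaaa_answers):
    """Infer the NAT64 prefix from synthesized AAAA answers for ipv4only.arpa."""
    found = set()
    for text in aaaa_answers:
        addr = ipaddress.IPv6Address(text)
        for plen in PREFIX_LENGTHS:
            v4 = ipaddress.IPv4Address(bytes(addr.packed[i] for i in _positions(plen)))
            if v4 in WKA:
                found.add(ipaddress.IPv6Network((int(addr), plen), strict=False))
    return sorted(found)

def local_dns64(a_records, dnssec_status, prefix):
    """Host-side DNS64: validate the real A data first, then synthesize locally."""
    if dnssec_status == "bogus":  # A RRset failed validation: never synthesize from it
        raise ValueError("refusing to synthesize AAAA from unvalidated A data")
    return [embed(prefix, ipaddress.IPv4Address(a)) for a in a_records]

if __name__ == "__main__":
    # Constructed answers a DNS64 in the network would return for ipv4only.arpa.
    answers = ["2001:db8:64::c000:aa", "2001:db8:64::c000:ab"]
    nat64 = discover_prefixes(answers)[0]
    print("discovered prefix:", nat64)
    # IPv4 literal as it might appear in a SIP/ICE/STUN payload (constructed).
    print("literal 198.51.100.7 ->", embed(nat64, ipaddress.IPv4Address("198.51.100.7")))
    print("validated A record ->", local_dns64(["192.0.2.33"], "secure", nat64))
```

Because synthesis happens after validation on the host, the synthesized AAAA never has to pass DNSSEC itself; only the original A record does.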