Re: IPv6 only host NAT64 requirements?
Ca By <cb.list6@gmail.com> Wed, 15 November 2017 02:34 UTC
Return-Path: <cb.list6@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AAA4129477 for <ipv6@ietfa.amsl.com>; Tue, 14 Nov 2017 18:34:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level:
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jcQdPkYLDhjW for <ipv6@ietfa.amsl.com>; Tue, 14 Nov 2017 18:34:52 -0800 (PST)
Received: from mail-yw0-x22d.google.com (mail-yw0-x22d.google.com [IPv6:2607:f8b0:4002:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D9E9120724 for <ipv6@ietf.org>; Tue, 14 Nov 2017 18:34:52 -0800 (PST)
Received: by mail-yw0-x22d.google.com with SMTP id j198so1479676ywg.9 for <ipv6@ietf.org>; Tue, 14 Nov 2017 18:34:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=NihYYYo1DwtFxVAm/FJNQ+nPdtEBmbE19WT8cgYB2wg=; b=GQQgAI//+u6bAVHqFalohIOTax45u1x18+sAjwPW91BPGXtsyEVerHRnt2oR2CbAvp 1JclL+PTfp6rJ2MIFQRZXIWj/RUkHMAqgN3V5ChDNsVfq0xG5AncwrTb7I6Qm7cphacF YB4gAJGkXnhzRSIRm1+HiRpBxFkdMDZj5p1kO2K0APImYqx2iKc2H2Rw6qV9WCJ8w1JX GPBpPVxKhyq3TxcqJx5yp+igUC3s/FQR3CPZjFOfMZaCj1219uy735P8wfQbc8FO1vhn 52PLbZ1xcHqYDjxbaI5Km4JXZCT1I3vyEVcwT8hLGUMG0ZBBrwIKu6zcUl+Dadjy7vip h7jA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NihYYYo1DwtFxVAm/FJNQ+nPdtEBmbE19WT8cgYB2wg=; b=TmdnlLtgYBh2N+gp49662IAYPbA+WRvkkZvAo+OtxLsaZsblngfSrMpLO2szy1ZXv8 Tw5myT+wgRfsVApty4Ytb+eRRx1GtE6KNOM1cuQp6FiR1LeDI3jxqrsoXEbrEa5nVRx0 RVent4eMynO7N8KI8+YsSoj+moPIFf8yfpxx3FN+3uwP6i+ERIL0oxcdb5evwjy5GZ2k GwUNKYYK44GwhURCl/nQvDMu/px1QccCbe+Jt5NM1dRTcm4fksmrFNOMXG+rIFJ6MKiG lYNFdxxglABIOqTJFdWXW/OcSBGnHAGG51jtg37O8a0XUXMNnkyUT0lkBjyWPU2jsbnt QYfA==
X-Gm-Message-State: AJaThX6r5eVNrCGWn+ZV9SgyCews36KFvrFKyjIGXamgfjc3AiohD0bK zXLz/CZpEYbF+6+FxyYJR+tOEpwCxWZY4IKp4sM=
X-Google-Smtp-Source: AGs4zMat60dPMMOXyCwFk513WXaRgU90wzK6LGSfIGz7ow8ptM7xxySTHvsFNFy+NxQoFI8HDATzca6SPrHDrsWKp3k=
X-Received: by 10.37.20.193 with SMTP id 184mr8436636ybu.400.1510713291616; Tue, 14 Nov 2017 18:34:51 -0800 (PST)
MIME-Version: 1.0
References: <m1eEGbJ-0000EhC@stereo.hq.phicoh.net> <D43E103C-27B8-48CF-B801-ACCF9B42533E@employees.org> <m1eEHPS-0000FyC@stereo.hq.phicoh.net> <59B0BEC0-D791-4D75-906C-84C5E423291B@employees.org> <m1eEIGX-0000FjC@stereo.hq.phicoh.net> <73231F8D-498E-4C77-8DA8-044365368FC9@isc.org> <CAKD1Yr1aFwF_qZVp5HbRbKzcOGqn==MRe_ewaA8Qc8t3+CVu_Q@mail.gmail.com> <44A862B7-7182-4B3A-B46E-73065FC4D852@isc.org> <D42D8D7A-6D19-4862-9BB3-4913058A83B6@employees.org>
In-Reply-To: <D42D8D7A-6D19-4862-9BB3-4913058A83B6@employees.org>
From: Ca By <cb.list6@gmail.com>
Date: Wed, 15 Nov 2017 02:34:40 +0000
Message-ID: <CAD6AjGT0mhH8HBdM-0bZNi1_c0Nhc-KpN5pjqL1H3fOt5AQ=EA@mail.gmail.com>
Subject: Re: IPv6 only host NAT64 requirements?
To: Ole Troan <otroan@employees.org>
Cc: 6man WG <ipv6@ietf.org>, Mark Andrews <marka@isc.org>
Content-Type: multipart/alternative; boundary="001a113e72b61ab88a055dfc5969"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/ZhMlnWDtw3l8iISPRKNllB35rd0>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Nov 2017 02:34:55 -0000
On Tue, Nov 14, 2017 at 6:08 PM Ole Troan <otroan@employees.org> wrote: > Mark, > > Thanks for doing the analysis of this. It will take me some time to digest. > > If I may try to suggest a solution based on what you are saying: > > - Remove (external) DNS64 from the solution > - Replace NAT64 prefix discovery with some sort of local configuration. > e.g. put it in DHCP or RA > > Which has the implications that: > - host learns NAT64 prefix via RA/DHCP > - host is free to use whatever DNS recursive resolvers (instead of the > must be local (and on correct interface where the NAT64 is) resolver > - host synthesises addresses itself. And does validation before > synthesising (if that's required). > > Is this the solution you would be looking for? > > And yes, you need host changes. But we need that anyway. > Or your peer node could deploy ipv6 and be done with all these transition nonsense. As has been reported in elsewhere, docsis and 3gpp networks see 50+ and 70+% of their bits moved to ipv6. The problem size is waning quickly, especially on modern OS > Cheers, > Ole > > > > > > On 15 Nov 2017, at 08:06, Mark Andrews <marka@isc.org> wrote: > > > > > >> On 15 Nov 2017, at 3:40 am, Lorenzo Colitti <lorenzo@google.com> wrote: > >> > >> On Tue, Nov 14, 2017 at 6:46 AM, Mark Andrews <marka@isc.org> wrote: > >> Is there any reason to run DNS64 at all these days? ipv4only.arpa can > be a preconfigured > >> zone which allows CLAT to get its mapping. All the phones have CLAT > support. > >> > >> That's an interesting idea. It would work in theory, but such a network > would completely break devices that don't support 464xlat. That gives up > one of the major advantages of NAT64/DNS64, which is that it's a 90% > solution even just by itself - yes, IPv4-only applications and address > literals exist, but most simple client/server applications Just Work behind > it. > > > > And that 90% “solution” has lots of down sides. It basically requires > EVERY DNS VALIDATOR ON > > THE PLANET TO SUPPORT DNS64 JUST IN CASE IT IS USED BEHIND A DNS64 > SERVER. > > > > DNS64/NAT64 was presented as NOT REQUIRING node changes when first > mooted. It keeps on > > requiring more and more highly invasive node changes to support. It was > from the very beginning > > bad engineering. To get IPv4 as a service some node changes are > required. Lets make sure they > > are MINIMAL ones. > > > > Just for the record DNSSEC validators need to send BOTH CD=0 and CD=1 > queries to get answers > > though a upstream VALIDATING server which includes a VALIDATING DNS64 > server as CD=0 and > > CD=1 address different DNSSEC threats. I tried very hard to point that > out when RFC 6147 was > > being written but the working group decide that CD indicated whether the > client was validating or > > not. There is NO SUCH INDICATION in a DNS message. > > > > If a query arrives at a vDNS64 device with the "Checking Disabled" > > (CD) bit set, it is an indication that the querying agent wants all > > the validation data so it can do checking itself. By local policy, > > vDNS64 could still validate, but it must return all data to the > > querying agent anyway. > > > > CD=0 queries causes the upstream validating servers to reject incoming > spoofed answers > > or stale answers (this is a common operational problem). > > > > CD=1 queries allow the validation to succeed when the upstream validator > has a bad trust > > anchor or a bad clock which is rejecting legitimate answers. > > > > A validating client can’t just send CD=1 queries as the upstream > validator doesn’t kick in. > > The upstream validator can lock onto a stale answer source. It needs to > send CD=0 queries > > on validation failure to force the upstream validator to try multiple > sources. > > > > A validating client can’t just send CD=0. It needs to send CD=1 on > SERVFAIL in case the > > upstream validator has a bad trust anchor (likely with the upcoming root > KSK roll) or has > > a bad clock (these usually get fixed fast). > > > > Now to get a answer from a signed zone with servers with stale answers a > validatiing DNS64 client > > needs to send: > > > > a) send CD=1 and validation failure send CD=0 then on AAAA validation > failure send CD=1 and > > hope the TTL was not 0 and that is not cachable and there is no > assurance that you won’t get > > a answer from a stale source. > > > > or > > > > b) send CD=0 and on validation failure of the AAAA send CD=1 and hope > the TTL was not 0 as > > that is not cachable and there is no assurance that you won’t get a > answer from a stale source. > > > > TTL=0 answers exist. > > > > Note none of this is documented in a RFC. You have to understand how > both DNSSEC and DNS64 work to > > realise this. > > > > IPV4ONLY.ARPA is currently has a secure delegation which breaks prefix > discover for DNS VALIDATORS. > > Note “ad” is set in the flags. Yes, I’ve submitted a errata. Yes, I’ve > opened a ticket to get it fixed but > > based on past experience that could take months if it happens at all. > You will note that the recursive > > server is running on the loopback interface so all DNS answers are being > validated here. > > > > [rock:bind9/bin/named] marka% dig IPV4ONLY.ARPA > > ;; BADCOOKIE, retrying. > > > > ; <<>> DiG 9.12.0b2+hotspot+add-prefetch+marka <<>> IPV4ONLY.ARPA > > ;; global options: +cmd > > ;; Got answer: > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8504 > > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 > > > > ;; OPT PSEUDOSECTION: > > ; EDNS: version: 0, flags:; udp: 4096 > > ; COOKIE: 7dbf8beb79be47a09eb5313d5a0b776f4fae3aa6931d9583 (good) > > ;; QUESTION SECTION: > > ;IPV4ONLY.ARPA. IN A > > > > ;; ANSWER SECTION: > > ipv4only.arpa. 26574 IN A 192.0.0.171 > > ipv4only.arpa. 26574 IN A 192.0.0.170 > > > > ;; Query time: 0 msec > > ;; SERVER: 127.0.0.1#53(127.0.0.1) > > ;; WHEN: Wed Nov 15 10:08:31 AEDT 2017 > > ;; MSG SIZE rcvd: 115 > > > > [rock:bind9/bin/named] marka% > > > >> It's not true that all phones have clat support. Notably, Apple not > only does not support it but appears ideologically opposed to it on the > grounds that it does not have a good exit strategy (because it makes it > possible to run IPv4-only apps forever). > > > > > > -- > > Mark Andrews, ISC > > 1 Seymour St., Dundas Valley, NSW 2117, Australia > > PHONE: +61 2 9871 4742 INTERNET: marka@isc.org > > > > -------------------------------------------------------------------- > > IETF IPv6 working group mailing list > > ipv6@ietf.org > > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > > -------------------------------------------------------------------- > > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > -------------------------------------------------------------------- >
- IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Ca By
- Re: IPv6 only host NAT64 requirements? JORDI PALET MARTINEZ
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Tim Chown
- Re: IPv6 only host NAT64 requirements? Ca By
- Re: IPv6 only host NAT64 requirements? Rajiv Asati (rajiva)
- Re: IPv6 only host NAT64 requirements? Tim Chown
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Philip Homburg
- Re: IPv6 only host NAT64 requirements? Philip Homburg
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Ca By
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Ca By
- Re: IPv6 only host NAT64 requirements? Ca By
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Philip Homburg
- Re: IPv6 only host NAT64 requirements? Ca By
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Philip Homburg
- Re: IPv6 only host NAT64 requirements? Lorenzo Colitti
- Re: IPv6 only host NAT64 requirements? Philip Homburg
- Re: IPv6 only host NAT64 requirements? Mark Andrews
- Re: IPv6 only host NAT64 requirements? Philip Homburg
- Re: IPv6 only host NAT64 requirements? Mark Andrews
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv6 only host NAT64 requirements? Ole Troan
- IPv4 only apps [was: IPv6 only host NAT64 require… Brian E Carpenter
- Re: IPv4 only apps [was: IPv6 only host NAT64 req… Ole Troan
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv4 only apps [was: IPv6 only host NAT64 req… Brian E Carpenter
- Re: IPv4 only apps [was: IPv6 only host NAT64 req… Ole Troan
- Re: IPv6 only host NAT64 requirements? Michael Richardson
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Philip Homburg
- Re: IPv6 only host NAT64 requirements? Michael Richardson
- Re: IPv6 only host NAT64 requirements? Lorenzo Colitti
- Re: IPv6 only host NAT64 requirements? Mark Andrews
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Ca By
- Re: IPv6 only host NAT64 requirements? Jen Linkova
- Re: IPv6 only host NAT64 requirements? Erik Kline
- Re: IPv6 only host NAT64 requirements? Jen Linkova
- Re: IPv6 only host NAT64 requirements? JORDI PALET MARTINEZ
- Re: IPv6 only host NAT64 requirements? JORDI PALET MARTINEZ
- Re: IPv6 only host NAT64 requirements? JORDI PALET MARTINEZ
- Re: IPv6 only host NAT64 requirements? JORDI PALET MARTINEZ
- Re: IPv6 only host NAT64 requirements? Mark Andrews
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv6 only host NAT64 requirements? JORDI PALET MARTINEZ
- RE: IPv6 only host NAT64 requirements? mohamed.boucadair
- Re: IPv6 only host NAT64 requirements? james woodyatt
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? james woodyatt
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv6 only host NAT64 requirements? james woodyatt
- Re: IPv6 only host NAT64 requirements? Ca By
- Re: IPv6 only host NAT64 requirements? james woodyatt
- RE: IPv6 only host NAT64 requirements? mohamed.boucadair
- RE: IPv6 only host NAT64 requirements? mohamed.boucadair
- PCP, and 6434bis (was Re: IPv6 only host NAT64 re… Tim Chown
- Re: PCP, and 6434bis (was Re: IPv6 only host NAT6… Ca By
- Re: PCP, and 6434bis (was Re: IPv6 only host NAT6… Tim Chown
- Re: PCP, and 6434bis (was Re: IPv6 only host NAT6… Ca By
- Re: PCP, and 6434bis (was Re: IPv6 only host NAT6… james woodyatt
- Re: IPv6 only host NAT64 requirements? Michael Richardson
- Re: PCP, and 6434bis (was Re: IPv6 only host NAT6… Michael Richardson
- Re: PCP, and 6434bis (was Re: IPv6 only host NAT6… james woodyatt
- Re: PCP, and 6434bis (was Re: IPv6 only host NAT6… Mark Andrews
- RE: IPv6 only host NAT64 requirements? mohamed.boucadair
- Re: IPv6 only host NAT64 requirements? Jen Linkova
- Re: IPv6 only host NAT64 requirements? Fred Baker
- Re: IPv6 only host NAT64 requirements? Fred Baker
- RE: IPv6 only host NAT64 requirements? mohamed.boucadair
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: PCP, and 6434bis (was Re: IPv6 only host NAT6… Tim Chown
- Re: IPv6 only host NAT64 requirements? james woodyatt
- Re: IPv6 only host NAT64 requirements? Jen Linkova
- Re: PCP, and 6434bis (was Re: IPv6 only host NAT6… Fernando Gont
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Mikael Abrahamsson
- Re: IPv6 only host NAT64 requirements? JORDI PALET MARTINEZ
- Re: IPv6 only host NAT64 requirements? Simon Hobson
- Re: IPv6 only host NAT64 requirements? Ca By
- Re: IPv6 only host NAT64 requirements? Mikael Abrahamsson
- Re: IPv6 only host NAT64 requirements? Mark Andrews
- Re: IPv6 only host NAT64 requirements? Mikael Abrahamsson
- RE: IPv6 only host NAT64 requirements? mohamed.boucadair
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Ole Troan
- RE: IPv6 only host NAT64 requirements? mohamed.boucadair
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Mark Andrews
- Re: IPv6 only host NAT64 requirements? Ole Troan
- RE: IPv6 only host NAT64 requirements? mohamed.boucadair
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Michael Richardson
- Re: IPv6 only host NAT64 requirements? Alexandre Petrescu
- Re: IPv6 only host NAT64 requirements? Ole Troan
- RE: IPv6 only host NAT64 requirements? mohamed.boucadair
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? JORDI PALET MARTINEZ
- RE: IPv6 only host NAT64 requirements? Manfredi, Albert E
- Re: IPv6 only host NAT64 requirements? JORDI PALET MARTINEZ
- Re: IPv6 only host NAT64 requirements? Jen Linkova
- Re: IPv6 only host NAT64 requirements? Jen Linkova
- RE: IPv6 only host NAT64 requirements? Manfredi, Albert E
- Re: IPv6 only host NAT64 requirements? Lee Howard
- Re: IPv6 only host NAT64 requirements? Lee Howard
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv6 only host NAT64 requirements? Ole Troan
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv6 only host NAT64 requirements? Mark Andrews
- RE: IPv6 only host NAT64 requirements? Masanobu Kawashima
- Re: IPv6 only host NAT64 requirements? Mikael Abrahamsson
- Re: IPv6 only host NAT64 requirements? Mikael Abrahamsson
- Re: IPv6 only host NAT64 requirements? Jen Linkova
- Re: IPv6 only host NAT64 requirements? JORDI PALET MARTINEZ
- Re: IPv6 only host NAT64 requirements? JORDI PALET MARTINEZ
- Re: IPv6 only host NAT64 requirements? Ola Thoresen
- Re: IPv6 only host NAT64 requirements? JORDI PALET MARTINEZ
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter
- Re: IPv6 only host NAT64 requirements? Alexandre Petrescu
- Re: IPv6 only host NAT64 requirements? Ca By
- Re: IPv6 only host NAT64 requirements? Brian E Carpenter