Re: IPv6 only host NAT64 requirements?

Jen Linkova <furry13@gmail.com> Fri, 17 November 2017 08:30 UTC

Return-Path: <furry13@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74AA2129432 for <ipv6@ietfa.amsl.com>; Fri, 17 Nov 2017 00:30:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yXvGfQB2UcN3 for <ipv6@ietfa.amsl.com>; Fri, 17 Nov 2017 00:30:56 -0800 (PST)
Received: from mail-lf0-x236.google.com (mail-lf0-x236.google.com [IPv6:2a00:1450:4010:c07::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 22422129417 for <ipv6@ietf.org>; Fri, 17 Nov 2017 00:30:56 -0800 (PST)
Received: by mail-lf0-x236.google.com with SMTP id k66so1789898lfg.3 for <ipv6@ietf.org>; Fri, 17 Nov 2017 00:30:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=BNYtrpv0ATdnHigbWFjkEXkVBgimfjkRw2/0D4lPLlQ=; b=k7kpHedtHMnHiIt8Jklcaw3KWY+Mat/3mFjIUkQqSTu+gBdWey0LI3WNHgJTdvOJdE SmkMH88jq/52u/NR/bo/QRjzYxPg3p7nycG0gz9ILJM69ga11WE+9qgAdjnyw5S+Fxob XQGxRrWBhBNwtTDz57vyGKx0WHJt1E7YHy2NtuWvuskl0IflDxyAzDYbILaos6lYuR1G SNM2hBWqDDbSvdVs3fyMUq1if2KSyUD2f9gdeFRIuOg1uIMOucKYN8iKRv2YRbU0vtzf uQDM16nCWn98btvDFAXDUfuAs9hb6oQ0F33fiW7Lpp89JS8BYlv+K/VHTTNvYuC56Rd7 8jJg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=BNYtrpv0ATdnHigbWFjkEXkVBgimfjkRw2/0D4lPLlQ=; b=mYW75EvyU7L3OlbWtgGYqLNcg8viJpSKWcyp7bQwGrSExGJeoRrKR7OakyjfijC335 m7u/phviQ9nkkBFpYzxKmrd50PWxPS0isp4CBar9DGNaezJwQwGllTLnEYMRVRcO6IV5 5Rqe28Pqa42BOY3ueKi6pOZSgzOOvAFsAj6chrFXyHWPRAY9RdoYyOP1e+0cVHKe1oyg vWpFgMf5KHx09/8qXhTeMJTy1kRJmfHL0Pqpb+ZsbaUSCLT3dzzHmTBtHdArupBFXV3/ HvDNm6HDCM3b9CQbbUz4dnUQrE8nnCMirKgtCAxQjC0F3YZjIw3fm6xIeRf81NxzM46q S4UQ==
X-Gm-Message-State: AJaThX4h6EsnKLqCM8QJdKrUvtqgRRjEfVtMZWlxmos/W+v57IbMCPhd nhtOCeG+JAaB1/GBqFqrmv3ifUpHOhjikef+8G4=
X-Google-Smtp-Source: AGs4zMZHd4YQsUmchC/wuiYnsFAWGeBPCmaPoYX+u6a6WamxNtdfjZhwMasL0uxqE9i7lRxYbthVX/WM6BUKrq2BENI=
X-Received: by 10.46.68.195 with SMTP id b64mr424628ljf.121.1510907454267; Fri, 17 Nov 2017 00:30:54 -0800 (PST)
MIME-Version: 1.0
Received: by 10.25.205.2 with HTTP; Fri, 17 Nov 2017 00:30:33 -0800 (PST)
In-Reply-To: <787AE7BB302AE849A7480A190F8B93300A07AD68@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
References: <m1eEGbJ-0000EhC@stereo.hq.phicoh.net> <D43E103C-27B8-48CF-B801-ACCF9B42533E@employees.org> <m1eEHPS-0000FyC@stereo.hq.phicoh.net> <59B0BEC0-D791-4D75-906C-84C5E423291B@employees.org> <m1eEIGX-0000FjC@stereo.hq.phicoh.net> <73231F8D-498E-4C77-8DA8-044365368FC9@isc.org> <CAKD1Yr1aFwF_qZVp5HbRbKzcOGqn==MRe_ewaA8Qc8t3+CVu_Q@mail.gmail.com> <44A862B7-7182-4B3A-B46E-73065FC4D852@isc.org> <D42D8D7A-6D19-4862-9BB3-4913058A83B6@employees.org> <CAFU7BARCLq9eznccEtkdnKPAtKNT7Mf1bW0uZByPvxtiSrv6EQ@mail.gmail.com> <787AE7BB302AE849A7480A190F8B93300A07AD68@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
From: Jen Linkova <furry13@gmail.com>
Date: Fri, 17 Nov 2017 19:30:33 +1100
Message-ID: <CAFU7BARoXgodiTJfTGc1dUfQ8-ER_r8UOE1c3h-+G0KTeCgBew@mail.gmail.com>
Subject: Re: IPv6 only host NAT64 requirements?
To: Mohamed Boucadair <mohamed.boucadair@orange.com>
Cc: Ole Troan <otroan@employees.org>, 6man WG <ipv6@ietf.org>, Mark Andrews <marka@isc.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/hUqPEz9v-_fLfMtTpy-3TaREI00>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Nov 2017 08:30:59 -0000

On Thu, Nov 16, 2017 at 12:35 AM,  <mohamed.boucadair@orange.com> wrote:
>> IMHO the optimal solution is:
>> - the network SHOULD provide a host with NAT64 prefix information in
>> RA (I do not believe that information needs to be duplicated in DHCP
>> at all);
>
> [Med] Please check: https://tools.ietf.org/html/rfc7051#section-5.7.3

Thanks for pointing this out. To be honest I disagree with what that
section says.
I'm trying to refrain from participating  'SLAAC vs DHCPv6' so I will
not mention all those issues with multihoming for example but....
If you are saying that the prefix should not be distributed via RAs
because it needs to be configured on routers, then what about DNS
servers and SLAAC prefixes themselves?
There are SLAAC-only networks out there while RFC7934 does not
recommend DHCPv6 as the only way to configure clients.
So between those two RA does look like a better way.

> Things may get complex if multiple NSPs are used for load-balancing or if destination based NAT64s are deployed. A list of issues is elaborated in https://tools.ietf.org/html/rfc7225#section-3.1

It's more like v6ops question but I'm really curious if multiple
prefixes scenario is real.
RA option might contain multiple prefixes anyway.

>> >> On 15 Nov 2017, at 08:06, Mark Andrews <marka@isc.org> wrote:
>> >>
>> >>
>> >>> On 15 Nov 2017, at 3:40 am, Lorenzo Colitti <lorenzo@google.com>
>> wrote:
>> >>>
>> >>> On Tue, Nov 14, 2017 at 6:46 AM, Mark Andrews <marka@isc.org> wrote:
>> >>> Is there any reason to run DNS64 at all these days?  ipv4only.arpa can
>> be a preconfigured
>> >>> zone which allows CLAT to get its mapping.  All the phones have CLAT
>> support.
>> >>>
>> >>> That's an interesting idea. It would work in theory, but such a
>> network would completely break devices that don't support 464xlat. That
>> gives up one of the major advantages of NAT64/DNS64, which is that it's a
>> 90% solution even just by itself - yes, IPv4-only applications and address
>> literals exist, but most simple client/server applications Just Work
>> behind it.
>> >>
>> >> And that 90% “solution” has lots of down sides.  It basically requires
>> EVERY DNS VALIDATOR ON
>> >> THE PLANET TO SUPPORT DNS64 JUST IN CASE IT IS USED BEHIND A DNS64
>> SERVER.
>> >>
>> >> DNS64/NAT64 was presented as NOT REQUIRING node changes when first
>> mooted.  It keeps on
>> >> requiring more and more highly invasive node changes to support.  It
>> was from the very beginning
>> >> bad engineering.   To get IPv4 as a service some node changes are
>> required.  Lets make sure they
>> >> are MINIMAL ones.
>> >>
>> >> Just for the record DNSSEC validators need to send BOTH CD=0 and CD=1
>> queries to get answers
>> >> though a upstream VALIDATING server which includes a VALIDATING DNS64
>> server as CD=0 and
>> >> CD=1 address different DNSSEC threats.  I tried very hard to point that
>> out when RFC 6147 was
>> >> being written but the working group decide that CD indicated whether
>> the client was validating or
>> >> not.  There is NO SUCH INDICATION in a DNS message.
>> >>
>> >>  If a query arrives at a vDNS64 device with the "Checking Disabled"
>> >>   (CD) bit set, it is an indication that the querying agent wants all
>> >>   the validation data so it can do checking itself.  By local policy,
>> >>   vDNS64 could still validate, but it must return all data to the
>> >>   querying agent anyway.
>> >>
>> >> CD=0 queries causes the upstream validating servers to reject incoming
>> spoofed answers
>> >> or stale answers (this is a common operational problem).
>> >>
>> >> CD=1 queries allow the validation to succeed when the upstream
>> validator has a bad trust
>> >> anchor or a bad clock which is rejecting legitimate answers.
>> >>
>> >> A validating client can’t just send CD=1 queries as the upstream
>> validator doesn’t kick in.
>> >> The upstream validator can lock onto a stale answer source.  It needs
>> to send CD=0 queries
>> >> on validation failure to force the upstream validator to try multiple
>> sources.
>> >>
>> >> A validating client can’t just send CD=0.  It needs to send CD=1 on
>> SERVFAIL in case the
>> >> upstream validator has a bad trust anchor (likely with the upcoming
>> root KSK roll) or has
>> >> a bad clock (these usually get fixed fast).
>> >>
>> >> Now to get a answer from a signed zone with servers with stale answers
>> a validatiing DNS64 client
>> >> needs to send:
>> >>
>> >> a) send CD=1 and validation failure send CD=0 then on AAAA validation
>> failure send CD=1 and
>> >>    hope the TTL was not 0 and that is not cachable and there is no
>> assurance that you won’t get
>> >>    a answer from a stale source.
>> >>
>> >>       or
>> >>
>> >> b) send CD=0 and on validation failure of the AAAA send CD=1 and hope
>> the TTL was not 0 as
>> >>    that is not cachable and there is no assurance that you won’t get a
>> answer from a stale source.
>> >>
>> >> TTL=0 answers exist.
>> >>
>> >> Note none of this is documented in a RFC.  You have to understand how
>> both DNSSEC and DNS64 work to
>> >> realise this.
>> >>
>> >> IPV4ONLY.ARPA is currently has a secure delegation which breaks prefix
>> discover for DNS VALIDATORS.
>> >> Note “ad” is set in the flags.  Yes, I’ve submitted a errata.  Yes,
>> I’ve opened a ticket to get it fixed but
>> >> based on past experience that could take months if it happens at all.
>> You will note that the recursive
>> >> server is running on the loopback interface so all DNS answers are
>> being validated here.
>> >>
>> >> [rock:bind9/bin/named] marka% dig IPV4ONLY.ARPA
>> >> ;; BADCOOKIE, retrying.
>> >>
>> >> ; <<>> DiG 9.12.0b2+hotspot+add-prefetch+marka <<>> IPV4ONLY.ARPA
>> >> ;; global options: +cmd
>> >> ;; Got answer:
>> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8504
>> >> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>> >>
>> >> ;; OPT PSEUDOSECTION:
>> >> ; EDNS: version: 0, flags:; udp: 4096
>> >> ; COOKIE: 7dbf8beb79be47a09eb5313d5a0b776f4fae3aa6931d9583 (good)
>> >> ;; QUESTION SECTION:
>> >> ;IPV4ONLY.ARPA.                       IN      A
>> >>
>> >> ;; ANSWER SECTION:
>> >> ipv4only.arpa.                26574   IN      A       192.0.0.171
>> >> ipv4only.arpa.                26574   IN      A       192.0.0.170
>> >>
>> >> ;; Query time: 0 msec
>> >> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> >> ;; WHEN: Wed Nov 15 10:08:31 AEDT 2017
>> >> ;; MSG SIZE  rcvd: 115
>> >>
>> >> [rock:bind9/bin/named] marka%
>> >>
>> >>> It's not true that all phones have clat support. Notably, Apple not
>> only does not support it but appears ideologically opposed to it on the
>> grounds that it does not have a good exit strategy (because it makes it
>> possible to run IPv4-only apps forever).
>> >>
>> >>
>> >> --
>> >> Mark Andrews, ISC
>> >> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> >> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
>> >>
>> >> --------------------------------------------------------------------
>> >> IETF IPv6 working group mailing list
>> >> ipv6@ietf.org
>> >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> >> --------------------------------------------------------------------
>> >
>> >
>> > --------------------------------------------------------------------
>> > IETF IPv6 working group mailing list
>> > ipv6@ietf.org
>> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> > --------------------------------------------------------------------
>> >
>>
>>
>>
>> --
>> SY, Jen Linkova aka Furry
>>
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6@ietf.org
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------



-- 
SY, Jen Linkova aka Furry