Re: IPv6 only host NAT64 requirements?

Fred Baker <fredbaker.ietf@gmail.com> Fri, 17 November 2017 08:38 UTC

Return-Path: <fredbaker.ietf@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38EAE129411 for <ipv6@ietfa.amsl.com>; Fri, 17 Nov 2017 00:38:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DBkmIMTPFeJg for <ipv6@ietfa.amsl.com>; Fri, 17 Nov 2017 00:38:09 -0800 (PST)
Received: from mail-pf0-x230.google.com (mail-pf0-x230.google.com [IPv6:2607:f8b0:400e:c00::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 697261287A0 for <ipv6@ietf.org>; Fri, 17 Nov 2017 00:38:09 -0800 (PST)
Received: by mail-pf0-x230.google.com with SMTP id l24so1455123pfj.6 for <ipv6@ietf.org>; Fri, 17 Nov 2017 00:38:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=pjoWuo5+/7nPfbV6izOrhs+jmW82By3frS5i5AguoSw=; b=rYozwLWSDLjWSBOyAkJNotfiUx8YKYqrv9yFqU1lpE4+IxzO7nnpxh9h9QMKG11kdM FUEE7T8VCVErDMVrvFYTYgy5M6p0lY3JItkKUSJ5zn+smJS7IuhWglowokIu5AhB0+sd 7kf+fp1ZSk02Cn0L47Z8KPpHNmQkNCegUy57MYdVnuN6oAtf2PXQzKq7gHWK/ojcax/P kNqW8k37/lWQUZ/0Aaj/qXRwrbLo6nAnuTNk63kbiIwxh7Ki4oVkaFOZywqB6RJbHeTL wBtiGI1j/Pxoaphb/dVNlYtgCFxqjqXx4m6ssUu3Urnmvz6NkpbwlkMbLduIIfmLyOPW csSQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=pjoWuo5+/7nPfbV6izOrhs+jmW82By3frS5i5AguoSw=; b=r2OoTemJzNJPZGQhRVsqplpb2xVv9UpfnyPT57UbgW9YXPKMrK8ojl1IUUwPyek5Hm K5HuQGcTofcErpyB5MD3e5swmHSObj8Yq/VMrqWySpmRaa5Htdo2opAcIVlp75VQVvsC x/gzaWjnKu4ijYS7T61idKuy9AJVC68gXXnyVeJcJxFxMsMoCaNnzwsDcMT4YANofITR AWEmA/QOjRaXYaZ2KxGMW2od4BEE3YFZJWVkAuxD1ArV0kAgPh/TL9SBqUk911eL653z uh0kCTnj4OROrFYTcBSCoqzqEu616JaJpTy3hXpHKY70YZM1TvS83C3UxjXqveJ7T0j9 LkQw==
X-Gm-Message-State: AJaThX5kH8JW+JYFczUDTTZr70DWQmovebFbZBtWNe16QSrVWdQfdcDZ B5mv4/ZOXt9JjEtwY5O4cPU=
X-Google-Smtp-Source: AGs4zMbUJEsTLgaWOYCUErrzIHeySeSIO7d8HzrjH12Z/eDiuqsv9WXknQsDXRBfsaLl51Bbg48cFQ==
X-Received: by 10.159.235.151 with SMTP id f23mr4608502plr.384.1510907888703; Fri, 17 Nov 2017 00:38:08 -0800 (PST)
Received: from [21.244.79.126] ([172.56.30.43]) by smtp.gmail.com with ESMTPSA id x1sm7396697pfh.113.2017.11.17.00.38.06 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 17 Nov 2017 00:38:07 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (1.0)
Subject: Re: IPv6 only host NAT64 requirements?
From: Fred Baker <fredbaker.ietf@gmail.com>
X-Mailer: iPhone Mail (15B150)
In-Reply-To: <CAFU7BARoXgodiTJfTGc1dUfQ8-ER_r8UOE1c3h-+G0KTeCgBew@mail.gmail.com>
Date: Fri, 17 Nov 2017 16:38:02 +0800
Cc: Mohamed Boucadair <mohamed.boucadair@orange.com>, 6man WG <ipv6@ietf.org>, Mark Andrews <marka@isc.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <962DDEC3-3F89-4A7E-9C54-D7C96D59BD24@gmail.com>
References: <m1eEGbJ-0000EhC@stereo.hq.phicoh.net> <D43E103C-27B8-48CF-B801-ACCF9B42533E@employees.org> <m1eEHPS-0000FyC@stereo.hq.phicoh.net> <59B0BEC0-D791-4D75-906C-84C5E423291B@employees.org> <m1eEIGX-0000FjC@stereo.hq.phicoh.net> <73231F8D-498E-4C77-8DA8-044365368FC9@isc.org> <CAKD1Yr1aFwF_qZVp5HbRbKzcOGqn==MRe_ewaA8Qc8t3+CVu_Q@mail.gmail.com> <44A862B7-7182-4B3A-B46E-73065FC4D852@isc.org> <D42D8D7A-6D19-4862-9BB3-4913058A83B6@employees.org> <CAFU7BARCLq9eznccEtkdnKPAtKNT7Mf1bW0uZByPvxtiSrv6EQ@mail.gmail.com> <787AE7BB302AE849A7480A190F8B93300A07AD68@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <CAFU7BARoXgodiTJfTGc1dUfQ8-ER_r8UOE1c3h-+G0KTeCgBew@mail.gmail.com>
To: Jen Linkova <furry13@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/vM8dVpiziha5dC2BhXMGrcI_vi0>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Nov 2017 08:38:12 -0000

Tore Anderson has a multiple prefix installation.

Sent using a machine that autocorrects in interesting ways...

> On Nov 17, 2017, at 4:30 PM, Jen Linkova <furry13@gmail.com>; wrote:
> 
> On Thu, Nov 16, 2017 at 12:35 AM,  <mohamed.boucadair@orange.com>; wrote:
>>> IMHO the optimal solution is:
>>> - the network SHOULD provide a host with NAT64 prefix information in
>>> RA (I do not believe that information needs to be duplicated in DHCP
>>> at all);
>> 
>> [Med] Please check: https://tools.ietf.org/html/rfc7051#section-5.7.3
> 
> Thanks for pointing this out. To be honest I disagree with what that
> section says.
> I'm trying to refrain from participating  'SLAAC vs DHCPv6' so I will
> not mention all those issues with multihoming for example but....
> If you are saying that the prefix should not be distributed via RAs
> because it needs to be configured on routers, then what about DNS
> servers and SLAAC prefixes themselves?
> There are SLAAC-only networks out there while RFC7934 does not
> recommend DHCPv6 as the only way to configure clients.
> So between those two RA does look like a better way.
> 
>> Things may get complex if multiple NSPs are used for load-balancing or if destination based NAT64s are deployed. A list of issues is elaborated in https://tools.ietf.org/html/rfc7225#section-3.1
> 
> It's more like v6ops question but I'm really curious if multiple
> prefixes scenario is real.
> RA option might contain multiple prefixes anyway.
> 
>>>>> On 15 Nov 2017, at 08:06, Mark Andrews <marka@isc.org>; wrote:
>>>>> 
>>>>> 
>>>>>> On 15 Nov 2017, at 3:40 am, Lorenzo Colitti <lorenzo@google.com>;
>>> wrote:
>>>>>> 
>>>>>> On Tue, Nov 14, 2017 at 6:46 AM, Mark Andrews <marka@isc.org>; wrote:
>>>>>> Is there any reason to run DNS64 at all these days?  ipv4only.arpa can
>>> be a preconfigured
>>>>>> zone which allows CLAT to get its mapping.  All the phones have CLAT
>>> support.
>>>>>> 
>>>>>> That's an interesting idea. It would work in theory, but such a
>>> network would completely break devices that don't support 464xlat. That
>>> gives up one of the major advantages of NAT64/DNS64, which is that it's a
>>> 90% solution even just by itself - yes, IPv4-only applications and address
>>> literals exist, but most simple client/server applications Just Work
>>> behind it.
>>>>> 
>>>>> And that 90% “solution” has lots of down sides.  It basically requires
>>> EVERY DNS VALIDATOR ON
>>>>> THE PLANET TO SUPPORT DNS64 JUST IN CASE IT IS USED BEHIND A DNS64
>>> SERVER.
>>>>> 
>>>>> DNS64/NAT64 was presented as NOT REQUIRING node changes when first
>>> mooted.  It keeps on
>>>>> requiring more and more highly invasive node changes to support.  It
>>> was from the very beginning
>>>>> bad engineering.   To get IPv4 as a service some node changes are
>>> required.  Lets make sure they
>>>>> are MINIMAL ones.
>>>>> 
>>>>> Just for the record DNSSEC validators need to send BOTH CD=0 and CD=1
>>> queries to get answers
>>>>> though a upstream VALIDATING server which includes a VALIDATING DNS64
>>> server as CD=0 and
>>>>> CD=1 address different DNSSEC threats.  I tried very hard to point that
>>> out when RFC 6147 was
>>>>> being written but the working group decide that CD indicated whether
>>> the client was validating or
>>>>> not.  There is NO SUCH INDICATION in a DNS message.
>>>>> 
>>>>> If a query arrives at a vDNS64 device with the "Checking Disabled"
>>>>>  (CD) bit set, it is an indication that the querying agent wants all
>>>>>  the validation data so it can do checking itself.  By local policy,
>>>>>  vDNS64 could still validate, but it must return all data to the
>>>>>  querying agent anyway.
>>>>> 
>>>>> CD=0 queries causes the upstream validating servers to reject incoming
>>> spoofed answers
>>>>> or stale answers (this is a common operational problem).
>>>>> 
>>>>> CD=1 queries allow the validation to succeed when the upstream
>>> validator has a bad trust
>>>>> anchor or a bad clock which is rejecting legitimate answers.
>>>>> 
>>>>> A validating client can’t just send CD=1 queries as the upstream
>>> validator doesn’t kick in.
>>>>> The upstream validator can lock onto a stale answer source.  It needs
>>> to send CD=0 queries
>>>>> on validation failure to force the upstream validator to try multiple
>>> sources.
>>>>> 
>>>>> A validating client can’t just send CD=0.  It needs to send CD=1 on
>>> SERVFAIL in case the
>>>>> upstream validator has a bad trust anchor (likely with the upcoming
>>> root KSK roll) or has
>>>>> a bad clock (these usually get fixed fast).
>>>>> 
>>>>> Now to get a answer from a signed zone with servers with stale answers
>>> a validatiing DNS64 client
>>>>> needs to send:
>>>>> 
>>>>> a) send CD=1 and validation failure send CD=0 then on AAAA validation
>>> failure send CD=1 and
>>>>>   hope the TTL was not 0 and that is not cachable and there is no
>>> assurance that you won’t get
>>>>>   a answer from a stale source.
>>>>> 
>>>>>      or
>>>>> 
>>>>> b) send CD=0 and on validation failure of the AAAA send CD=1 and hope
>>> the TTL was not 0 as
>>>>>   that is not cachable and there is no assurance that you won’t get a
>>> answer from a stale source.
>>>>> 
>>>>> TTL=0 answers exist.
>>>>> 
>>>>> Note none of this is documented in a RFC.  You have to understand how
>>> both DNSSEC and DNS64 work to
>>>>> realise this.
>>>>> 
>>>>> IPV4ONLY.ARPA is currently has a secure delegation which breaks prefix
>>> discover for DNS VALIDATORS.
>>>>> Note “ad” is set in the flags.  Yes, I’ve submitted a errata.  Yes,
>>> I’ve opened a ticket to get it fixed but
>>>>> based on past experience that could take months if it happens at all.
>>> You will note that the recursive
>>>>> server is running on the loopback interface so all DNS answers are
>>> being validated here.
>>>>> 
>>>>> [rock:bind9/bin/named] marka% dig IPV4ONLY.ARPA
>>>>> ;; BADCOOKIE, retrying.
>>>>> 
>>>>> ; <<>> DiG 9.12.0b2+hotspot+add-prefetch+marka <<>> IPV4ONLY.ARPA
>>>>> ;; global options: +cmd
>>>>> ;; Got answer:
>>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8504
>>>>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>>>>> 
>>>>> ;; OPT PSEUDOSECTION:
>>>>> ; EDNS: version: 0, flags:; udp: 4096
>>>>> ; COOKIE: 7dbf8beb79be47a09eb5313d5a0b776f4fae3aa6931d9583 (good)
>>>>> ;; QUESTION SECTION:
>>>>> ;IPV4ONLY.ARPA.                       IN      A
>>>>> 
>>>>> ;; ANSWER SECTION:
>>>>> ipv4only.arpa.                26574   IN      A       192.0.0.171
>>>>> ipv4only.arpa.                26574   IN      A       192.0.0.170
>>>>> 
>>>>> ;; Query time: 0 msec
>>>>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>>>>> ;; WHEN: Wed Nov 15 10:08:31 AEDT 2017
>>>>> ;; MSG SIZE  rcvd: 115
>>>>> 
>>>>> [rock:bind9/bin/named] marka%
>>>>> 
>>>>>> It's not true that all phones have clat support. Notably, Apple not
>>> only does not support it but appears ideologically opposed to it on the
>>> grounds that it does not have a good exit strategy (because it makes it
>>> possible to run IPv4-only apps forever).
>>>>> 
>>>>> 
>>>>> --
>>>>> Mark Andrews, ISC
>>>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>>>>> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
>>>>> 
>>>>> --------------------------------------------------------------------
>>>>> IETF IPv6 working group mailing list
>>>>> ipv6@ietf.org
>>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>>> --------------------------------------------------------------------
>>>> 
>>>> 
>>>> --------------------------------------------------------------------
>>>> IETF IPv6 working group mailing list
>>>> ipv6@ietf.org
>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>> --------------------------------------------------------------------
>>>> 
>>> 
>>> 
>>> 
>>> --
>>> SY, Jen Linkova aka Furry
>>> 
>>> --------------------------------------------------------------------
>>> IETF IPv6 working group mailing list
>>> ipv6@ietf.org
>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>> --------------------------------------------------------------------
> 
> 
> 
> -- 
> SY, Jen Linkova aka Furry
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------