RE: (ngtrans) NAT-PT DNS ALG issues

George Tsirtsis <G.Tsirtsis@flarion.com> Fri, 22 February 2002 16:01 UTC

Received: from patan.sun.com (patan.Sun.COM [192.18.98.43]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA07453 for <ngtrans-archive@odin.ietf.org>; Fri, 22 Feb 2002 11:01:16 -0500 (EST)
Received: from engmail4.Eng.Sun.COM ([129.144.134.6]) by patan.sun.com (8.9.3+Sun/8.9.3) with ESMTP id IAA12903; Fri, 22 Feb 2002 08:58:49 -0700 (MST)
Received: from sunroof.eng.sun.com (sunroof.Eng.Sun.COM [129.146.168.88]) by engmail4.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v2.1p1) with ESMTP id HAA13178; Fri, 22 Feb 2002 07:58:19 -0800 (PST)
Received: from sunroof.eng.sun.com (localhost [127.0.0.1]) by sunroof.eng.sun.com (8.12.2+Sun/8.12.2) with ESMTP id g1MFvtKL000302 for <ngtrans-dist@sunroof.eng.sun.com>; Fri, 22 Feb 2002 07:57:56 -0800 (PST)
Received: (from majordomo@localhost) by sunroof.eng.sun.com (8.12.2+Sun/8.12.2/Submit) id g1MFvtho000301 for ngtrans-dist; Fri, 22 Feb 2002 07:57:55 -0800 (PST)
X-Authentication-Warning: sunroof.eng.sun.com: majordomo set sender to owner-ngtrans@sunroof.eng.sun.com using -f
Received: from engmail2.Eng.Sun.COM (engmail2 [129.146.1.25]) by sunroof.eng.sun.com (8.12.2+Sun/8.12.2) with ESMTP id g1MFvrKL000293 for <ngtrans@sunroof.eng.sun.com>; Fri, 22 Feb 2002 07:57:53 -0800 (PST)
Received: from pheriche.sun.com (pheriche.Central.Sun.COM [129.147.5.34]) by engmail2.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL, v2.1p1) with ESMTP id HAA13806 for <ngtrans@sunroof.eng.sun.com>; Fri, 22 Feb 2002 07:57:55 -0800 (PST)
Received: from RRMAIL01.RADIOROUTER_NT ([63.103.94.23]) by pheriche.sun.com (8.9.3+Sun/8.9.3) with ESMTP id IAA25574 for <ngtrans@sunroof.eng.sun.com>; Fri, 22 Feb 2002 08:57:54 -0700 (MST)
Received: by planetajeans.com with Internet Mail Service (5.5.2653.19) id <1LTW8RRY>; Fri, 22 Feb 2002 10:57:51 -0500
Message-ID: <8C92E23A3E87FB479988285F9E22BE465ABB32@ftmail>
From: George Tsirtsis <G.Tsirtsis@flarion.com>
To: 'Alain Durand' <Alain.Durand@sun.com>, ngtrans@sunroof.eng.sun.com
Subject: RE: (ngtrans) NAT-PT DNS ALG issues
Date: Fri, 22 Feb 2002 10:57:47 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ngtrans@sunroof.eng.sun.com
Precedence: bulk
Reply-To: George Tsirtsis <G.Tsirtsis@flarion.com>

Hi Alain,

First of all, a disclaimer. I am not surprised that several problems have
surfaced with DNS-ALGs; what I am surprised about is the fact that it was
ever allowed to be part of a standards track RFC :-0 Even at the time I was
arguing that this (and anything NAT related) should be at best
Informational. I am not a huge fan of NAT-PT, I have never promoted it as a
serious solution to anything, certainly not as a solution for large
deployments (e.g.: 3G) and I am actually surprised it ever became so
popular....eehhm, please do not ask me why I wrote the draft :-)

Anyway, do you have a suggestion about how to proceed? Your draft only
points to "issues"...no suggestions. As a co-author I have no problems if
the WG wants to review and change the spec. My only problem is time...of
which I have very little to spend on this. I can contribute maybe, but I will
need help if any changes are required.

Regards
George 


Here are some comments on <draft-durand-natpt-dns-alg-issues-00.txt>:

...

   --------------------------------------------------------------------
   => Applications behind a NAT-PT DNS ALG may think they use IPv6 when
   they are actually using IPv6 + NAT-PT + IPv4.
   --------------------------------------------------------------------

GT> Well, that was the idea....i.e.: a stub network with IPv6 ONLY devices
to be able to talk to IPv4 devices external to this stub network.

...

   --------------------------------------------------------------------
   => The communication between a node within the NAT-PT domain and an
   external dual stack host will select the translated path over the
   native IPv6 path.
   --------------------------------------------------------------------

GT> Indeed this is true. At the time we did suggest that such translated
addresses to be identifiable and thus be assigned with low priority in terms
of address selection but I think this was rejected; people did not want to
define yet another type of address.


   --------------------------------------------------------------------
   => For NAT-PT to work correctly with DNS-ALG, it requires that the
   NAT-PT box be the only default IPv6 router of the NAT-PT domain.
   This works fine for small networks but raises some scalability issues
   when applied to large networks or for networks with multiple exit
   routes.
   --------------------------------------------------------------------

GT> Yes indeed...I am actually amazed that 3G is talking about using
NAT-PT...good luck to them.


   --------------------------------------------------------------------
   => DNS-sec is not deployable within a NAT-PT domain with DNS-ALG.  If
   NAT-PT is widely deployed, it would become a serious obstacle to
   the large scale deployment of DNS-SEC.
   --------------------------------------------------------------------

GT> Yes, as stated in the RFC...


   --------------------------------------------------------------------
   => Even with short timeouts, it is very easy for an attacker to
   create a DoS attack just by repetitively querying the DNS for all
   known internal domain names.  As the minimum DNS timeouts are usually
   in seconds, such DOS would be much more devastating than simple
   flooding as it only requires very limited bandwidth to be effective.
   --------------------------------------------------------------------

GT> Yes, we state this in the spec very clearly I think.


-----Original Message-----
From: Alain Durand [mailto:Alain.Durand@sun.com]
Sent: Thursday, February 21, 2002 11:43 PM
To: ngtrans@sunroof.eng.sun.com
Subject: (ngtrans) NAT-PT DNS ALG issues


I've just published a draft outlining some issues related to the DNS ALG
part of NAT-PT.

	- Alain.

A New Internet-Draft is available from the on-line Internet-Drafts
directories.


	Title		: Issues with NAT-PT DNS ALG in RFC2766
	Author(s)	: A. Durand
	Filename	: draft-durand-natpt-dns-alg-issues-00.txt
	Pages		:
	Date		: 20-Feb-02

Recent discussions on DNS over IPv6 transport have brought a better
understanding on the impact of tools like NAT-PT (RFC2766).  Several
problems have been identified around the DNS ALG functionality.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-durand-natpt-dns-alg-issues-00.txt
--
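As an added illustration (not part of this thread, and not code from RFC 2766 or the draft), the Python model below shows the A-to-AAAA rewrite a NAT-PT DNS-ALG performs and why the "identifiable translated addresses" idea raised in the reply matters: a host can only push the translated path below the native IPv6 path in address selection if it can recognise the NAT-PT PREFIX. The prefix value, the sample addresses and the helper names are all constructed for this example.

```python
import ipaddress
from typing import List, Optional, Sequence

# Constructed NAT-PT prefix for this model. RFC 2766 uses a /96 "PREFIX" per
# NAT-PT box; this value is a documentation-range placeholder, not a real one.
NATPT_PREFIX = ipaddress.IPv6Network("2001:db8:abcd:ffff::/96")


def synthesize_aaaa(a_record: str,
                    prefix: ipaddress.IPv6Network = NATPT_PREFIX) -> ipaddress.IPv6Address:
    """Model the DNS-ALG rewrite of an A record into an AAAA record.

    The IPv4 address is embedded in the low-order 32 bits of PREFIX::/96, so the
    IPv6-only host receives an address whose route leads to the NAT-PT box.
    """
    v4 = ipaddress.IPv4Address(a_record)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def embedded_ipv4(addr: str,
                  prefix: ipaddress.IPv6Network = NATPT_PREFIX) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address carried in a translated AAAA, or None for a native address."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def is_translated(addr: str, prefix: ipaddress.IPv6Network = NATPT_PREFIX) -> bool:
    """True when the address would be routed through NAT-PT rather than natively."""
    return embedded_ipv4(addr, prefix) is not None


def order_for_selection(candidates: Sequence[str],
                        prefix: ipaddress.IPv6Network = NATPT_PREFIX) -> List[str]:
    """Sort candidate destinations so native IPv6 addresses precede translated ones.

    This is the low-priority treatment of translated addresses suggested in the
    thread. It only works when the host knows PREFIX; a host without that
    knowledge sees two ordinary AAAA records and cannot tell the paths apart.
    """
    # sorted() is stable; False (native) sorts before True (translated).
    return sorted(candidates, key=lambda a: is_translated(a, prefix))


if __name__ == "__main__":
    # Constructed dual-stack destination: one native AAAA and one A record.
    native = "2001:db8::1"
    synthesized = str(synthesize_aaaa("192.0.2.1"))
    print("ALG-synthesized AAAA:", synthesized)
    print("embedded IPv4:", embedded_ipv4(synthesized))
    # Answer order as the host might receive it: translated record first.
    print("prefix-aware order:", order_for_selection([synthesized, native]))
```

The `order_for_selection` step is the part the thread says was never standardised: without a defined address type or a configured PREFIX, the host's default selection decides, which is how the translated path can win over the native one.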