Re: (ngtrans) Comments on draft-durand-natpt-dns-alg-issues-00.txt
Alain Durand <Alain.Durand@sun.com> Sun, 14 July 2002 08:24 UTC
Received: from nwkea-mail-1.sun.com (nwkea-mail-1.sun.com [192.18.42.13]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA28625 for <ngtrans-archive@lists.ietf.org>; Sun, 14 Jul 2002 04:24:13 -0400 (EDT)
Received: from engmail2.Eng.Sun.COM ([129.146.1.25]) by nwkea-mail-1.sun.com (8.9.3+Sun/8.9.3) with ESMTP id BAA23329; Sun, 14 Jul 2002 01:22:13 -0700 (PDT)
Received: from sunroof.eng.sun.com (sunroof.Eng.Sun.COM [129.146.168.88]) by engmail2.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v2.1p1) with ESMTP id BAA12256; Sun, 14 Jul 2002 01:21:47 -0700 (PDT)
Received: from sunroof.eng.sun.com (localhost [127.0.0.1]) by sunroof.eng.sun.com (8.12.4/8.12.4) with ESMTP id g6E8KnoN016037 for <ngtrans-dist@sunroof.eng.sun.com>; Sun, 14 Jul 2002 01:20:49 -0700 (PDT)
Received: (from majordomo@localhost) by sunroof.eng.sun.com (8.12.4/8.12.4/Submit) id g6E8KnVI016036 for ngtrans-dist; Sun, 14 Jul 2002 01:20:49 -0700 (PDT)
X-Authentication-Warning: sunroof.eng.sun.com: majordomo set sender to owner-ngtrans@sunroof.eng.sun.com using -f
Received: from engmail4.Eng.Sun.COM (engmail4 [129.144.134.6]) by sunroof.eng.sun.com (8.12.4/8.12.4) with ESMTP id g6E8KkoN016029 for <ngtrans@sunroof.eng.sun.com>; Sun, 14 Jul 2002 01:20:46 -0700 (PDT)
Received: from pheriche.sun.com (pheriche.Central.Sun.COM [129.147.5.34]) by engmail4.Eng.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL, v2.1p1) with ESMTP id BAA08244 for <ngtrans@sunroof.eng.sun.com>; Sun, 14 Jul 2002 01:20:47 -0700 (PDT)
Received: from esunmail ([129.147.58.121]) by pheriche.sun.com (8.9.3+Sun/8.9.3) with ESMTP id CAA28332 for <ngtrans@sunroof.eng.sun.com>; Sun, 14 Jul 2002 02:20:46 -0600 (MDT)
Received: from xpa-fe2 (esunmail-ge1 [129.147.58.122]) by edgemail1.Central.Sun.COM (iPlanet Messaging Server 5.2 HotFix 0.3 (built May 13 2002)) with ESMTP id <0GZ800ACXCIL96@edgemail1.Central.Sun.COM> for ngtrans@sunroof.eng.sun.com; Sun, 14 Jul 2002 02:20:46 -0600 (MDT)
Received: from limande.dyn.ietf54.wide.ad.jp ([133.93.76.228]) by mail.sun.net (iPlanet Messaging Server 5.2 HotFix 0.2 (built Apr 26 2002)) with ESMTPSA id <0GZ80036WCIIO8@mail.sun.net> for ngtrans@sunroof.eng.sun.com; Sun, 14 Jul 2002 02:20:44 -0600 (MDT)
Date: Sun, 14 Jul 2002 01:20:44 -0700
From: Alain Durand <Alain.Durand@sun.com>
Subject: Re: (ngtrans) Comments on draft-durand-natpt-dns-alg-issues-00.txt
In-reply-to: <F66469FCE9C5D311B8FF0000F8FE9E070A924F66@mbtlipnt03.btlabs.bt.co.uk>
To: matthew.ford@bt.com
Cc: ngtrans@sunroof.eng.sun.com
Message-id: <97C33020-9702-11D6-8B10-000393764158@sun.com>
MIME-version: 1.0
X-Mailer: Apple Mail (2.482)
Content-type: text/plain; charset="US-ASCII"; format="flowed"
Content-transfer-encoding: 7bit
Sender: owner-ngtrans@sunroof.eng.sun.com
Precedence: bulk
Reply-To: Alain Durand <Alain.Durand@sun.com>
Content-Transfer-Encoding: 7bit
On Saturday, July 13, 2002, at 08:27 PM, matthew.ford@bt.com wrote: First of all, thanks for your comments. > Alain, > > Some comments on your draft: > > 1.1 AAAA answers for A queries > > ... > > RFC2766 is not clear on how a DNS-ALG should treat answers to A > queries made by internal nodes. As a matter of fact, one could > fear that a careless a DNS-ALG would also intercept them and > translate > them into a AAAA form. > > => Agreed that RFC2766 probably needs to be more explicit about this. > However, DNS-ALGs exist that are very careful about when to relay, and > when > to translate. They work well in practice. The fact that some implementations appear to work fine does not change the fact that the RFC is not clear and need to be fixed. > ... > > Applications behind a NAT-PT DNS ALG may think they use IPv6 when > they are actually using IPv6 + NAT-PT + IPv4. > > => Application transparency is a bad thing? Do you think there is a > need for > signalling to indicate that translation is occurring? An application that knows it does not work fine over a NAT box may want to know. > > 1.2. Source Address Selection/Destination address ordering > > ... > > The communication between a node within the NAT-PT domain and a > external dual stack host will select the translated path over the > native IPv6 path. > > => This is only true of the sort of 'sloppy' implementations referred to > above. If implementors are careful about when they relay and when they > translate, this problem does not arise. This relay vs translate behavior is not documented in the RFC. > > 1.3. NAT-PT & IPv6 default router > > ... > > For NAT-PT to work correctly with DNS-ALG, it requires that the > NAT-PT box be the only default IPv6 router of the NAT-PT domain. > > => We've been running IPv6 networks where our NAT-PT box is not the > default > IPv6 router for several years. The only requirement here is that the > local > IPv6 DNS forwards to an IPv4 located DNS via NAT-PT. What you are suggesting is to forbid recursive resolvers within the NAT-PT domain. a) you'll have to find an open DNS relay and b) this will not scale very well. > 1.4. DNS-sec > > ... > > DNS-sec is not deployable within a NAT-PT doamin with DNS-ALG > > => Yes, NAT breaks end-to-end security. You are confusing IPsec and DNSsec. Yes, NAT breaks IPsec, but does not break DNSsec. In that regard, NAT-PT is worse than NAT. > 2.1. Incoming address pool exhaustion. > > ... > > Even with short time out, it is very easy for an attacker to > create a DoS attack just by repetitively querying the DNS for all > known internal domain names > > => Outgoing connections from the NAT-PT domain can easily be protected > in > the presence of such attacks by reserving at least one pool address for > NAPT-PT. Important services hosted within the NAT-PT domain can also be > protected by allocating static IPv4 address mappings. Finally, in order > for > an attacker to exhaust the available pool of IPv4 addresses, the > attacker > would have to know or discover a number of domain names for distinct > internal addresses equal to the size of the incoming address pool. > Sure you can always limit incoming NAT-PT to a few selected hosts and have a static mapping. But this does not change the fact that if you want incoming NAT-PT to work for any hosts, it will be open to DOS. - Alain.
- Re: (ngtrans) Comments on draft-durand-natpt-dns-… Alain Durand