Re: [v4v6interim] Single namespace

Fred Baker <fred@cisco.com> Wed, 01 October 2008 18:16 UTC

Return-Path: <v4v6interim-bounces@ietf.org>
X-Original-To: v4v6interim-archive@ietf.org
Delivered-To: ietfarch-v4v6interim-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6B75528C0FC; Wed, 1 Oct 2008 11:16:26 -0700 (PDT)
X-Original-To: v4v6interim@core3.amsl.com
Delivered-To: v4v6interim@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B85693A676A for <v4v6interim@core3.amsl.com>; Wed, 1 Oct 2008 11:16:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.49
X-Spam-Level:
X-Spam-Status: No, score=-106.49 tagged_above=-999 required=5 tests=[AWL=0.109, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Ah8ynuihBWI for <v4v6interim@core3.amsl.com>; Wed, 1 Oct 2008 11:16:23 -0700 (PDT)
Received: from sj-iport-3.cisco.com (sj-iport-3.cisco.com [171.71.176.72]) by core3.amsl.com (Postfix) with ESMTP id B51BC3A6856 for <v4v6interim@ietf.org>; Wed, 1 Oct 2008 11:16:23 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.33,344,1220227200"; d="scan'208";a="105843852"
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-3.cisco.com with ESMTP; 01 Oct 2008 18:16:14 +0000
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id m91IGDZ5013284; Wed, 1 Oct 2008 11:16:13 -0700
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-1.cisco.com (8.13.8/8.13.8) with ESMTP id m91IGD8X013355; Wed, 1 Oct 2008 18:16:13 GMT
Received: from xfe-sjc-212.amer.cisco.com ([171.70.151.187]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 1 Oct 2008 11:16:13 -0700
Received: from [192.168.3.103] ([10.21.89.125]) by xfe-sjc-212.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 1 Oct 2008 11:16:12 -0700
Message-Id: <4AEC856D-6418-44A7-84E7-79A64913A1A2@cisco.com>
From: Fred Baker <fred@cisco.com>
To: bmanning@vacation.karoshi.com
In-Reply-To: <20081001180949.GA4282@vacation.karoshi.com.>
Mime-Version: 1.0 (Apple Message framework v929.2)
Date: Wed, 01 Oct 2008 14:16:11 -0400
References: <BD0BD783-9F12-4415-85B3-9593584BB12D@cisco.com> <20081001180949.GA4282@vacation.karoshi.com.>
X-Mailer: Apple Mail (2.929.2)
X-OriginalArrivalTime: 01 Oct 2008 18:16:12.0498 (UTC) FILETIME=[C91CFB20:01C923F1]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=2329; t=1222884973; x=1223748973; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=fred@cisco.com; z=From:=20Fred=20Baker=20<fred@cisco.com> |Subject:=20Re=3A=20Single=20namespace |Sender:=20; bh=LvFb/yrwLxNxEYIEQ99wwOz/xkItkuZHhBgBjePOcac=; b=qmXpa5o9DgByBVs4+3xsBToGdv9ejoZ16XIs0tASCBMbHJCePG4IF+MixH 3IBBpsWBSfyAwAnci1cBjRUgfA6gIvV+g2cVfdnhM7kTWGUV5YI57vph2ano cunapIEWMpIfzakcGAboMJ67FpHHP8L+M0ASfewBkcasvoFElAnaM=;
Authentication-Results: sj-dkim-1; header.From=fred@cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; );
Cc: v4v6interim@ietf.org
Subject: Re: [v4v6interim] Single namespace
X-BeenThere: v4v6interim@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of coexistence topics for the 01-Oct-2008 v4-v6 coexistence interim meeting <v4v6interim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/v4v6interim>, <mailto:v4v6interim-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/v4v6interim>
List-Post: <mailto:v4v6interim@ietf.org>
List-Help: <mailto:v4v6interim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v4v6interim>, <mailto:v4v6interim-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: v4v6interim-bounces@ietf.org
Errors-To: v4v6interim-bounces@ietf.org

On Oct 1, 2008, at 2:09 PM, bmanning@vacation.karoshi.com wrote:
> that said, DNS64 is asserted to provide a different answer depending on
> where the question originates.  Some folks do this today w/ a bind construct
> called "views".  if DNS64 "constructs" synthetic addresses on the fly
> (algorithmically generated addresses) as proposed, is this based on the
> DNS64 application intercepting a DNS reply - (here is the A rr) and fabricating
> a lie (here is the AAAA rr) to pass to the querier? where the AAAA is the address
> of the translation device?

It doesn't intercept anything.

It gets a AAAA request from some host, sends a request for an A record
(perhaps to itself), gets the A record response, generates a AAAA
record from it, and sends that as a reply to the original request.

> If this is a plausible explanation, then I would posit that the creation of
> DNS64 is injecting a MITM vector that is unreasonable.

Any form of translation is a MITM vector. If you find translation
unreasonable, then yes you will find that vector unreasonable. If you
find translation necessary, I don't think you can avoid the
possibility that the translator is a MITM vector.

> depending on the deployment model, i think that properly placed DNS caches,
> running dual stack, would work just fine.

Several problems there. First, what if a name exists and is
translatable but doesn't happen to be in the cache at the moment? Do
you populate the cache? Second, what if the cache is poisoned?

You're complaining about MITM attacks?

> back to the oatwillie.example.com case...
> presume the node has a single NIC  ::   2001:478:6::cafe
> and an IVI box with                ::   2001:478:6::254
>                                    ::   198.32.6.251
>
> with a dual-stack DNS server       ::   2001:478:6::11
>                                   ::   198.32.6.11
>
> inside the DNS server, I might make the following mapping for  
> oatwillie:
>
> oatwillie   in aaaa 2001:478:6::cafe
>             in a    198.32.6.251
>
>
> would that work for you?

Maybe. If the server directly knows the translation already, it's
great. I don't think it is a very general solution, though, as there
is no way to populate the cache in the first place.

_______________________________________________
v4v6interim mailing list
v4v6interim@ietf.org
https://www.ietf.org/mailman/listinfo/v4v6interim
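The synthesis step Fred describes (AAAA query in, A lookup, AAAA generated from the A record) and the static mapping bmanning sketches for oatwillie, as an added example that is not code from the thread or from any DNS64 implementation. It assumes a /96 translator prefix in the style of RFC 6052 (the well-known prefix 64:ff9b::/96, which postdates this 2008 thread) and the standard DNS64 rule of synthesizing only when the name has no native AAAA; the zone data, the name v4only.example.com and the function names are constructed for the example.

```python
import ipaddress

# Assumption: the translator uses the RFC 6052 well-known /96 prefix. A
# deployment may use a network-specific prefix instead; the math is the same.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed zone data. The oatwillie entry is the static mapping from the
# thread (native AAAA, A pointing at the IVI box); the other names are made up.
ZONE = {
    "oatwillie.example.com.": {"AAAA": ["2001:478:6::cafe"], "A": ["198.32.6.251"]},
    "v4only.example.com.":    {"A": ["198.32.6.42"]},   # no AAAA: DNS64 must synthesize
    "nowhere.example.com.":   None,                     # does not exist: NXDOMAIN
}


def synthesize_aaaa(a_addr, prefix=NAT64_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 translator prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 translator prefixes")
    v4 = ipaddress.IPv4Address(a_addr)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(aaaa_addr, prefix=NAT64_PREFIX):
    """Reverse of synthesize_aaaa; None if the address is not a synthesized one."""
    v6 = ipaddress.IPv6Address(aaaa_addr)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def dns64_resolve(name, zone=ZONE, prefix=NAT64_PREFIX):
    """Answer a AAAA query as a DNS64 resolver would.

    Returns (rcode, answers, synthesized). Nothing is intercepted: the
    resolver issues its own A lookup when the name has no native AAAA and
    builds the AAAA answer from that A record.
    """
    rrset = zone.get(name)
    if rrset is None:
        return ("NXDOMAIN", [], False)
    if rrset.get("AAAA"):
        # Native AAAA present: hand it back untouched.
        return ("NOERROR", list(rrset["AAAA"]), False)
    a_rrs = rrset.get("A", [])
    if not a_rrs:
        # Name exists but has neither AAAA nor A: plain NODATA.
        return ("NOERROR", [], False)
    # Synthesize one AAAA per A record. Whatever trust the A answer had is
    # all the synthesized record has; a poisoned A answer yields a poisoned AAAA.
    return ("NOERROR", [str(synthesize_aaaa(a, prefix)) for a in a_rrs], True)


if __name__ == "__main__":
    for qname in ZONE:
        print(qname, dns64_resolve(qname))
```

Running the block answers oatwillie with its native AAAA, synthesizes 64:ff9b::c620:62a for the IPv4-only name, and returns NXDOMAIN for the missing one. The `synthesized` flag is worth keeping in any real resolver: it is what lets an operator see which answers carry no more assurance than the A record (and the cache) they were built from, which is the poisoning concern raised in the reply.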