Re: [v6ops] Supporting IPv6-only Networks with NAT64 and DNS64 section of draft-ietf-v6ops-rfc6555bis-01
Mark Andrews <marka@isc.org> Thu, 29 June 2017 04:14 UTC
Return-Path: <marka@isc.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D026D127871 for <v6ops@ietfa.amsl.com>; Wed, 28 Jun 2017 21:14:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PYVSSHg0d2O0 for <v6ops@ietfa.amsl.com>; Wed, 28 Jun 2017 21:14:40 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DD8A127775 for <v6ops@ietf.org>; Wed, 28 Jun 2017 21:14:40 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id BFE57349315; Thu, 29 Jun 2017 04:14:37 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 7EA50160047; Thu, 29 Jun 2017 04:14:37 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 664DE160070; Thu, 29 Jun 2017 04:14:37 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 7pxI1kwBY2AR; Thu, 29 Jun 2017 04:14:37 +0000 (UTC)
Received: from [172.30.42.89] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 4F9A8160047; Thu, 29 Jun 2017 04:14:36 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <280023835.899017.1498705302254@mail.yahoo.com>
Date: Thu, 29 Jun 2017 14:14:33 +1000
Cc: IPv6 Ops WG <v6ops@ietf.org>, "dschinazi@apple.com" <dschinazi@apple.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <47F7A2D8-9516-4E25-A673-40D6293B7CE7@isc.org>
References: <149670589074.3841.10812713591494006570@ietfa.amsl.com> <C22244D7-ABF6-430B-8155-8D4C1C1382DF@apple.com> <FA0D06E7-47F9-4029-81D4-2D96BFDD5576@consulintel.es> <65F3C8F4-6533-4C15-83F9-64AFC0EFFA79@apple.com> <4AC6726C-142E-48E5-95CF-2C3AD3331441@consulintel.es> <738488839.469942.1498664001646@mail.yahoo.com> <20170628220025.4FA447CB2073@rock.dv.isc.org> <280023835.899017.1498705302254@mail.yahoo.com>
To: "stephan.lagerholm@yahoo.com" <stephan.lagerholm@yahoo.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/1ihkcEFXsygluFi_XOjCFQvoQuE>
Subject: Re: [v6ops] Supporting IPv6-only Networks with NAT64 and DNS64 section of draft-ietf-v6ops-rfc6555bis-01
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jun 2017 04:14:42 -0000
> On 29 Jun 2017, at 1:01 pm, stephan.lagerholm@yahoo.com wrote: > > Hi Mark, > > >From: Mark Andrews <marka@isc.org> > >> In message <738488839.469942.1498664001646@mail.yahoo.com>, "stephan.lagerholm@yahoo.com" writes: > >> Hi David, > >> Thanks for adding the Supporting IPv6-only Networks with NAT64 and DNS64 > >> section, I find it useful. However I don't think the below sentence from > >> this section is accurate. I can't think of any changes that are needed on > >> a client device to run NAT64/DNS64. > > > >Well you obviously don't have any devices doing DNSSEC validation. > >DNS64 breaks DNSSEC as it changes the DNS responses from NOERROR > >NODATA to NOERROR DATA by synthesizing a AAAA RRset. This from the > >client's perspective is not different than forging a fake AAAA RRset > >that is trying to hijack the traffic stream. > > This case and the remedy is already covered in RFC 6147 section 3. I don't think it makes sense to bring it up in this draft. RFC 6147 states that end devices need to be upgraded. Yes this is in contradiction to itself where it states that they don’t need to be upgraded. Section 5.5. The disadvantage to this approach is that an end point that is translation-oblivious but security-aware and validating will not be able to use the DNS64 functionality. In this case, the end point will not have the desired benefit of NAT64. In effect, this strategy means that any end point that wishes to do validation in a NAT64 context must be upgraded to be translation-aware as well. Then you have 5.5.3, turn a DNSSEC MUST NOT into a MAY and in doing so completely defeating the purpose of the “MUST NOT” on CD=1 which is to get answers which are incorrectly being rejected by the upstream validating resolver. "then vDNS64 MAY perform validation,” Then you have changes to the purpose of CD which don’t work with TTL=0 answers. The whole IETF seems to think that DNS64/NAT64 works well. It doesn’t when you need to use the protections that DNSSEC provides. It works ok if everything else is correctly configured and there are no active attacks on the recursive DNS servers happening. > > /S > > Virus-free. www.avg.com -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [v6ops] I-D Action: draft-ietf-v6ops-rfc6555bis-0… internet-drafts
- [v6ops] Updated draft-ietf-v6ops-rfc6555bis to ve… David Schinazi
- Re: [v6ops] Updated draft-ietf-v6ops-rfc6555bis t… JORDI PALET MARTINEZ
- Re: [v6ops] Updated draft-ietf-v6ops-rfc6555bis t… David Schinazi
- Re: [v6ops] Updated draft-ietf-v6ops-rfc6555bis t… JORDI PALET MARTINEZ
- [v6ops] Supporting IPv6-only Networks with NAT64 … stephan.lagerholm@yahoo.com
- Re: [v6ops] Supporting IPv6-only Networks with NA… David Schinazi
- Re: [v6ops] Supporting IPv6-only Networks with NA… stephan.lagerholm@yahoo.com
- Re: [v6ops] Updated draft-ietf-v6ops-rfc6555bis t… David Schinazi
- Re: [v6ops] Supporting IPv6-only Networks with NA… David Schinazi
- Re: [v6ops] Supporting IPv6-only Networks with NA… Mark Andrews
- Re: [v6ops] Supporting IPv6-only Networks with NA… stephan.lagerholm@yahoo.com
- Re: [v6ops] Supporting IPv6-only Networks with NA… David Schinazi
- Re: [v6ops] Supporting IPv6-only Networks with NA… Mikael Abrahamsson
- Re: [v6ops] Supporting IPv6-only Networks with NA… stephan.lagerholm@yahoo.com
- Re: [v6ops] Supporting IPv6-only Networks with NA… stephan.lagerholm@yahoo.com
- Re: [v6ops] Supporting IPv6-only Networks with NA… Mark Andrews
- Re: [v6ops] Supporting IPv6-only Networks with NA… stephan.lagerholm@yahoo.com
- Re: [v6ops] Supporting IPv6-only Networks with NA… Erik Kline
- Re: [v6ops] Supporting IPv6-only Networks with NA… Mark Andrews
- Re: [v6ops] Supporting IPv6-only Networks with NA… Fred Baker
- Re: [v6ops] Supporting IPv6-only Networks with NA… mohamed.boucadair
- Re: [v6ops] Supporting IPv6-only Networks with NA… Mark Andrews
- Re: [v6ops] Supporting IPv6-only Networks with NA… Rajiv Asati (rajiva)
- Re: [v6ops] Supporting IPv6-only Networks with NA… mohamed.boucadair
- Re: [v6ops] Supporting IPv6-only Networks with NA… Fred Baker
- Re: [v6ops] Supporting IPv6-only Networks with NA… Fred Baker
- Re: [v6ops] Supporting IPv6-only Networks with NA… Mark Andrews
- Re: [v6ops] Updated draft-ietf-v6ops-rfc6555bis t… JORDI PALET MARTINEZ