IETF Logo Mail Archive

Re: [v6ops] draft-palet-v6ops-nat64-deployment-02 comments

Fred Baker <fredbaker.ietf@gmail.com> Mon, 02 July 2018 19:55 UTC

Return-Path: <fredbaker.ietf@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 391B51312EE for <v6ops@ietfa.amsl.com>; Mon, 2 Jul 2018 12:55:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Quh_w0A0S6n for <v6ops@ietfa.amsl.com>; Mon, 2 Jul 2018 12:55:39 -0700 (PDT)
Received: from mail-oi0-x22d.google.com (mail-oi0-x22d.google.com [IPv6:2607:f8b0:4003:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A95913131E for <v6ops@ietf.org>; Mon, 2 Jul 2018 12:55:39 -0700 (PDT)
Received: by mail-oi0-x22d.google.com with SMTP id v8-v6so18654169oie.5 for <v6ops@ietf.org>; Mon, 02 Jul 2018 12:55:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=Dko05BczU/DXZDz/rxVLVaSUx0RKElPH9m5nRdOhW/Q=; b=BRh6qHnXd4Y9qh5Qb+NXl2VprI3nJ/GQzCTrK6gTx51zDEZPerEsUVbg25PK8WAVgw LEmeUxjyOPq1ntn4BvRnIFDNWVJgnZXvaNGAvXZwMWl8qziXvNs5DdEwF7sRuLrVtLNP /8L9vAlRWLARU66MyDNiqi1Efu7GYh5QuAFJrF9ohDiotiXuJpUC2ZqL8nx84j03BYRQ kQJOD117F9aUHxYi2y4UrTE2Rzu/WuZuFWAYvW03XQrxDLYnJ/L2MdYYRygq4arCn+iG wl6/IScC7PL2WM5BwIJg/qkc7ZJVXUmeFSMXx4uTOfwhD+watL7AiP6piDquVO9PJpSV vEXQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=Dko05BczU/DXZDz/rxVLVaSUx0RKElPH9m5nRdOhW/Q=; b=mMGRjsV79PzNo0J8Jma+nG95Gr+9Q6elF8rCpJPvoUbGPkyyVifTC+090ioz/wl9TL qNk1VHQbhVC+i2nIeScBJgx+RHsx5EOcbgpry9bt/RNQ/TIoeuobgDUQxo6i9ZQ42mll Ax2ld1sQj5C0D5BP9bjwqSuavLbg1IAzgGk3iqfFFdxGj5GmIfof2lMEm99NLRCU5TES F/41QtBWhl496qhZ+g/6UJvz3lnUCZt+khMTmL6EKNNIIS4k9RxknF7UgWqpM/mBP+hU k9YtWnyXC7ckozMZWg+bej5IpHz6cBIu8Qo3kVOQdxW3fJGdq1WL7HRiesMc2/UD0GlW Ey9A==
X-Gm-Message-State: APt69E339QtlA3byTOOlsGe1NHsBtCoYGfcKFHxa9VGFhMn1JweaYGRL UkUeQD3Dql/2qsvLS56rOVJFd55Z
X-Google-Smtp-Source: AAOMgpc+2qv9LtfM8AfSy2A81AnqE0DNIAt/OANYqZZ7vbKZogTEMA4GYOWfHn+SJNwUoFQkryyigg==
X-Received: by 2002:aca:d4d7:: with SMTP id l206-v6mr5022741oig.52.1530561338318; Mon, 02 Jul 2018 12:55:38 -0700 (PDT)
Received: from ?IPv6:2600:8802:5600:1546::101b? ([2600:8802:5600:1546::101b]) by smtp.gmail.com with ESMTPSA id o99-v6sm861879ota.72.2018.07.02.12.55.36 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 02 Jul 2018 12:55:37 -0700 (PDT)
From: Fred Baker <fredbaker.ietf@gmail.com>
Message-Id: <0DEE4384-5CEE-4F9D-8152-4C10B5AEA365@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_E887E91F-91B9-4800-90E9-F20F194F0123"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Mon, 02 Jul 2018 12:55:35 -0700
In-Reply-To: <1F8254E0-D425-486A-B744-EDA836266D99@consulintel.es>
Cc: "v6ops@ietf.org list" <v6ops@ietf.org>
To: JORDI PALET MARTINEZ <jordi.palet@consulintel.es>
References: <663F489C-7F63-4B0C-A5E6-F7EE4634E62B@gmail.com> <60335039-287e-4fb3-870b-2c4fe9b5445d@otenet.gr> <2D196DD1-FF0F-4365-8F50-5AD98DCBA989@gmail.com> <787AE7BB302AE849A7480A190F8B93302DF4F296@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <1F8254E0-D425-486A-B744-EDA836266D99@consulintel.es>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/3Dudv2dVHfXwHg8k3WP51FQIQzQ>
Subject: Re: [v6ops] draft-palet-v6ops-nat64-deployment-02 comments
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Jul 2018 19:55:47 -0000

No hats, and a comment to get picked up next week, not before 23:59 UTC today.

I'm thinking further about the statement that "DNS64 breaks DNSSEC". I think that is just incorrect.

Here's the scenario. I'm thinking from the perspective of the user of DNS64 in

                         +----+                +----+
                         |DNS |     +-----+    |DNS |
                         |IPv6|     |DNS64|    |IPv4|
                         +--+-+     +-----+    +--+-+
 +------+ v6 +------+       |      /       \      |
 |      +----+      |    ,--+--.  /         \  ,--+--.
 |Dual  |    | IPv6 |   /       \/   ,---.   \/       \
 |Stack |  +-+Router+--(  IPv6   )--( PLAT)--(  IPv4   )
 |Device|v4|C|      |   \Network/`.  `---'    \Network/
 |      +--+L|      |    `--+--'   `.         /`-----'
 +------+  |A|      |       |        `+------+
           |T|      |    +--+---+     | Peer |
           +-+------+    | IPv6 |     |Device|
                         |Device|     +------+
                         +------+

which might be the IPv6 side of the "Dual Stack Device" or might be the "IPv6 Device". There are two sets of possibilities:

From an IPv6 perspective (either device), assuming the response contains correct data, a request for a AAAA record will yield one of four things:

1) NXDOMAIN
2) a signed AAAA record
3) an unsigned but valid native AAA record
4) an unsigned DNS64-generated IPv4-embedded IPv6 Address, the synthesis of an IPv6 prefix and an IPv4 address.

Barring a few exclusions, #4 will never happen if a native AAAA record is known by the DNS64 device (https://tools.ietf.org/html/rfc6147#section-5.1.1).

From an IPv4 perspective, the "Dual Stack Device" will also request an A record, and might get:

1) NXDOMAIN
2) a signed A record
3) an unsigned but valid native A record

In either case, NXDOMAIN (option #1) kind of closes the options. I should expect the device(s) will prefer a signed record to an unsigned one, which might mean that the "Dual Stack Device" prefers a signed A record to an unsigned DNS64 AAAA record. If it gets two signed records, it's cook's choice, and the "Dual Stack Device" is likely to prefer the signed AAAA record to the signed A record "just because". If it gets no signed records, I don't know offhand how it would tell a native address from a DNS64 address without parsing the address in the AAAA record. So it might use a generated address to get to the PLAT or let the CLAT create an address to get to the PLAT. But in either case, if DNS64 is in use, it gets to the PLAT, so it probably doesn't matter.

                +--------+--------+----------+
  IPv6:    IPv4:|NXDOMAIN|Signed A|Unsigned A|
 +--------------+========+========+==========+
 |NXDOMAIN      |  fail  |use A   | use A    |
 +--------------+--------+--------+----------+
 |Signed AAAA   |use AAAA|choice  | use AAAA |
 +--------------+--------+--------+----------+
 |Unsigned AAAA |use AAAA|use A   | choice   |
 +--------------+--------+--------+----------+
 |DNS64 AAAA    |use AAAA|use A   | choice   |
 +--------------+--------+--------+----------+

But I don't see any case in which an unsigned record replaces a signed record, or a signed record cannot be verified, which is what would break DNSSEC.

Hence, I don't think DNS64 "breaks" DNSSEC. It enables connectivity in cases where NXDOMAIN would disable connectivity, and the user goes through a NAT, with all the evils that implies.

v2.23.0 | Report a Bug | By Email