Re: [v6ops] 464xlat case study (was reclassify 464XLAT as standard instead of info)

Mark Andrews <marka@isc.org> Thu, 28 September 2017 08:33 UTC

To: jordi.palet@consulintel.es
Cc: v6ops@ietf.org
From: Mark Andrews <marka@isc.org>
References: <LO1P123MB01168388285206BB7C26F029EA7A0@LO1P123MB0116.GBRP123.PROD.OUTLOOK.COM> <46045DAA-9096-43BA-A5FD-571232767726@google.com> <CAKD1Yr3vziaHfkR+hQ7QHXaz7QraKH2HLUVXUW63GpnOAj4JoQ@mail.gmail.com> <E72C3FBE-57A4-4058-B9E5-F7392C9E9101@google.com> <LO1P123MB0116805F9A18932E2D0694FEEA780@LO1P123MB0116.GBRP123.PROD.OUTLOOK.COM> <1496304E-54BE-47FA-A7F1-1AA6E163DAB1@employees.org> <CAD6AjGQdMFgv4727wHm41HmEyo2Z-PCabPHPSRSVwOi_rey7OQ@mail.gmail.com> <CAKD1Yr03zsuSBqPegs6RNbBqnJizUOLZwH+rNDi1Ocg4k+mARQ@mail.gmail.com> <20170928030630.DD2D08867238@rock.dv.isc.org> <alpine.DEB.2.20.1709280753080.18564@uplift.swm.pp.se> <20170928074105.BCB99886E538@rock.dv.isc.org> <911FED7C-63A7-4F55-A3FE-F97B492E4E82@consulintel.es>
In-reply-to: Your message of "Thu, 28 Sep 2017 10:04:03 +0200." <911FED7C-63A7-4F55-A3FE-F97B492E4E82@consulintel.es>
Date: Thu, 28 Sep 2017 18:31:31 +1000
Message-Id: <20170928083131.B6CD1886F0C8@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/BO4h8wAXX3odpKwbU0CMxm0sR2U>
Subject: Re: [v6ops] 464xlat case study (was reclassify 464XLAT as standard instead of info)

In message <911FED7C-63A7-4F55-A3FE-F97B492E4E82@consulintel.es>, JORDI PALET MARTINEZ writes:
> You can have a DNS validator, aware of DNS64.
>
> In the worst case, if you don't like having a DNS validator aware of
> DNS64, a much simpler solution is to NOT use DNS64.
>
> 464XLAT works also in that scenario, you just force all the IPv4-only
> traffic to be translated at both sides, the CLAT and the PLAT. This is not
> worse than when you do NAT44.
>
> As this traffic is going to be less and less IPv4, again this is not an
> issue.
>
> Regards,
> Jordi

Please go and re-read what is below.  You cannot discover the prefix
using correctly configured DNS software as things currently stand.

Now if you tell IANA to add an insecure delegation for ipv4only.arpa,
one can discover the prefix, but as things currently stand it is
impossible.

Mark

> -----Original Message-----
> From: v6ops <v6ops-bounces@ietf.org> on behalf of Mark Andrews
> <marka@isc.org>
> Reply to: <marka@isc.org>
> Date: Thursday, 28 September 2017, 9:42
> To: Mikael Abrahamsson <swmike@swm.pp.se>
> CC: "Heatley, N, Nick, TQB R" <nick.heatley@bt.com>, IPv6 Ops WG
> <v6ops@ietf.org>, james woodyatt <jhw@google.com>
> Subject: Re: v6ops 464xlat case study (was reclassify 464XLAT as standard
> instead of info)
>
>
>     In message <alpine.DEB.2.20.1709280753080.18564@uplift.swm.pp.se>, Mikael Abrahamsson writes:
>     > So while I sympathize with your "breaks DNSSEC" objection, 464XLAT actually
>     > doesn't do that. DNS64 does. If all devices had 464XLAT then you wouldn't
>     > have to do DNS64 (apart from the well-known "prefix detection" zones).
>
>     You do know that RFC 7050 doesn't work with DNSSEC validation enabled.
>     RFC 7050 specifies CD=0.
>
>         ipv4only.arpa/AAAA (CD=0) -> validating recursive server
>                                      (or local validating cache)
>         ipv4only.arpa/AAAA (CD=0) -> DNS64 server
>         ipv4only.arpa/AAAA ANCOUNT>0 -> validating recursive server
>                                         (or local validating cache)
>
>                     rejected as ipv4only.arpa is signed.
>
>         SERVFAIL -> client
>
>     Let's try with CD=1
>
>         ipv4only.arpa/AAAA (CD=1) -> validating recursive server
>                                      (or local validating cache)
>         ipv4only.arpa/AAAA (CD=1) -> DNS64 server (no synthesis as CD=1)
>         ipv4only.arpa/AAAA ANCOUNT=0 -> validating recursive server
>                                         (or local validating cache)
>         ipv4only.arpa/AAAA ANCOUNT=0 -> client (no prefixes found)
>
>     To get it to work the validating recursive server has to detect
>     that prefix discovery is occurring, perform its own prefix discovery,
>     and synthesise a prefix discovery response.
>
>     So yes, 464XLAT does require DNSSEC to be broken.
>
>     Mark
>     --
>     Mark Andrews, ISC
>     1 Seymour St., Dundas Valley, NSW 2117, Australia
>     PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
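A constructed Python model of the three RFC 7050 exchanges in Mark's quoted message, added here as an example; it is not code from the thread, from RFC 7050, or from any DNS implementation. It assumes the DNS64 server embeds the well-known IPv4 addresses in a /96 prefix (RFC 6052 layout, with 64:ff9b::/96 as the sample prefix), that DNS64 does not synthesise when CD=1, and that the "DNS64-aware validator" behaves the way Mark sketches: it recognises the discovery query, fetches the synthesised answer itself, and returns it without validating it.

```python
import ipaddress

# Constructed model of the RFC 7050 prefix-discovery exchange from the thread.
# Assumed, not from the thread: DNS64 embeds IPv4 addresses in a /96 prefix
# (RFC 6052 layout) and honours CD=1 by not synthesising.
WELL_KNOWN_V4 = ("192.0.0.170", "192.0.0.171")  # A records of ipv4only.arpa (RFC 7050)
NAT64_PREFIX = "64:ff9b::/96"                    # sample prefix (RFC 6052 well-known prefix)

def synthesise(prefix, v4):
    """Embed an IPv4 address in a /96 NAT64 prefix (RFC 6052 layout)."""
    net = ipaddress.IPv6Network(prefix)
    return str(ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(v4))))

def dns64_server(qname, cd):
    """DNS64: ipv4only.arpa has no real AAAA; synthesise only when CD=0 (RFC 6147)."""
    if qname != "ipv4only.arpa" or cd:
        return []
    return [synthesise(NAT64_PREFIX, a) for a in WELL_KNOWN_V4]

def validating_resolver(qname, cd):
    """Validating cache forwarding to DNS64: ipv4only.arpa is signed, so synthesised
    AAAA RRs (which carry no valid RRSIG) fail validation and yield SERVFAIL unless CD=1."""
    answers = dns64_server(qname, cd)
    if answers and not cd:
        return "SERVFAIL", []
    return "NOERROR", answers

def dns64_aware_resolver(qname, cd):
    """The fix Mark describes (assumed shape): the validator recognises the discovery
    query, performs the discovery itself with CD=0, and hands the answer over unvalidated."""
    if qname == "ipv4only.arpa":
        return "NOERROR", dns64_server(qname, cd=0)
    return validating_resolver(qname, cd)

def prefix_from_aaaa(addrs):
    """RFC 7050 extraction for the /96 case: find a well-known IPv4 address in the
    low 32 bits of a returned AAAA and report the bits in front of it as the prefix."""
    for addr in addrs:
        raw = int(ipaddress.IPv6Address(addr))
        if any(raw & 0xFFFFFFFF == int(ipaddress.IPv4Address(v)) for v in WELL_KNOWN_V4):
            return str(ipaddress.IPv6Network((raw >> 32 << 32, 96)))
    return None

def discover(resolver, cd):
    """Client side of RFC 7050 through the given resolver; None means discovery failed."""
    rcode, aaaa = resolver("ipv4only.arpa", cd)
    return prefix_from_aaaa(aaaa) if rcode == "NOERROR" else None
```

Running `discover(validating_resolver, 0)` reproduces the SERVFAIL path and `discover(validating_resolver, 1)` the empty-answer path, both returning None; only `discover(dns64_aware_resolver, 0)` yields the prefix.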