IETF Logo Mail Archive

Re: [v6ops] <draft-ietf-v6ops-464xlat-optimization-00.txt> - pre-(shepherd-writeup) review

Jen Linkova <furry13@gmail.com> Wed, 15 July 2020 09:23 UTC

Return-Path: <furry13@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C34E23A07E3; Wed, 15 Jul 2020 02:23:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level:
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KWArYWtIh9Iw; Wed, 15 Jul 2020 02:23:13 -0700 (PDT)
Received: from mail-qt1-x829.google.com (mail-qt1-x829.google.com [IPv6:2607:f8b0:4864:20::829]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 76CB93A07E2; Wed, 15 Jul 2020 02:23:13 -0700 (PDT)
Received: by mail-qt1-x829.google.com with SMTP id o38so1111690qtf.6; Wed, 15 Jul 2020 02:23:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=7Bh8ea0219Tev5DDjyrZ7tncoO81Wszj4Rsi/KJ6NvA=; b=A6I2ogl0ge+dVRg7kJf1aGuA6uZVyCOP+N+0huACLzFZz2ytb9uzny0ZQcdDoP+/sE 7jFvkLaL3vLGAA7hoqV81L/9ZXQg5Cck+ukghJN+20Mb3xgmYAZfyWv/TRJGo/2f01L0 fFc7kQrxwbv+HJZNAIFVvYgo4XAWZSEFZrKgOCR/YNaBGuFLBoiM9CkIWGHll9XRszYc OyV+zhBR976LaTgg8ReqzovrQXl4QcuzKcO7fJoTd8M8XuR73MKaaJQCyG7z8uRMM3Qj /AECFxicUFtMlOGQhX3G7PKS8xA0BI4etWhg66OMrs9ROqIJKDosx660zkPscT1IDXYb bUdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=7Bh8ea0219Tev5DDjyrZ7tncoO81Wszj4Rsi/KJ6NvA=; b=TIIWMlt7GUDiQsRcXYkEn9iQepUcvwZq44mcnTf2y7LWO4xLv9RMLNLq1gHiMx2FIC Hm4Nq0qCHzK6n/p52rbUP2NxLU9HBEnDWsxP0arIHRoSRp85v1QUWBb6evq7k/3l7X9y Dm7+zv4c7oXAX2PGMdesH9MkzHz+Rs8+vjijuimgRjy33x8GiUoprTmi0fIT6tqwzTYT uNhUHqXEsanEZzHWjkWD65pPq6Ci7XLErOX6MGhM8hib2N/pun9kfhih6g6dtlhiVEbR A30HrIYLEbaWQYaiNCoqR+sTU+Ait8d1+j/Lo7550mOe4Zrpa9gVl8i4q6emHC3TRYFJ r0fw==
X-Gm-Message-State: AOAM530oVmUqhjvhTtmLrxx8AbxLVC1rniMlXWqkuScGaYg1uBs/Yo/H NoOMgJL00B/DsEoTtIUtHkJ3MgLj422LuYGHq+c=
X-Google-Smtp-Source: ABdhPJz2LQ01UfhXWSkD+PNAWZSoIgGkMusHiieHdF5i6C7gghOdzEZVf+2Tyo1G2G/YhBOcW/9Ex38cZFitoYT05mo=
X-Received: by 2002:ac8:4e2d:: with SMTP id d13mr9437633qtw.52.1594804992367; Wed, 15 Jul 2020 02:23:12 -0700 (PDT)
MIME-Version: 1.0
References: <159393243745.16561.15755916877984628536@ietfa.amsl.com> <17D88CF8-B2CF-4737-910A-3D07881946BA@gmail.com> <24FDA390-8587-4366-8E4D-C6BBBB529CF8@theipv6company.com> <0B3CDBC8-3EBE-4FC4-AC5A-2DCD2480B502@theipv6company.com> <CAFU7BATueaCH5KL=-WVKZphs3fuwkOFvtmELPyQ9h9i4GBnkJw@mail.gmail.com> <CAFU7BAR8CaA6uKfm001J6fSfTNTrvyLffWfVurpBUs2HBxgPqw@mail.gmail.com> <CAFU7BARPpq=vZmS0xeS19pjK8hNRfaoq_hBcUKDbzSjimMTfUg@mail.gmail.com> <0A5FD684-199C-4979-8818-36C9B3047746@consulintel.es> <CAFU7BATHeCB2i25xw1YnVnUUbns+ZbA=2kjv-wpmMmAwP=RTiw@mail.gmail.com> <EF144D45-C4AE-48CC-B070-20D24C792153@consulintel.es>
In-Reply-To: <EF144D45-C4AE-48CC-B070-20D24C792153@consulintel.es>
From: Jen Linkova <furry13@gmail.com>
Date: Wed, 15 Jul 2020 19:23:01 +1000
Message-ID: <CAFU7BAQzBCekUQLq36OjHuSE8B9_8ZGgctpaVfQyPsZf13es=g@mail.gmail.com>
To: JORDI PALET MARTINEZ <jordi.palet@consulintel.es>
Cc: draft-ietf-v6ops-464xlat-optimization@ietf.org, Fred Baker <fredbaker.ietf@gmail.com>, warren <warren@kumari.net>, V6Ops Chairs <v6ops-chairs@ietf.org>, "Alejandro D'Egidio (Telecentro)" <adegidio@telecentro.net.ar>, V6 Ops List <v6ops@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/BPgVZrCsFAUd0k2bi53hJiUHfFE>
Subject: Re: [v6ops] <draft-ietf-v6ops-464xlat-optimization-00.txt> - pre-(shepherd-writeup) review
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2020 09:23:15 -0000

On Fri, Jul 10, 2020 at 9:29 PM JORDI PALET MARTINEZ
<jordi.palet@consulintel.es> wrote:
> [Jordi] If instead of the spoofing the AAAA, it is spoofed the A or even the AAAA (without this optimization), the result is the same. In my opinion it all depends on how and "where" the attack occurs, because the DNS cache may be poisoned in the CPE or the hosts, etc.


Sorry I should have clarified. The difference is that spoofing *one*
DNS response would affect *all* devices behind the CPE *even* if those
device are not using that CPE as a resolver and use DNS over [smth]
and/or DNSSEC. My laptop might build a secure tunnel to the DNS server
it's using and validate response using DNSSEC.
But it does not help because my TV asked for an A RR and the
corresponding AAAA was spoofed on the CPE, so now all devices in my
house can not reach that IPv4 address.

>     This is actually related to my point about 'when/how this feature gets
>     enabled'.  It's not just must be explicitly enabled by an operator, it
>     MUST be disabled if the roiter does not have IPv6 connectivity on the
>     uplink (and the question is 'how to define that').
>
> [Jordi] This nullifies the full purpose of the optimization. The idea is that the optimization is performed as easy and automatically as possible if the WAN is IPv6-only. I will say in the other way around. If, in an extreme situation, an operator has any "big" trouble with this optimization, they will use TR-069 or whatever to disable it by default.

Why can they not use TR-069 or whatever to enable it? Operators might
not have CDNs in their network, they might have enough capacity  etc -
so they might not need the optimisation at all.

>Clearly the optimization will be only enabled by the CPE if it is using 464XLAT because it has IPv6-only WAN. I'm happy to add a sentence or even a section to clarify that, but for me an optimization for 464XLAT only works if 464XLAT is working, not otherwise!

I do like the update to Section 5.2, thanks for that! However IMHO the
current version does not imply that the optimization is enabled only
if 464X:AT is enabled.
What if the device was not able to get an IPv4 address on the uplink
initially but eventually DHCPv4 succeeded?
Not sure there is any clear guidance for that.
That's why I was thinking that letting the operator make a decision if
they need this feature and enable it would make sense - those who
really need would know that they shall buy routers supporting this and
enable it. Those who do not care would not be negatively impacted.



-- 
SY, Jen Linkova aka Furry

v2.23.0 | Report a Bug | By Email