IETF Logo Mail Archive

Re: [v6ops] Supporting IPv6-only Networks with NAT64 and DNS64 section of draft-ietf-v6ops-rfc6555bis-01

"Rajiv Asati (rajiva)" <rajiva@cisco.com> Thu, 29 June 2017 06:19 UTC

Return-Path: <rajiva@cisco.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF2BE128792 for <v6ops@ietfa.amsl.com>; Wed, 28 Jun 2017 23:19:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.521
X-Spam-Level:
X-Spam-Status: No, score=-14.521 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U81XOd-ao_1q for <v6ops@ietfa.amsl.com>; Wed, 28 Jun 2017 23:19:49 -0700 (PDT)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 368C0126E3A for <v6ops@ietf.org>; Wed, 28 Jun 2017 23:19:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=12326; q=dns/txt; s=iport; t=1498717189; x=1499926789; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=RZI/YPqiV0HYKbi1K9OjwCJOSIfadMr5CDe3jii1aVM=; b=mBSKgbE6whFYhytz2eRIwThihMJG0ow6ZQ/UGViBKw7G2y6sUrHclUCq H8YTAeL0qZedFRosBEQ0qknwEyr9pSG/tPgXJMGOaI6W1rZkTW3cbXvPg mI9G3Si4aw2giu4snEiflktplH82s5SO7/f6o9yL5oA6Q2WqJfXLLR0i6 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0C3AABVm1RZ/4oNJK1dGQEBAQEBAQEBAQEBBwEBAQEBgm9qY4EOjgWRRSKCQYVpiCaFK4IRIQEKhXACgww/GAECAQEBAQEBAWsdC4UYAQEBAQIBAQFsCwULAgEIFQMjBAcnCxMBEQIEDgWJS0wDDQgQtEOHLQOEGQEBAQEBAQEBAQEBAQEBAQEBAQEBARgFgyeDTIFgASsLgm6CV4F2AQEOM4MdgjEFh3UMgWWEOYQDhQGHFjsCjxCEYZIXi2uJPQEfOIEKdBVJEgGCN4J8gU12AQGHAg0XB4ISAQEB
X-IronPort-AV: E=Sophos;i="5.40,279,1496102400"; d="scan'208,217";a="263744267"
Received: from alln-core-5.cisco.com ([173.36.13.138]) by rcdn-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 29 Jun 2017 06:19:47 +0000
Received: from XCH-RCD-005.cisco.com (xch-rcd-005.cisco.com [173.37.102.15]) by alln-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id v5T6JlLo013245 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 29 Jun 2017 06:19:47 GMT
Received: from xch-aln-005.cisco.com (173.36.7.15) by XCH-RCD-005.cisco.com (173.37.102.15) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Thu, 29 Jun 2017 01:19:47 -0500
Received: from xch-aln-005.cisco.com ([173.36.7.15]) by XCH-ALN-005.cisco.com ([173.36.7.15]) with mapi id 15.00.1210.000; Thu, 29 Jun 2017 01:19:47 -0500
From: "Rajiv Asati (rajiva)" <rajiva@cisco.com>
To: "stephan.lagerholm@yahoo.com" <stephan.lagerholm@yahoo.com>
CC: Mark Andrews <marka@isc.org>, IPv6 Ops WG <v6ops@ietf.org>
Thread-Topic: [v6ops] Supporting IPv6-only Networks with NAT64 and DNS64 section of draft-ietf-v6ops-rfc6555bis-01
Thread-Index: AQHS8CPvoUwFnRQpqU+Scvtd7jgqBqI61B6NgACnfQCAABRagIAACq+A///EfWc=
Date: Thu, 29 Jun 2017 06:19:47 +0000
Message-ID: <6450146D-C8AC-4557-8644-00EAB868E8E6@cisco.com>
References: <149670589074.3841.10812713591494006570@ietfa.amsl.com> <C22244D7-ABF6-430B-8155-8D4C1C1382DF@apple.com> <FA0D06E7-47F9-4029-81D4-2D96BFDD5576@consulintel.es> <65F3C8F4-6533-4C15-83F9-64AFC0EFFA79@apple.com> <4AC6726C-142E-48E5-95CF-2C3AD3331441@consulintel.es> <738488839.469942.1498664001646@mail.yahoo.com> <20170628220025.4FA447CB2073@rock.dv.isc.org> <280023835.899017.1498705302254@mail.yahoo.com> <47F7A2D8-9516-4E25-A673-40D6293B7CE7@isc.org>, <901072900.951551.1498711968004@mail.yahoo.com>
In-Reply-To: <901072900.951551.1498711968004@mail.yahoo.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
Content-Type: multipart/alternative; boundary="_000_6450146DC8AC4557864400EAB868E8E6ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/DEkWUdBOtR0XUlhdgyLEsyqPzGQ>
Subject: Re: [v6ops] Supporting IPv6-only Networks with NAT64 and DNS64 section of draft-ietf-v6ops-rfc6555bis-01
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jun 2017 06:19:52 -0000

Perhaps, have section 7 for IPv6-only network with 2 sub-sections -

7.1 pointing out transition technologies such as 464XLAT based on DNS64/NAT64 that breaks DNSSEC for v4 destinations.

7.2 pointing out that MAP-T/E not breaking DNSSEC since there is no DNS64 involved.

I still think it should be outside the scope of this draft to tackle DNSSEC related issues when using DNS64.

Agreed.

Cheers,
Rajiv Asati
Distinguished Engineer, Cisco Services


On Jun 28, 2017, at 9:53 PM, "stephan.lagerholm@yahoo.com<mailto:stephan.lagerholm@yahoo.com>" <stephan.lagerholm@yahoo.com<mailto:stephan.lagerholm@yahoo.com>> wrote:

Hi Mark,
>        Mark Andrews <marka@isc.org<mailto:marka@isc.org>>
>
>> On 29 Jun 2017, at 1:01 pm, stephan.lagerholm@yahoo.com<mailto:stephan.lagerholm@yahoo.com> wrote:
>>
>> Hi Mark,
>>
>> >From: Mark Andrews <marka@isc.org<mailto:marka@isc.org>>
>> >> In message <738488839.469942.1498664001646@mail.yahoo.com<mailto:738488839.469942.1498664001646@mail.yahoo.com>>, "stephan.lagerholm@yahoo.com<mailto:stephan.lagerholm@yahoo.com>" writes:
>> >> Hi David,
>> >> Thanks for adding the Supporting IPv6-only Networks with NAT64 and DNS64
>> >> section, I find it useful. However I don't think the below sentence from
>> >> this section is accurate. I can't think of any changes that are needed on
>> >> a client device to run NAT64/DNS64.
>> >
>> >Well you obviously don't have any devices doing DNSSEC validation.
>> >DNS64 breaks DNSSEC as it changes the DNS responses from NOERROR
>> >NODATA to NOERROR DATA by synthesizing a AAAA RRset.  This from the
>> >client's perspective is not different than forging a fake AAAA RRset
>> >that is trying to hijack the traffic stream.
>>
>> This case and the remedy is already covered in RFC 6147 section 3. I don't think it makes sense to bring it up in this draft.
>
>RFC 6147 states that end devices need to be upgraded.  Yes
>this is in contradiction to itself where it states that they don't need
>to be upgraded.
>
>Section 5.5.
>
>      The disadvantage to this approach is that an end point that is
>      translation-oblivious but security-aware and validating will not
>      be able to use the DNS64 functionality.  In this case, the end
>      point will not have the desired benefit of NAT64.  In effect,
>      this strategy means that any end point that wishes to do
>      validation in a NAT64 context must be upgraded to be
>      translation-aware as well.
>
>Then you have 5.5.3, turn a DNSSEC MUST NOT into a MAY
>and in doing so completely defeating the purpose of the "MUST NOT"
>on CD=1 which is to get answers which are incorrectly being rejected
>by the upstream validating resolver.
>
>      "then vDNS64 MAY perform validation,"
>
>Then you have changes to the purpose of CD which don't work
>with TTL=0 answers.
>
>The whole IETF seems to think that DNS64/NAT64 works well.  It
>doesn't when you need to use the protections that DNSSEC
>provides.  It works ok if everything else is correctly configured and
>there are no active attacks on the recursive DNS servers happening.

I agree that it does not work well if you validate on the stub resolver side. I can imagine that you could do an RFC7050 query within your validator, strip the pref64 and then validate the A record. I still think it should be outside the scope of this draft to tackle DNSSEC related issues when using DNS64. It is not going to add any clarity to Happy Eyeballs to have text around DNSSEC related issues that remains unchanged with or without this draft being implemented. I'm happy to work on an rfc6174bis with you.

/Stephan
_______________________________________________
v6ops mailing list
v6ops@ietf.org<mailto:v6ops@ietf.org>
https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email