Re: [v6ops] draft-palet-v6ops-nat64-deployment-02 comments

JORDI PALET MARTINEZ <jordi.palet@consulintel.es> Thu, 28 June 2018 12:30 UTC

Date: Thu, 28 Jun 2018 14:30:50 +0200
From: JORDI PALET MARTINEZ <jordi.palet@consulintel.es>
To: Fred Baker <fredbaker.ietf@gmail.com>
CC: "v6ops@ietf.org list" <v6ops@ietf.org>
Message-ID: <A85DCA2A-6204-4132-A936-CFAEAB6BED2F@consulintel.es>
Thread-Topic: [v6ops] draft-palet-v6ops-nat64-deployment-02 comments
References: <663F489C-7F63-4B0C-A5E6-F7EE4634E62B@gmail.com> <ED663F6E-C63B-4FEC-913C-2CFF16249E93@consulintel.es> <9921F0BA-F2A5-4214-A133-1C8F4AF7CB6A@gmail.com> <D8CD13C6-FA27-47F8-A18E-AE696C343539@consulintel.es> <CD5C71C5-418A-4CB1-8F47-28C33FBB28CA@gmail.com>
In-Reply-To: <CD5C71C5-418A-4CB1-8F47-28C33FBB28CA@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/NuGGZnjgCvpdWX2svg5ziLGGNfs>
Subject: Re: [v6ops] draft-palet-v6ops-nat64-deployment-02 comments

Do you think it makes sense today for a smart OS or app provider, knowing that the app needs to talk to IPv4-only hosts, to make that app or OS IPv6-only?

If I were in their shoes, I would only make the app or OS IPv6-only once I'm 100% sure that the peer I need to speak to is also IPv6-ready.

And by the way, this will only make sense when that OS or app provider knows for sure that their customers will also get IPv6 from their ISPs.

Or am I missing something?

So what I'm saying is that supporting IPv6-only hosts does not make sense for now, and even if that is supported, with the ISP offering DNS64, everything will break if the user changes the DNS servers ...


Regards,

Jordi


-----Original message-----
From: Fred Baker <fredbaker.ietf@gmail.com>
Date: Thursday, 28 June 2018, 14:24
To: JORDI PALET MARTINEZ <jordi.palet@consulintel.es>
CC: "v6ops@ietf.org list" <v6ops@ietf.org>
Subject: Re: [v6ops] draft-palet-v6ops-nat64-deployment-02 comments


    On Jun 28, 2018, at 1:14 AM, JORDI PALET MARTINEZ <jordi.palet@consulintel.es> wrote:

    >>>> The major advantage of this scenario, using 464XLAT without DNS64, is
    >>>> that the service provider ensures that DNSSEC is never broken.
    >>>
    >>> Yes, but at the cost of IPv6-IPv4 connectivity.
    >>
    >> I suppose in part I'm thinking out loud. But I do think it's important to not trivialize the lack of connectivity in that last case, which I think your current text does. Yes, DNSSEC doesn't work (doesn't validate a signature, and probably doesn't *have* a signature) with a DNS64 IPv4-embedded IPv6 address. But it doesn't work without one either, because in that case nothing works - there is no connectivity. It's a judgement call, I suppose, but I think it's better to say it than let the installing ISP discover it and wonder what happened.
    >
    > -> Understood. I will improve the text to avoid that trivialization. However, I don't agree that it doesn't work. What happens is that in that case the connection is done using the IPv4 stack of both peers (so the dual-stack host behind the CLAT CE only sees an "A" record, so it naturally uses only that one).

    For the dual-stack host behind the CLAT, yes. For the IPv6-only host, there is either no connectivity to an IPv4-only host, or it goes through the PLAT and DNSSEC is broken. There remains no connectivity using the signed DNSSEC A record, because the IPv6-only host isn't using it.





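Added example, not written by either participant and not part of the draft under discussion: a small Python model of the four cases argued over above, an IPv6-only host and a dual-stack host behind a 464XLAT CLAT, each with and without the ISP's DNS64 resolver in the path. The only standards-based piece is the RFC 6052 address synthesis with the well-known NAT64 prefix 64:ff9b::/96; the sample zone `v4only.example` with its signed A record and no AAAA, the "RRSIG present" flag, the host labels and the outcome strings are constructed assumptions used to make the trade-off concrete.

```python
"""Toy model of the DNS64 / 464XLAT / DNSSEC interaction (added example).

Everything except the RFC 6052 address embedding is a constructed assumption:
the zone, the RRSIG flags and the host categories are stand-ins chosen to
reproduce the four cases discussed in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed sample zone: an IPv4-only service with a DNSSEC-signed A record
# and no AAAA record.  (name, type) -> (rdata, rrsig_present)
ZONE = {
    ("v4only.example", "A"): (["192.0.2.10"], True),
}


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> str:
    """DNS64 synthesis for a /96 NAT64 prefix: the IPv4 address occupies the
    low 32 bits of the IPv6 address (RFC 6052)."""
    if prefix.prefixlen != 96:
        raise ValueError("this example handles /96 prefixes only")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> Optional[str]:
    """What the PLAT does on the wire: recover the embedded IPv4 address if the
    destination falls inside the NAT64 prefix, else None (native IPv6)."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF))


@dataclass
class Answer:
    rdata: list
    rrsig_present: bool   # an RRSIG accompanies the RRset, so a stub can validate it
    synthesized: bool     # a DNS64 resolver fabricated the RRset


def resolve(name: str, qtype: str, dns64: bool) -> Answer:
    """Toy recursive resolver.  With dns64=True it synthesizes AAAA from A when
    the zone has no AAAA; the synthesized RRset has no RRSIG (nobody holds the
    zone key to sign it)."""
    if (name, qtype) in ZONE:
        rdata, signed = ZONE[(name, qtype)]
        return Answer(rdata, signed, False)
    if qtype == "AAAA" and dns64 and (name, "A") in ZONE:
        a_rdata, _ = ZONE[(name, "A")]
        return Answer([synthesize_aaaa(ip) for ip in a_rdata], False, True)
    return Answer([], False, False)


def connect(host: str, name: str, dns64: bool) -> str:
    """Outcome for one host type: 'ipv6only' is an IPv6-only host running a
    validating stub resolver; 'dualstack-clat' is a dual-stack host behind a
    464XLAT CLAT CE."""
    if host == "dualstack-clat":
        # The dual-stack host only sees the signed A record and uses its IPv4
        # stack; the CLAT carries that traffic across the IPv6-only access network.
        a = resolve(name, "A", dns64)
        if a.rdata and a.rrsig_present:
            return "ipv4-via-clat, dnssec-validated"
        return "no-connectivity"
    if host == "ipv6only":
        aaaa = resolve(name, "AAAA", dns64)
        if not aaaa.rdata:
            return "no-connectivity"
        if aaaa.synthesized:
            # No RRSIG to validate: the only way to reach the IPv4-only peer is
            # to use the synthesized address unvalidated, through the PLAT.
            return "ipv6-via-plat, dnssec-broken"
        return "ipv6-native, dnssec-validated"
    raise ValueError(f"unknown host type: {host}")


def scenario_table(name: str = "v4only.example") -> dict:
    """All four combinations from the thread: host type x whether the ISP's
    DNS64 resolver is in use.  dns64=False models the user switching to a
    resolver that does not do DNS64."""
    return {
        (host, dns64): connect(host, name, dns64)
        for host in ("ipv6only", "dualstack-clat")
        for dns64 in (True, False)
    }


if __name__ == "__main__":
    for (host, dns64), outcome in scenario_table().items():
        print(f"{host:15} dns64={dns64!s:5} -> {outcome}")
```

Running it prints one row per case: the `ipv6only`/`dns64=True` row is the "goes through the PLAT and DNSSEC is broken" path, the `ipv6only`/`dns64=False` row is the "user changes the DNS servers" failure, and both `dualstack-clat` rows succeed over the signed A record whether DNS64 is present or not, which is the 464XLAT-without-DNS64 property the draft text describes.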