Re: [v6ops] NAT64/DNS64 and DNSSEC

<mohamed.boucadair@orange.com> Wed, 29 July 2015 12:38 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D93581A8A44 for <v6ops@ietfa.amsl.com>; Wed, 29 Jul 2015 05:38:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.599
X-Spam-Level:
X-Spam-Status: No, score=-4.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, GB_I_LETTER=-2, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FmY-y0Cgh2iz for <v6ops@ietfa.amsl.com>; Wed, 29 Jul 2015 05:38:54 -0700 (PDT)
Received: from relais-inet.francetelecom.com (relais-ias244.francetelecom.com [80.12.204.244]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 256BB1A8A3E for <v6ops@ietf.org>; Wed, 29 Jul 2015 05:38:54 -0700 (PDT)
Received: from omfeda08.si.francetelecom.fr (unknown [xx.xx.xx.201]) by omfeda10.si.francetelecom.fr (ESMTP service) with ESMTP id 8ABC7374784; Wed, 29 Jul 2015 14:38:52 +0200 (CEST)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [10.114.31.18]) by omfeda08.si.francetelecom.fr (ESMTP service) with ESMTP id 6DD70384116; Wed, 29 Jul 2015 14:38:52 +0200 (CEST)
Received: from OPEXCLILMA3.corporate.adroot.infra.ftgroup ([fe80::60a9:abc3:86e6:2541]) by OPEXCLILM34.corporate.adroot.infra.ftgroup ([fe80::cba:56d0:a732:ef5a%19]) with mapi id 14.03.0248.002; Wed, 29 Jul 2015 14:38:52 +0200
From: <mohamed.boucadair@orange.com>
To: Philip Homburg <pch-v6ops-3@u-1.phicoh.com>
Thread-Topic: [v6ops] NAT64/DNS64 and DNSSEC
Thread-Index: AQHQyekc+iplqWA6RkKlEMa3/B/mHZ3yYmyQ
Date: Wed, 29 Jul 2015 12:38:51 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B933005370CE6@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
References: <alpine.DEB.2.02.1507230910190.11810@uplift.swm.pp.se> <55B09AE5.4040609@gmail.com> <2BBE839B-37FB-4EA2-982E-58028E7A13B6@nominum.com> <55B0F344.4090005@gmail.com> <ED7E283A-0430-4D4E-87A6-ED9FD8DFC6F4@nominum.com> <m1ZIYIw-0000EuC@stereo.hq.phicoh.net> <CAAedzxrWExsiyh4hhsfJTufuRVM_67f2tGWkHCLc9kiduTU0hg@mail.gmail.com> <88CAA5385EB5404392BF93106C8C53F89636B43DE3@HE111507.emea1.cds.t-internal.com> <55B8A596.80600@cesnet.cz> <m1ZKOZT-0000CeC@stereo.hq.phicoh.net>
In-Reply-To: <m1ZKOZT-0000CeC@stereo.hq.phicoh.net>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.168.234.3]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-PMX-Version: 6.2.1.2478543, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2015.7.29.120616
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/XyIoqj0YHyLbhO4DNd46gn_J70Q>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] NAT64/DNS64 and DNSSEC
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2015 12:38:56 -0000

Dear Philip, 

FWIW, another solution is defined here: https://tools.ietf.org/html/rfc7225#section-3.

Cheers,
Med 

> -----Message d'origine-----
> De : v6ops [mailto:v6ops-bounces@ietf.org] De la part de Philip Homburg
> Envoyé : mercredi 29 juillet 2015 12:27
> À : v6ops@ietf.org
> Objet : Re: [v6ops] NAT64/DNS64 and DNSSEC
> 
> In your letter dated Wed, 29 Jul 2015 12:06:14 +0200 you wrote:
> >That is why there is a requirement in RFC7050 Section 3.1. to validate
> >network-specific NAT64 prefix using reverse and forward DNSSEC secured
> >queries. The only problem is that there is no way so far how to seed the
> >list of trusted NSP domains. Instead of asking users "Do you want to
> >trust the network prefix dns64.example.org?", there could probably be
> >some matching with domain name received by other means like DHCP or
> DNSSL=
> >=2E
> >
> >Of course, using the Well-known prefix is on the safe side, and should
> >be IMO used wherever applicable.
> 
> It seems to me that Section 3.1 is very far from something can be
> implemented
> in a practical way in a consumer device.
> 
> I.e. if a user with a mobile device connects to a random network that
> employs
> NAT64, there is essentially no way for an ordinary user to verify if the
> prefix is valid or not.
> 
> Now if there would be DHCPv6 and RA options for the prefix, there would be
> no need to discover the prefix using the DNS64 resolver and the problem
> would
> reduce to whether to trust DHCPv6 or RA. Which is already part of the
> security model (i.e. RA guard can protect users from each other).
> 
> 
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops