[v6ops] Re: [EXTERNAL] New Version Notification for draft-jens-7050-secure-channel-00.txt

Brian Candler <brian@nsrc.org> Wed, 26 June 2024 19:47 UTC

Message-ID: <c261c1ef-12fd-4fc7-b1ed-1d4886eb6b8e@nsrc.org>
Date: Wed, 26 Jun 2024 20:47:28 +0100
To: Tommy Jensen <Jensen.Thomas@microsoft.com>, "dnsop@ietf.org" <dnsop@ietf.org>
References: <171938023258.233563.15620604196859383340@dt-datatracker-5864469bc9-n5hqk> <PH0PR00MB1350CE1FF1162D8C77FEE918FAD62@PH0PR00MB1350.namprd00.prod.outlook.com> <a2756f5f-52d8-4529-bb1a-166bc80f5b96@nsrc.org> <PH0PR00MB13527A4B2814F8748808D3E3FAD62@PH0PR00MB1352.namprd00.prod.outlook.com>
From: Brian Candler <brian@nsrc.org>
In-Reply-To: <PH0PR00MB13527A4B2814F8748808D3E3FAD62@PH0PR00MB1352.namprd00.prod.outlook.com>
CC: V6 Ops List <v6ops@ietf.org>
Subject: [v6ops] Re: [EXTERNAL] New Version Notification for draft-jens-7050-secure-channel-00.txt
List-Id: v6ops discussion list <v6ops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/_QU9qRZN3FtwuzTXU8sql2bjCJ4>

On 26/06/2024 17:01, Tommy Jensen wrote:
> One use case could be 8781 is harder for apps above the networking 
> stack to read, which applies to NAT64+DNS64 in the absence of 464XLAT 
> and apps that are IPv6 aware trying to reach IPv4 only destinations. I 
> might be tossing a match into fuel here, but to answer your question, 
> I think we need to first answer "what is our recommended story for 
> IPv6-aware apps communicating with IPv4-only peers when the OS gives 
> it no IPv4 address or CLAT?"

That is true, although your question implies that applications 
themselves are going to be embedding their own CLAT.

The possibility was raised on v6ops recently of putting CLAT-type 
functionality into libc, which in principle should be simple to do. That 
would indeed require a way for it to obtain the received PREF64 
value(s). I would imagine that some networking daemon would write those 
values to a file, which is read by libc whenever it wants to map an IPv4 
socket to an IPv6 one. That seems to me entirely an internal matter 
between the OS and libc, just as, say, determining which NTP servers to 
use based on DHCP responses.

Furthermore: increasingly applications are performing their own DNS 
resolution, using DNS configurations which are not those set up by the 
local network administrator (e.g. DoH to third-party service). Those 
will comprehensively defeat DNS64 as a prefix detection mechanism.

I was trying not to cloud the issue in my previous remark, but I might 
as well add additional fuel to the fire now: should DNS64 itself be 
deprecated? Once you have 464XLAT then you don't need it at all, and you 
don't need to pretend to applications that IPv4-only servers have IPv6 
addresses.

Regards,

Brian.
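The two address-mapping steps the message touches on, as an added illustration that is not code from this thread or from any OS or libc: RFC 6052 synthesis and extraction (what a libc-level CLAT would do with a learned PREF64 when it turns an IPv4 destination into an IPv6 one), and RFC 7050 prefix discovery from a DNS64-synthesised AAAA for ipv4only.arpa (the detection mechanism the message says application-level DoH resolvers bypass). The one-prefix-per-line "PREF64 file" format, the `load_pref64`/`map_v4_destination` helpers, and every sample address and AAAA answer are constructed here for the example; no networking daemon actually publishes PREF64 in that form.

```python
"""RFC 6052 IPv4-embedded addresses and RFC 7050 PREF64 discovery.

Added example, not code from the mailing-list thread. The PREF64 file
format and all sample inputs are constructed for illustration."""
import ipaddress
from typing import List, Optional

IPv4 = ipaddress.IPv4Address
IPv6 = ipaddress.IPv6Address
Net6 = ipaddress.IPv6Network

# Prefix lengths RFC 6052 permits for an IPv4-embedded IPv6 address.
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
# Well-known IPv4 addresses of ipv4only.arpa (RFC 7050, section 3).
WKA = {IPv4("192.0.0.170"), IPv4("192.0.0.171")}


def _v4_positions(prefixlen: int) -> List[int]:
    """Octet indices that carry the IPv4 address for a given prefix length.
    RFC 6052 section 2.2: the four octets follow the prefix but skip octet 8
    (bits 64-71, the reserved 'u' octet, which must stay zero)."""
    if prefixlen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"unsupported PREF64 length /{prefixlen}")
    positions, pos = [], prefixlen // 8
    while len(positions) < 4:
        if pos == 8:
            pos += 1
        positions.append(pos)
        pos += 1
    return positions


def synthesize(pref64: Net6, v4: IPv4) -> IPv6:
    """Embed v4 into pref64 (RFC 6052 section 2.2)."""
    out = bytearray(pref64.network_address.packed)  # bits past the prefix are zero
    for idx, octet in zip(_v4_positions(pref64.prefixlen), v4.packed):
        out[idx] = octet
    return IPv6(bytes(out))


def extract(pref64: Net6, v6: IPv6) -> IPv4:
    """Inverse of synthesize; refuses addresses outside the prefix."""
    if v6 not in pref64:
        raise ValueError(f"{v6} is not inside {pref64}")
    packed = v6.packed
    return IPv4(bytes(packed[i] for i in _v4_positions(pref64.prefixlen)))


def discover_pref64(aaaa_answers: List[str]) -> Optional[Net6]:
    """RFC 7050 section 3: find the prefix length at which the AAAA answers
    for ipv4only.arpa carry a well-known IPv4 address. Returns None when
    nothing matches or the answers disagree; a caller should treat that as
    'no NAT64 detected' rather than guess a prefix."""
    found = set()
    for answer in aaaa_answers:
        v6 = IPv6(answer)
        for plen in VALID_PREFIX_LENGTHS:
            candidate = Net6((v6, plen), strict=False)
            if extract(candidate, v6) in WKA:
                found.add(candidate)
    return found.pop() if len(found) == 1 else None


def load_pref64(text: str) -> List[Net6]:
    """Parse the hypothetical one-prefix-per-line file the message imagines a
    network daemon writing for libc. '#' comments and blank lines are
    ignored; junk or non-RFC-6052 lengths raise instead of being used."""
    prefixes = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            net = Net6(line)            # ValueError on malformed input
            _v4_positions(net.prefixlen)  # ValueError on a length 6052 forbids
            prefixes.append(net)
    return prefixes


def map_v4_destination(v4: str, pref64_text: str) -> IPv6:
    """What a libc shim would do on connect() to an IPv4 destination when the
    host has no IPv4 address or CLAT: use the first learned PREF64."""
    prefixes = load_pref64(pref64_text)
    if not prefixes:
        raise OSError("no PREF64 learned; cannot reach an IPv4-only peer")
    return synthesize(prefixes[0], IPv4(v4))


# Constructed sample inputs (not captured from a real network).
SAMPLE_PREF64_FILE = "64:ff9b::/96   # learned from an RA PREF64 option\n"
SAMPLE_AAAA = ["64:ff9b::c000:aa", "64:ff9b::c000:ab"]

if __name__ == "__main__":
    print(discover_pref64(SAMPLE_AAAA))                          # 64:ff9b::/96
    print(map_v4_destination("192.0.2.33", SAMPLE_PREF64_FILE))  # 64:ff9b::c000:221
    print(synthesize(Net6("2001:db8:122:344::/64"), IPv4("192.0.2.33")))
```

`discover_pref64` deliberately returns None on ambiguity instead of picking the first matching length: a resolver that is not the network's DNS64 (the DoH case in the message) simply returns no synthesised AAAA, and the caller then has no prefix to use, which is the failure mode being described.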