Re: [v6ops] draft-palet-v6ops-nat64-deployment discussion
Andrew Sullivan <ajs@anvilwalrusden.com> Tue, 29 May 2018 17:57 UTC
Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DC41126B6D for <v6ops@ietfa.amsl.com>; Tue, 29 May 2018 10:57:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=yitter.info header.b=EGU2Yo9y; dkim=pass (1024-bit key) header.d=yitter.info header.b=jelxWfoM
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZlrMWeFYvH3N for <v6ops@ietfa.amsl.com>; Tue, 29 May 2018 10:57:49 -0700 (PDT)
Received: from mx4.yitter.info (mx4.yitter.info [159.203.56.111]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D757120047 for <v6ops@ietf.org>; Tue, 29 May 2018 10:57:49 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mx4.yitter.info (Postfix) with ESMTP id A1608BDEF9 for <v6ops@ietf.org>; Tue, 29 May 2018 17:57:18 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yitter.info; s=default; t=1527616638; bh=amWTD07WT1m9g2xs2u+KeKqQ1HODgw8mT6+nfWLav3U=; h=Date:From:To:Subject:References:In-Reply-To:From; b=EGU2Yo9y2RgjurOMaAVOJIEjupbC+Cr4pygFsIO7oQlmuHljUj5LDfnm2L7vSphsj KQQloOc7cUOxfmZYyuxyo1R4AGwS5MxR4SaWQp57A09kwYEqGVRACy2J4hLp17txiG 7eU9DAtpdGWAvvW3ml8XjEcHBWvUAahjRAS8Lang=
X-Virus-Scanned: Debian amavisd-new at crankycanuck.ca
Received: from mx4.yitter.info ([127.0.0.1]) by localhost (mx4.yitter.info [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wY3t0jQBZc6n for <v6ops@ietf.org>; Tue, 29 May 2018 17:57:12 +0000 (UTC)
Date: Tue, 29 May 2018 13:57:09 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yitter.info; s=default; t=1527616631; bh=amWTD07WT1m9g2xs2u+KeKqQ1HODgw8mT6+nfWLav3U=; h=Date:From:To:Subject:References:In-Reply-To:From; b=jelxWfoMjPqTreEZctEq+OChL+FOmhxa8WHFLOEJhf525kIm+PsGYmfpdMZfJ9+B2 /25G3xOJ6fdHTTs0GYXNpb1h0E2UdTVOKQVOV/5bPoQrSV2HNlEASE6U/kHeDzK0QD viYu1fmdKuZaJER+bBVwfea3JtqFJ7x3Ngj/Jjfs=
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: v6ops@ietf.org
Message-ID: <20180529175709.GI19425@mx4.yitter.info>
References: <C9183F53-FF89-4FA2-9787-B238A5BCA21F@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <C9183F53-FF89-4FA2-9787-B238A5BCA21F@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/bDLYkegeHoU1mDtBqGdhB63YdTk>
Subject: Re: [v6ops] draft-palet-v6ops-nat64-deployment discussion
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 May 2018 17:57:52 -0000
Hi, On Sun, May 13, 2018 at 07:07:18PM -0700, Fred Baker wrote: > Considering https://tools.ietf.org/html/draft-palet-v6ops-nat64-deployment-00, discussed at IETF 101 using the slides at https://datatracker.ietf.org/meeting/101/materials/slides-101-v6ops-nat64-deployment-guidelines-in-operator-and-enterprise-networks-00. I'd like to invite discussion on the list. What thoughts do folks have on this draft? > Thanks for asking. I have read the draft. In section 2, I find this claim bizarre: If a device connected to an IPv6-only WAN queries for a domain name in a signed zone, by means of a recursive name server that supports DNS64, and the result is a synthesized AAAA record, and the recursive name server is configured to perform DNSSEC validation and has a valid chain of trust to the zone in question, it will cryptographically validate the negative response from the authoritative name server. So, the recursive name server actually lie to the client device, Of course they are "lying" to the client: that's literally the feature. What the DNS64 mechanism does is give you answers for a AAAA record when you otherwise wouldn't get one. And indeed, a validating DNS64 resolver can give you that synthetic AAAA with greater confidence, having validated that the AAAA really for sure doesn't exist. Similarly, If the client device performs DNSSEC validation on the AAAA record, it will fail as it is a synthesized record. This is only true if the "client device" is NAT64-oblivious. That point is made at some length in RFC 6147, in sections 3, 5.5, and 6.2. It isn't like we didn't think about this. Essentially all of section 2 is covered at length in RFC 6147; and the "obvious solution" contained in this section is rather non-obvious to me, given that such a requirement is both beyond the means of the person who has the problem and also, in fact, the very problem NAT64/DNS64 is trying to mitigate. Indeed, if the solution were just, "Everyone should deploy IPv6," we wouldn't need NAT64/DNS64 at all. When we wrote DNS64, we made the assumption (which I think we made clear in RFC 6147) that it was sufficiently early in the validator-deployment curve that it would be ok to break certain DNSSEC assumptions for people who were really stuck in a NAT64/DNS64-needing world. Validators could come to know about NAT64, could perform the necessary discovery, and could do their own synthesis. This is why we overloaded the CD bit. (I am aware that Mark Andrews hated that decision, but it was the only one on offer unless we wanted to do multiple round trips for every one of these cases -- something I still think would have been a bad idea. And it was the WG consensus; Mark was in the rough.) In section 3, there are some arguments for deployment scenarios that are explicitly ruled out by NAT64/DNS64. In particular, if 3.a. is true then the validating resolvers need to be DNS64-aware too (as RFC 6147 pointed out); if not, then they can't validate. 3.b. was always a known issue with NAT64/DNS64, and my position then (and now) was that we weren't trying to make this perfect, we were trying to mitigate pain. I have been pleasantly surprised by the success of RFC 6877, which seems to me to be a partial answer to the limitations of NAT64/DNS64. But I did not believe then, and I do not believe now, that we should make the transition services perfect. We need to make them just good enough that most things mostly work, and rely on commercial pressure (particularly from lousy performance) to ensure that people who are IPv4 only get the message. Section 3.1 describes a case that simply doesn't work: the whole point of publishing NAT64 and DNS64 together was to make complementary things that worked together. I am struggling to imagine what conceivable value this would be (or in what world random authoritative servers on the Internet are going to configure synthetic records for everyone else). In general, I find the use cases to be improbable. Anyone who is willing to go to the effort of deploying NAT64 or 464XLAT is going to be able to deploy DNS64 too. Virtually nobody is doing DNSSEC validation in endpoints even today, and virtually everyone who is has the capacity to do synthesis themselves as well. So, I don't really understand what the document is trying to do. I think it would be useful to tell people, "If you're going to deploy NAT64, you need DNS64, and here are some limitations." This document seems instead to pretend that there are some sorts of mitigations for most of these issues, some of which appear to involve getting other people on the Internet to do things. I don't see how it helps any transition, and I don't see how it helps people trying to deploy NAT64+DNS64 to cloud the water with a bunch of scenarios that won't work and were never expected to work. Best regards, A -- Andrew Sullivan ajs@anvilwalrusden.com
- Re: [v6ops] draft-palet-v6ops-nat64-deployment di… STARK, BARBARA H
- Re: [v6ops] draft-palet-v6ops-nat64-deployment di… JORDI PALET MARTINEZ
- [v6ops] draft-palet-v6ops-nat64-deployment discus… Fred Baker
- Re: [v6ops] draft-palet-v6ops-nat64-deployment di… Lencse Gábor
- Re: [v6ops] draft-palet-v6ops-nat64-deployment di… JORDI PALET MARTINEZ
- Re: [v6ops] draft-palet-v6ops-nat64-deployment di… Lencse Gábor
- Re: [v6ops] draft-palet-v6ops-nat64-deployment di… JORDI PALET MARTINEZ
- Re: [v6ops] draft-palet-v6ops-nat64-deployment di… Andrew Sullivan
- Re: [v6ops] draft-palet-v6ops-nat64-deployment di… JORDI PALET MARTINEZ
- Re: [v6ops] draft-palet-v6ops-nat64-deployment di… Andrew Sullivan
- Re: [v6ops] draft-palet-v6ops-nat64-deployment di… Lee Howard
- Re: [v6ops] draft-palet-v6ops-nat64-deployment di… JORDI PALET MARTINEZ
- Re: [v6ops] draft-palet-v6ops-nat64-deployment di… JORDI PALET MARTINEZ
- Re: [v6ops] draft-palet-v6ops-nat64-deployment di… Fred Baker