[v6ops] draft-palet-v6ops-464xlat-opt-cdn-caches impact on DNS privacy

JORDI PALET MARTINEZ <jordi.palet@consulintel.es> Mon, 18 November 2019 14:30 UTC

Return-Path: <prvs=122534dadc=jordi.palet@consulintel.es>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 459731201DB for <v6ops@ietfa.amsl.com>; Mon, 18 Nov 2019 06:30:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=consulintel.es
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id WZst7ZsySXyf for <v6ops@ietfa.amsl.com>; Mon, 18 Nov 2019 06:30:17 -0800 (PST)
Received: from mail.consulintel.es (mail.consulintel.es [IPv6:2001:470:1f09:495::5]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83097120105 for <v6ops@ietf.org>; Mon, 18 Nov 2019 06:30:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=consulintel.es; s=MDaemon; t=1574087413; x=1574692213; i=jordi.palet@consulintel.es; q=dns/txt; h=User-Agent:Date: Subject:From:To:Message-ID:Thread-Topic:Mime-version: Content-type:Content-transfer-encoding; bh=BA58wHpm6Sy3/OpDEDasg zsBjUsR5XXoCmH6KiWcKuc=; b=Q/WtimwAB6/1YlHMSAdIiHlIrXMHCafn8Ydd9 xnQrfvUKOLQK7A/6zYxM7EiLigHQF9eb+05zXW38SV+sreUH9W8SwwD5yUsvGTpm YZTlxSfRY8MXhin17al7ET23UJvaEC/0phsf4Q5naG4RX+Z1gt8w8A57p/m6FD6x r8grTM=
X-MDAV-Result: clean
X-MDAV-Processed: mail.consulintel.es, Mon, 18 Nov 2019 15:30:13 +0100
X-Spam-Processed: mail.consulintel.es, Mon, 18 Nov 2019 15:30:13 +0100
Received: from [] by mail.consulintel.es (MDaemon PRO v16.5.2) with ESMTPA id md50006471788.msg for <v6ops@ietf.org>; Mon, 18 Nov 2019 15:30:12 +0100
X-MDHelo: []
X-MDArrival-Date: Mon, 18 Nov 2019 15:30:12 +0100
X-Authenticated-Sender: jordi.palet@consulintel.es
X-Return-Path: prvs=122534dadc=jordi.palet@consulintel.es
X-Envelope-From: jordi.palet@consulintel.es
X-MDaemon-Deliver-To: v6ops@ietf.org
User-Agent: Microsoft-MacOutlook/10.1f.0.191110
Date: Mon, 18 Nov 2019 22:30:02 +0800
From: JORDI PALET MARTINEZ <jordi.palet@consulintel.es>
To: <v6ops@ietf.org>
Message-ID: <4727C58E-8A79-43C1-9ED6-27D5FB6D5628@consulintel.es>
Thread-Topic: draft-palet-v6ops-464xlat-opt-cdn-caches impact on DNS privacy
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/ln9VmWHiO_nc-5tmaQqvIyHwu4s>
Subject: [v6ops] draft-palet-v6ops-464xlat-opt-cdn-caches impact on DNS privacy
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Nov 2019 14:30:18 -0000

Hi all,

Jared and Fred have asked the same question during the WG meeting, for different scenarios.

We have described this under section 4.2.12 (foreign DNS), and we believe that it is not an issue.

Anyway, here is a short clarification on that.

a) If a device/app is not using the DNS proxy from the CE, the optimization will not be done for that device/app. The EAMT entry will not be created.

b) Consequently, the same apply if we are talking about DNS privacy (DoT, DoH, DoQ, etc.).

c) If the DNS is modified (even if not using DNS privacy) in the OS, will not have impact for the same reasons, and even less when we are talking about a dual-stack OS. Remember that we only create the EAMT if an IPv4-only device is detected using the CLAT+DNS proxy. If a dual-stack devices is being detected as IPv4-only, the result is the same as if the device is using IPv6. Even if the device uses HE to fall back from IPv6 (because IPv6 is not working) to IPv4, the device will not be able to connect neither with IPv4 or IPv6, because the access is IPv6-only (this is described in section 4.2.11).

d) If the user modify the DNS in the CE, the optimization is not affected, because it doesn't requires using the ISP DNS, it is based in using the CE DNS proxy.

e) You can imagine combinations of the above scenarios and the result is the same. Either the optimization is not done, or not affected, but I don't think there is any negative impact.

Now, how it changes all this if the scenario is not a residential user with a CE, but an enterprise?

We didn't considered this a different case, because I think the enterprise will be c or d above, or both of them. In fact, it may happen that the enterprise router is not supporting the optimization, or it has been disabled via GUI or CLI.

If the enterprise is already doing something to avoid DNS privacy, because the optimization is not "changing" the way a "foreign DNS" is working, we don't impact on that.

The optimization is based only in using the CE DNS proxy. Enterprises, unless they are SMEs, typically will have their own DNS proxy, so no optimization is performed. This is not a big impact, because the "main" target of the optimization is not an old STB or SmartTV uses from time to time in an enterprise, but the massive residential users (which are the ones, in general, creating more traffic to the CDNs from IPv4-only devices).

Does it makes sense?

Fred, others, if you believe the way enterprises are trying to avoid DNS privacy may impact this, can you point to specific documents?



IPv4 is over
Are you ready for the new Internet ?
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.