Re: [v6ops] NAT64/DNS64 and DNSSEC
Philip Homburg <pch-v6ops-3@u-1.phicoh.com> Tue, 28 July 2015 21:44 UTC
Return-Path: <pch-bBB316E3E@u-1.phicoh.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B95C51B31A1 for <v6ops@ietfa.amsl.com>; Tue, 28 Jul 2015 14:44:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.6
X-Spam-Level:
X-Spam-Status: No, score=-4.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_LETTER=-2, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0VEgjpDSeSr4 for <v6ops@ietfa.amsl.com>; Tue, 28 Jul 2015 14:44:54 -0700 (PDT)
Received: from stereo.hq.phicoh.net (stereo.hq.phicoh.net [130.37.15.35]) by ietfa.amsl.com (Postfix) with ESMTP id 560011B2AB8 for <v6ops@ietf.org>; Tue, 28 Jul 2015 14:44:52 -0700 (PDT)
Received: from stereo.hq.phicoh.net (localhost [::ffff:127.0.0.1]) by stereo.hq.phicoh.net with esmtp (Smail #91) id m1ZKCg7-0000CdC; Tue, 28 Jul 2015 23:44:51 +0200
Message-Id: <m1ZKCg7-0000CdC@stereo.hq.phicoh.net>
To: v6ops@ietf.org
From: Philip Homburg <pch-v6ops-3@u-1.phicoh.com>
Sender: pch-bBB316E3E@u-1.phicoh.com
References: <alpine.DEB.2.02.1507230910190.11810@uplift.swm.pp.se> <55B09AE5.4040609@gmail.com> <2BBE839B-37FB-4EA2-982E-58028E7A13B6@nominum.com> <55B0F344.4090005@gmail.com> <ED7E283A-0430-4D4E-87A6-ED9FD8DFC6F4@nominum.com> <m1ZIYIw-0000EuC@stereo.hq.phicoh.net> <CAAedzxrWExsiyh4hhsfJTufuRVM_67f2tGWkHCLc9kiduTU0hg@mail.gmail.com> <88CAA5385EB5404392BF93106C8C53F89636B43DE3@HE111507.emea1.cds.t-internal.com>
In-reply-to: Your message of "Tue, 28 Jul 2015 21:58:12 +0200 ." <88CAA5385EB5404392BF93106C8C53F89636B43DE3@HE111507.emea1.cds.t-internal.com>
Date: Tue, 28 Jul 2015 23:44:51 +0200
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/pqCCk2pSa29VAt_V9Pj872c3QKw>
Subject: Re: [v6ops] NAT64/DNS64 and DNSSEC
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jul 2015 21:44:56 -0000
In your letter dated Tue, 28 Jul 2015 21:58:12 +0200 you wrote: > but isn't there a gap that when performing the RFC7050 64pref > detection by querying ipv6only.arpa, an attacker can spoof this > answer (DNSSEC won't work here, for example, the attacker - when > between the client and the DNS - can return for example > 2001:db8::192.0.0.170 (where 2001:db8:: is a prefix owned by the > attacker)) and then attract all IPv4 traffic from the victim? > > Nevertheless, an answer to the proliferation of DNSSEC and at the > same time increasing usage of DNS64/NAT has to be found, not to > stop the success of one or the other. Yes, that seems to be a very tricky problem. One option is perform local translation only for 64:ff9b::/96. This would force operators to use the well known prefix, but it has to advantage that the prefix can be filtered at the border of each network. And an attacker will be quite visible trying to get this traffic by manipulating routing protocols. A second approach is for the network to signal that there is no IPv4 present. For example, by not including a default route in DHCPv4 or otherwise signaling in DHCPv4 that there is no IPv4. In this case, if there is a valid IPv4 config, the library can refuse to perform the synthesis. This would leave all dual stack networks unaffected. Performing the AAAA lookup on ipv4only.arpa over tcp would require the attacker to be on the path to the resolver. An alternative to requiring 64:ff9b::/96, would be to insist that the NAT64 gateway and the DNS64 are in the same /48. That would require an attacker to spoof DNS resolvers in RAs or DHCPv6, in which case all bets are off. Ultimately, this only affects DNSSEC signed IPv4-only targets. The obvious solution is that if those sites care about security, they should add a AAAA.
- [v6ops] NAT64/DNS64 and DNSSEC Mikael Abrahamsson
- Re: [v6ops] NAT64/DNS64 and DNSSEC Brian E Carpenter
- Re: [v6ops] NAT64/DNS64 and DNSSEC Mikael Abrahamsson
- Re: [v6ops] NAT64/DNS64 and DNSSEC Heatley, Nick
- Re: [v6ops] NAT64/DNS64 and DNSSEC Philip Homburg
- Re: [v6ops] NAT64/DNS64 and DNSSEC Czerwonka Michał 1 - Hurt
- Re: [v6ops] NAT64/DNS64 and DNSSEC Ted Lemon
- Re: [v6ops] NAT64/DNS64 and DNSSEC Brian E Carpenter
- Re: [v6ops] NAT64/DNS64 and DNSSEC Ted Lemon
- Re: [v6ops] NAT64/DNS64 and DNSSEC Philip Homburg
- Re: [v6ops] NAT64/DNS64 and DNSSEC Erik Kline
- Re: [v6ops] NAT64/DNS64 and DNSSEC Philip Homburg
- Re: [v6ops] NAT64/DNS64 and DNSSEC Heatley, Nick
- Re: [v6ops] NAT64/DNS64 and DNSSEC holger.metschulat
- Re: [v6ops] NAT64/DNS64 and DNSSEC Philip Homburg
- Re: [v6ops] NAT64/DNS64 and DNSSEC Ca By
- Re: [v6ops] NAT64/DNS64 and DNSSEC Fred Baker (fred)
- Re: [v6ops] NAT64/DNS64 and DNSSEC Philip Homburg
- Re: [v6ops] NAT64/DNS64 and DNSSEC Ondřej Caletka
- Re: [v6ops] NAT64/DNS64 and DNSSEC Philip Homburg
- Re: [v6ops] NAT64/DNS64 and DNSSEC mohamed.boucadair
- Re: [v6ops] NAT64/DNS64 and DNSSEC Philip Homburg
- Re: [v6ops] NAT64/DNS64 and DNSSEC Czerwonka Michał 1 - Hurt
- Re: [v6ops] NAT64/DNS64 and DNSSEC Erik Kline
- Re: [v6ops] NAT64/DNS64 and DNSSEC Ted Lemon
- Re: [v6ops] NAT64/DNS64 and DNSSEC Ted Lemon
- Re: [v6ops] NAT64/DNS64 and DNSSEC Philip Homburg
- Re: [v6ops] NAT64/DNS64 and DNSSEC Philip Homburg
- Re: [v6ops] NAT64/DNS64 and DNSSEC Gert Doering
- Re: [v6ops] NAT64/DNS64 and DNSSEC Philip Homburg