Re: [v6ops] draft-hunek-v6ops-nat64-srv
Ted Lemon <mellon@fugue.com> Thu, 23 June 2022 19:42 UTC
Return-Path: <mellon@fugue.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B43EC15A724 for <v6ops@ietfa.amsl.com>; Thu, 23 Jun 2022 12:42:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.894
X-Spam-Level:
X-Spam-Status: No, score=-1.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QbOvLFACP764 for <v6ops@ietfa.amsl.com>; Thu, 23 Jun 2022 12:42:45 -0700 (PDT)
Received: from mail-oa1-x29.google.com (mail-oa1-x29.google.com [IPv6:2001:4860:4864:20::29]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28402C159496 for <v6ops@ietf.org>; Thu, 23 Jun 2022 12:42:44 -0700 (PDT)
Received: by mail-oa1-x29.google.com with SMTP id 586e51a60fabf-1048b8a38bbso763563fac.12 for <v6ops@ietf.org>; Thu, 23 Jun 2022 12:42:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xW+NA/NeK8fLUOIRUBDPCno2XAtY5Vau5naNal2PL3M=; b=KjDiPDwAC4wF6EDVi1XcR6XK1y/ZQeSR3zr6R/ohz721O/0OLvhUP/HMoKAizsAZvb vU4r1IfrBl8g7BOfrN+QeH50CCSdy3KmWcrNiw5nuQmtIKDzP8GpYLhDB7zQdckvGS3V xEZoSp0ki3ehHmBwEjzE5Oz3SlEvCfA9F5WAlW2pNDV5fFwxt6wYE6y7CDjo4EwSUsmo hsnH+JAc8j6cValDm6cpzOE06AXuxDUPY2qT6OYNzMhhHVVTgE+9eUoEh72ajokLhE/D lroW+p8ATL6mD9ERtaa4SVqiCIdAsPv0uAXzV6tbgf9jWCJPTAB6VeIUo/QAcyheTHm7 c6NA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xW+NA/NeK8fLUOIRUBDPCno2XAtY5Vau5naNal2PL3M=; b=yJJLnqgRVKsRskt7xm2flwyI2+Bi2IKzVteuBa327LcT61vnPs2DrMORTb2T/zd/1q R692z/J/ErVA5OqCcYj6N63b4bmvp3CVIqKG1RPXVCcJ8ebN7i0F4wePOiSoNYphfQ1y JaUAC92ZGup5aMLLihuxDGlARy8zBgi5R08tOcrC1/2DKkE+PUFnTjk6mOtYWIaPrJbA i9dLGnKGtvPYSBeA29T1vls4C0xWl7DPHrmcf47sS3nzJjW86oEf6JdsVu767XY4xCg/ 8Xm9itutdCcdHjjEDU1VDWL3E2SRM4qQTG+NzueBtBNkM7zhS0V6tn87D3HrNh0IGL+g IIKg==
X-Gm-Message-State: AJIora+Ei33DdtiDJCnJb4JI+ygpmB6WnUiJ+y2RJHvhXnaE4Lw5SaCq aMs6natRXXbUJkCN0YT/0cPiZFlVWfipK388GFOSZw==
X-Google-Smtp-Source: AGRyM1vVOUBsR2WGgInFMjJNso/1KXViHuK/o/Vzdm7kTUyV6Sc9sHZ5yAA27QWzXrOoG/Zryeaala5fvEZBticekSY=
X-Received: by 2002:a05:6870:b40a:b0:101:a393:4cb9 with SMTP id x10-20020a056870b40a00b00101a3934cb9mr3634754oap.12.1656013363150; Thu, 23 Jun 2022 12:42:43 -0700 (PDT)
MIME-Version: 1.0
References: <CABKBHwe5vAreog+_3dGCtUY8=f-Qa5UZDnEV8aToFYQQ9uSBvQ@mail.gmail.com>
In-Reply-To: <CABKBHwe5vAreog+_3dGCtUY8=f-Qa5UZDnEV8aToFYQQ9uSBvQ@mail.gmail.com>
From: Ted Lemon <mellon@fugue.com>
Date: Thu, 23 Jun 2022 12:42:07 -0700
Message-ID: <CAPt1N1mP7mfKebsHmB0R6WSpT7PTbb8W335st+CuSkQzsrS_KA@mail.gmail.com>
To: Fred Baker <fredbaker.ietf@gmail.com>
Cc: v6ops list <v6ops@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000041175105e222a888"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/q04OmUHHcTdEHny828N-FCeLWfA>
Subject: Re: [v6ops] draft-hunek-v6ops-nat64-srv
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jun 2022 19:42:49 -0000
Quick review of the document: There is a quick fix provided by the [RFC8880] that the Well-Known name > should be treated differently - resolved by autoconfigured resolver on a > specific outbound interface only. However, this would mean that the > application/system stub resolver has to keep track of the source of > configured DNS resolvers, which may be an unrealistic expectation. It is generally the case that a resolver such as DoH that attempts to look up special-use domains such as "ipv4only.arpa," "home.arpa," etc will fail and provide a bad user experience. The point being, resolvers already have to solve this problem—it's not specific to IPv4only.arpa. Another design property of the [RFC7050] is its incompatibility with the > DNSSEC. In order for [RFC7050] to work, the DNSSEC has to be turned off, > and even the detection phase of this method could not use it to verify the > provided information. As the network operator does not own the 'arpa.' > domain, it cannot properly sign the AAAA record for the Well-Known Name. > Because of it, the first step of the NAT64 prefix detection is always > insecure. This is certainly true. Not clear why it's a problem, but it's true. E.g., we don't do DNSSEC to validate IP routes. NAT64 is essentially IP routing technology. Why do we need more security for NAT64 than for plain old IP? It is fair to say that these methods are viable solutions for system-level > NAT64 prefix detection - implementations of a system DNS stub resolver or > CLAT daemon. These methods are not so easy to implement for user-space > applications and daemons that are not so tightly integrated into an > operating system. When does it even make sense for an Application to do NAT64? Why is this being handled by an application? Can you cite a use case for this? After section 3, we skip straight to implementation without actually describing the problem that needs to be solved or why it needs to be solved. This should have been the first thing this document did. The proposed solution is not actually secure: the PTR delegation is not likely to exist in many cases, so the "application" will have to have a fall-back mechanism, and that won't be secure. Also, if the network is numbered from RFC1918 or ULA, there can't be a secure delegation of the PTR zone. Also, the document clearly excludes the application doing DNSSEC validation, so isn't the application trusting the resolver anyway? In addition, we never see a motivation for why we want this complex solution, with multiple possible NAT64 services that the client has to pick and choose from. We don't make the client pick and choose from different "network route services" if it's not doing NAT64. Why is this wanted if it _is_ doing NAT64? Bottom line: I have no idea what problem this document is trying to solve, and if there is such a problem, it's not clear to me that the document solves it, not even that it can be solved for the domain in which the document purports to be solving it. On Sun, Jun 12, 2022 at 11:01 AM Fred Baker <fredbaker.ietf@gmail.com> wrote: > With this email, let me invite commentary on draft-hunek-v6ops-nat64-srv. > Please read the draft and raise any issues you might have with it. > _______________________________________________ > v6ops mailing list > v6ops@ietf.org > https://www.ietf.org/mailman/listinfo/v6ops >
- [v6ops] draft-hunek-v6ops-nat64-srv Fred Baker
- Re: [v6ops] draft-hunek-v6ops-nat64-srv Ted Lemon
- Re: [v6ops] draft-hunek-v6ops-nat64-srv David Schinazi
- Re: [v6ops] draft-hunek-v6ops-nat64-srv Tommy Pauly
- Re: [v6ops] draft-hunek-v6ops-nat64-srv Martin Huněk
- Re: [v6ops] draft-hunek-v6ops-nat64-srv Ted Lemon