Re: [v6ops] NAT64/DNS64 and DNSSEC

Philip Homburg <pch-v6ops-3@u-1.phicoh.com> Wed, 29 July 2015 13:13 UTC

To: v6ops@ietf.org
From: Philip Homburg <pch-v6ops-3@u-1.phicoh.com>
In-reply-to: Your message of "Wed, 29 Jul 2015 12:43:17 +0000 ." <787AE7BB302AE849A7480A190F8B933005370CFE@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
Date: Wed, 29 Jul 2015 15:13:32 +0200
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/rGDPrXvTTPoYXR_RlY_J9XhrhcM>
Subject: Re: [v6ops] NAT64/DNS64 and DNSSEC

In your letter dated Wed, 29 Jul 2015 12:43:17 +0000 you wrote:
>I forgot to mention that behave WG analyzed the use of DHCP and RA as
>candidate solutions. See the analysis available at:
>
>* RA: https://tools.ietf.org/html/rfc7051#section-5.7
>* DHCPv6: https://tools.ietf.org/html/rfc7051#section-5.6

Seems like a really poor analysis from a security point of view. 
- DNSSEC is not taken into account
- The existing need for RA security is ignored when introducing another way
  to attack the system.

The idea to piggyback the NAT64 prefix in PCP is nice if PCP is widely 
deployed, but I'm not sure it is widely deployed enough to rely on it.

Note that if a host takes the NAT64 from PCP then all networks have to protect
PCP whether they use it or not.
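Added illustration (example code written for this archive page, not from the thread or from any DNS64 or PCP implementation it mentions): a host that wants DNSSEC to survive NAT64 has to synthesize AAAA records itself from an A RRset it has validated, using the RFC 6052 address mapping with the prefix it learned from RA, DHCPv6 or PCP. The code below does that mapping in both directions; the learned prefix is the one input no DNSSEC signature covers, which is the attack surface the message is pointing at. The prefix values are RFC 6052 documentation examples; the `dnssec_validated` flag stands in for a real validator's result.

```python
import ipaddress

WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")  # RFC 6052, section 2.1
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)             # RFC 6052, section 2.2


def synthesize(prefix: ipaddress.IPv6Network,
               v4: ipaddress.IPv4Address) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in a NAT64 prefix (RFC 6052, section 2.2).
    Bits 64..71 form the 'u' octet and must stay zero, so for prefixes
    shorter than /96 the IPv4 bits are split around it."""
    p = prefix.prefixlen
    if p not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{p}")
    pfx, v4i = int(prefix.network_address), int(v4)
    if p == 96:
        return ipaddress.IPv6Address(pfx | v4i)
    high_bits = 64 - p            # IPv4 bits that fit before the u octet
    low_bits = 32 - high_bits     # IPv4 bits placed after it (from bit 72)
    high = v4i >> low_bits
    low = v4i & ((1 << low_bits) - 1)
    return ipaddress.IPv6Address(pfx | (high << 64) | (low << (56 - low_bits)))


def extract(prefix: ipaddress.IPv6Network,
            v6: ipaddress.IPv6Address) -> ipaddress.IPv4Address:
    """Inverse of synthesize(): recover the embedded IPv4 address, rejecting
    addresses outside the prefix or with a non-zero u octet."""
    if v6 not in prefix:
        raise ValueError("address is not inside the NAT64 prefix")
    a, p = int(v6), prefix.prefixlen
    if p == 96:
        return ipaddress.IPv4Address(a & 0xFFFFFFFF)
    if (a >> 56) & 0xFF:
        raise ValueError("u octet is not zero")
    high_bits = 64 - p
    low_bits = 32 - high_bits
    high = (a >> 64) & ((1 << high_bits) - 1)
    low = (a >> (56 - low_bits)) & ((1 << low_bits) - 1)
    return ipaddress.IPv4Address((high << low_bits) | low)


def local_dns64(prefix: ipaddress.IPv6Network, a_rrset: list[str],
                dnssec_validated: bool) -> list[ipaddress.IPv6Address]:
    """Host-side DNS64: synthesize only from an A RRset that passed DNSSEC
    validation. The prefix itself is taken on faith; DNSSEC cannot vouch for
    it, which is why how it was learned (RA, DHCPv6, PCP) matters."""
    if not dnssec_validated:
        raise ValueError("refusing to synthesize from an unvalidated A RRset")
    return [synthesize(prefix, ipaddress.IPv4Address(a)) for a in a_rrset]
```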