IETF Logo Mail Archive

Re: [v6ops] Supporting IPv6-only Networks with NAT64 and DNS64 section of draft-ietf-v6ops-rfc6555bis-01

<mohamed.boucadair@orange.com> Thu, 29 June 2017 07:03 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37026127775 for <v6ops@ietfa.amsl.com>; Thu, 29 Jun 2017 00:03:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.398
X-Spam-Level:
X-Spam-Status: No, score=-5.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-2.8, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xyHaK0OP2vYB for <v6ops@ietfa.amsl.com>; Thu, 29 Jun 2017 00:03:24 -0700 (PDT)
Received: from relais-inet.orange.com (mta241.mail.business.static.orange.com [80.12.66.41]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F57D129ACC for <v6ops@ietf.org>; Thu, 29 Jun 2017 00:03:24 -0700 (PDT)
Received: from opfedar06.francetelecom.fr (unknown [xx.xx.xx.8]) by opfedar23.francetelecom.fr (ESMTP service) with ESMTP id 5AE59160605; Thu, 29 Jun 2017 09:03:22 +0200 (CEST)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.63]) by opfedar06.francetelecom.fr (ESMTP service) with ESMTP id 3CCC08006A; Thu, 29 Jun 2017 09:03:22 +0200 (CEST)
Received: from OPEXCLILMA3.corporate.adroot.infra.ftgroup ([fe80::60a9:abc3:86e6:2541]) by OPEXCLILM6E.corporate.adroot.infra.ftgroup ([::1]) with mapi id 14.03.0352.000; Thu, 29 Jun 2017 09:03:21 +0200
From: mohamed.boucadair@orange.com
To: "Rajiv Asati (rajiva)" <rajiva@cisco.com>, "stephan.lagerholm@yahoo.com" <stephan.lagerholm@yahoo.com>
CC: IPv6 Ops WG <v6ops@ietf.org>
Thread-Topic: [v6ops] Supporting IPv6-only Networks with NAT64 and DNS64 section of draft-ietf-v6ops-rfc6555bis-01
Thread-Index: AQHS8CPvoUwFnRQpqU+Scvtd7jgqBqI61B6NgACnfQCAABRagIAACq+A///EfWeAAAtL0A==
Date: Thu, 29 Jun 2017 07:03:21 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B933009FFCDA0@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
References: <149670589074.3841.10812713591494006570@ietfa.amsl.com> <C22244D7-ABF6-430B-8155-8D4C1C1382DF@apple.com> <FA0D06E7-47F9-4029-81D4-2D96BFDD5576@consulintel.es> <65F3C8F4-6533-4C15-83F9-64AFC0EFFA79@apple.com> <4AC6726C-142E-48E5-95CF-2C3AD3331441@consulintel.es> <738488839.469942.1498664001646@mail.yahoo.com> <20170628220025.4FA447CB2073@rock.dv.isc.org> <280023835.899017.1498705302254@mail.yahoo.com> <47F7A2D8-9516-4E25-A673-40D6293B7CE7@isc.org>, <901072900.951551.1498711968004@mail.yahoo.com> <6450146D-C8AC-4557-8644-00EAB868E8E6@cisco.com>
In-Reply-To: <6450146D-C8AC-4557-8644-00EAB868E8E6@cisco.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.168.234.1]
Content-Type: multipart/alternative; boundary="_000_787AE7BB302AE849A7480A190F8B933009FFCDA0OPEXCLILMA3corp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/vw_AoZ5-V4qCqGuIyMfemLcXaqg>
Subject: Re: [v6ops] Supporting IPv6-only Networks with NAT64 and DNS64 section of draft-ietf-v6ops-rfc6555bis-01
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jun 2017 07:03:26 -0000

Hi Rajiv,

Please see inline.

Cheers,
Med

De : v6ops [mailto:v6ops-bounces@ietf.org] De la part de Rajiv Asati (rajiva)
Envoyé : jeudi 29 juin 2017 08:20
À : stephan.lagerholm@yahoo.com
Cc : IPv6 Ops WG
Objet : Re: [v6ops] Supporting IPv6-only Networks with NAT64 and DNS64 section of draft-ietf-v6ops-rfc6555bis-01

Perhaps, have section 7 for IPv6-only network with 2 sub-sections -

7.1 pointing out transition technologies such as 464XLAT based on DNS64/NAT64 that breaks DNSSEC for v4 destinations.

7.2 pointing out that MAP-T/E not breaking DNSSEC since there is no DNS64 involved.
[Med] This is also true for other solutions, including NAT64. See, for example:

·         https://tools.ietf.org/html/rfc6147#section-5.5

·         https://tools.ietf.org/html/rfc7225#section-3.1


I still think it should be outside the scope of this draft to tackle DNSSEC related issues when using DNS64.

Agreed.

Cheers,
Rajiv Asati
Distinguished Engineer, Cisco Services


On Jun 28, 2017, at 9:53 PM, "stephan.lagerholm@yahoo.com<mailto:stephan.lagerholm@yahoo.com>" <stephan.lagerholm@yahoo.com<mailto:stephan.lagerholm@yahoo.com>> wrote:
Hi Mark,
>        Mark Andrews <marka@isc.org<mailto:marka@isc.org>>
>
>> On 29 Jun 2017, at 1:01 pm, stephan.lagerholm@yahoo.com<mailto:stephan.lagerholm@yahoo.com> wrote:
>>
>> Hi Mark,
>>
>> >From: Mark Andrews <marka@isc.org<mailto:marka@isc.org>>
>> >> In message <738488839.469942.1498664001646@mail.yahoo.com<mailto:738488839.469942.1498664001646@mail.yahoo.com>>, "stephan.lagerholm@yahoo.com<mailto:stephan.lagerholm@yahoo.com>" writes:
>> >> Hi David,
>> >> Thanks for adding the Supporting IPv6-only Networks with NAT64 and DNS64
>> >> section, I find it useful. However I don't think the below sentence from
>> >> this section is accurate. I can't think of any changes that are needed on
>> >> a client device to run NAT64/DNS64.
>> >
>> >Well you obviously don't have any devices doing DNSSEC validation.
>> >DNS64 breaks DNSSEC as it changes the DNS responses from NOERROR
>> >NODATA to NOERROR DATA by synthesizing a AAAA RRset.  This from the
>> >client's perspective is not different than forging a fake AAAA RRset
>> >that is trying to hijack the traffic stream.
>>
>> This case and the remedy is already covered in RFC 6147 section 3. I don't think it makes sense to bring it up in this draft.
>
>RFC 6147 states that end devices need to be upgraded.  Yes
>this is in contradiction to itself where it states that they don't need
>to be upgraded.
>
>Section 5.5.
>
>      The disadvantage to this approach is that an end point that is
>      translation-oblivious but security-aware and validating will not
>      be able to use the DNS64 functionality.  In this case, the end
>      point will not have the desired benefit of NAT64.  In effect,
>      this strategy means that any end point that wishes to do
>      validation in a NAT64 context must be upgraded to be
>      translation-aware as well.
>
>Then you have 5.5.3, turn a DNSSEC MUST NOT into a MAY
>and in doing so completely defeating the purpose of the "MUST NOT"
>on CD=1 which is to get answers which are incorrectly being rejected
>by the upstream validating resolver.
>
>      "then vDNS64 MAY perform validation,"
>
>Then you have changes to the purpose of CD which don't work
>with TTL=0 answers.
>
>The whole IETF seems to think that DNS64/NAT64 works well.  It
>doesn't when you need to use the protections that DNSSEC
>provides.  It works ok if everything else is correctly configured and
>there are no active attacks on the recursive DNS servers happening.

I agree that it does not work well if you validate on the stub resolver side. I can imagine that you could do an RFC7050 query within your validator, strip the pref64 and then validate the A record. I still think it should be outside the scope of this draft to tackle DNSSEC related issues when using DNS64. It is not going to add any clarity to Happy Eyeballs to have text around DNSSEC related issues that remains unchanged with or without this draft being implemented. I'm happy to work on an rfc6174bis with you.

/Stephan
_______________________________________________
v6ops mailing list
v6ops@ietf.org<mailto:v6ops@ietf.org>
https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email