[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NAT64 and DNSSec

To: marcelo bagnulo <marcelo@it.uc3m.es>
Subject: Re: NAT64 and DNSSec
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Thu, 27 Mar 2008 10:04:36 +0100
Cc: v6ops@ops.ietf.org, Kurt Erik Lindqvist <kurtis@kurtis.pp.se>, joao@isc.org, Liman Lars-Johan <liman@autonomica.se>, Ihrén Johan <johani@autonomica.se>, mcr@sandelman.ca, Mark_Andrews@isc.org
In-reply-to: <47EA94A0.20503@it.uc3m.es>
References: <47EA94A0.20503@it.uc3m.es>

On 26 mrt 2008, at 19:23, marcelo bagnulo wrote:

We have v4 initiated communications and v6 intiiated communications.
In v6 initiated communications, the DNS reply will be recieved by av6-only node and will contain a AAAA record. This will be asynthetic AAAA record containe a v6 address. It is possible that thev6 address is some for of v4 mapped addresses, so it would bepossible to validate the synthtic AAAA record from the original Arecord, (if the v6 prefix is well known)


Right. However, this requires changes on the v6 host.

In v4 initiated communications, we are not so lucky, cause the replywill be a synthtic A record, contianing a v4 address, that is likelyto be the one of the translator, and has no relation with theoriginal v6 address.


What kind of solution do you have in mind here?

For v6->v4, the IPv4 address is mapped to IPv6 space locally. I.e., ifyou connect to the network elsewhere, you see a different mapping.This is easy because a 32 bit space fits into a 128 bit space 2^96times.

However, for v4->v6 there aren't even enough IPv4 address bits to mapthe IPv6 space into the IPv4 space _once_, let alone multiple times inmultiple locations. If, on the other hand, we map a subset of the IPv6space into the IPv4 space once, this mapping is globally unique so itcan be published in the DNS, which means that it can be signed withDNSSEC.

- Level 2: another option is to include both the EDNS0 tag and alsothe original information of the original RR, including the originaladdress and the signature information. this would allow to verifythe original packet, but then we need to verify the binding betweenthe original address and the one actually included int eh syntheticDNS RR. In the case of v6 initiated communications, this is possiblecause the v6 address included in the synthtic record is related tothe original v4 address.

Right, and then a NAT-PT/DNSSEC aware host can perform the DNSSECchecks and the only thing it has to take on faith are the 96 top bitsin the synthetic response.


These bits could be signed in some way, too, if desired.

Follow-Ups:
- Re: NAT64 and DNSSec
  - From: marcelo bagnulo <marcelo@it.uc3m.es>

References:
- NAT64 and DNSSec
  - From: marcelo bagnulo <marcelo@it.uc3m.es>

Prev by Date: [Fwd: [BEHAVE] ICE and v4v6NATs]
Next by Date: Re: multihoming requirement and NAT64
Previous by thread: NAT64 and DNSSec
Next by thread: Re: NAT64 and DNSSec
Index(es):
- Date
- Thread