
Re: NAT64 and DNSSec



On 2008-03-29 05:44, marcelo bagnulo wrote:
> Hi George,
> 
> 
> George Tsirtsis wrote:
>> Hi Marcelo,
>>
>> I think it is important to decide up front on whether NAT64 will
>> require specific behavior from the IPv6-only nodes behind it or not.
>> v4NATs have proliferated because they are (almost) invisible to IPv4
>> nodes behind them.
>>
>>   
> 
> as currently defined the requirements allow modifications in the v6 side
> 
> (My personal opinion, is that a good mechanism should work with legacy
> (v4 and v6) hosts but it would benefit from additional features if the
> host is upgraded. For instance, DNSSec validation. For a legacy host it
> is not possible, but the mechanism should allow that if the host is
> updated, then it can restore the lost functionality.

I think we should aim for the "first, do no harm" principle
which indeed means

1. "no impact worse than NAT44" for the IPv4 host (i.e. no
   changes needed in the IPv4 host stack, but contortions
   like STUN and ICE may be needed).

2. "no loss of connectivity for legacy IPv6" (i.e. an
   unchanged IPv6 stack should see nothing worse than what
   it sees with old NAT-PT).

But certainly an updated IPv6 stack should see an improvement
on old NAT-PT, and authenticated DNS replies would be an
improvement.

    Brian