Re: v6ops-nat64-pb-statement-req: DNSSEC requirement
Thomas Narten wrote:
marcelo bagnulo braun <marcelo@it.uc3m.es> writes:
if the verification is performed before the synthesis of the RR and
there is a trust relationship between the receiver and the node that has
performed the verification and synthesis, this should do it.
Well, yes, but there are an awful lot of ifs in the above. Certainly
more than are appropriate for the original MUST requirement.
but what i was describing here is a solution to describe that this is
possible and so it makes sense to keep the requirement
there may be other solutions that also satisfy the requirement,
In particular, if everything happens at the end node, we are in
business, right? (i.e. the v6 end node asks for the A RR, performs
the dnssec validation and then internally generates the v6 address)
Ahem. If the end node is doing this, why isn't it just doing dual
stack? After all, it (or rather the embedded translator) is sending
out IPv4...
cause the main scenario that we are targeting here is the case where the
source node has no v4 address configured in its stack, so it cannot send
v4 packets.
it is not so trivial for the v4 case though (actually i think it is not
possible for the v4 case, hence the question mark)
In other words, the MUST needs some serious scoping. If it makes
sense at all.
I'm still not sure this requirement is achievable in practice.
my take is that this is possible to achieve for v6 initiated
communications (i.e. when AAAA RR are synthesized)
I don't think that it is achievable for v4 initiated communications
(i.e. when A RR are synthesized)
I am lately thinking that we need two different lists of requirements
one for v4 initiated communications and another one for v6 initiated
communications especially for dealing with dns requirements. In v4
initiated communications the state in the nat box has close relationship
with the RR synthesis, while in v6 initiated communication they are
completely decoupled, which makes it possible to satisfy most of the dns
requirements.
so, what do you think?
regards, marcelo
So I'm
not at all sure it is appropriate to make it a MUST, at least not
without a lot more text explaining what is meant.
Thomas