
Re: v6ops-nat64-pb-statement-req: DNSSEC requirement



marcelo bagnulo braun <marcelo@it.uc3m.es> writes:

> Thomas Narten wrote:
> > marcelo bagnulo braun <marcelo@it.uc3m.es> writes:
> >
> >   
> >> if the verification is performed before the synthesis of the RR and 
> >> there is a trust relationship between the receiver and the node that has 
> >> performed the verification and synthesis, this should do it.
> >>     
> >
> > Well, yes, but there are an awful lot of ifs in the above. Certainly
> > more than are appropriate for the original MUST requirement.
> >
> >   
> but what I was describing here is a solution that describes that this is 
> possible and so it makes sense to keep the requirement.
> There may be other solutions that also satisfy the requirement,

Sorry, but no. If you have a simple MUST as a requirement, you can't
have the solution involve a bunch of ifs that will not be true in
general, and/or that change the meaning of meeting the requirement.

DNSSEC is about e2e security. The recipient of the data (the DNS
querier), using DNSSEC, is able to verify that the data has not been
modified. This is no longer true in the solution outline you proposed
above.

Hence, the requirement needs to be significantly expanded upon and/or
clarified. Otherwise, people will assume it means X, when others
assume it actually means Y.


> >> In particular, if everything happens at the end node, we are in
> >> business, right?  (i.e. the v6 end node asks for the A RR, performs
> >> the DNSSEC validation and then internally generates the v6 address)
> >>     
> >
> > Ahem. If the end node is doing this, why isn't it just doing dual
> > stack? After all, it (or rather the embedded translator) is sending
> > out IPv4...
> >   
> cause the main scenario that we are targeting here is the case where the 
> source node has no v4 address configured in its stack, so it cannot send 
> v4 packets.

What exactly is the difference between a node that has no IPv4 address
configured (so that it can not just use dual stack) and that same node
with an embedded translator attached to it that does send out IPv4
(after translation - and hence, has to have an IPv4 address
configured)? From what I can see, in both cases the node has an IPv4
address and the directly attached network is IPv4 enabled. In that
case, dual-stack seems like the obvious thing to use. I certainly
wouldn't think a translator is needed here...

> I am lately thinking that we need two different lists of requirements 
> one for v4 initiated communications and another one for v6 initiated 
> communications especially for dealing with dns requirements. In v4 
> initiated communications the state in the nat box has close relationship 
> with the RR synthesis, while in v6 initiated communication they are 
> completely decoupled, which makes possible to satisfy most of the dns 
> requirements.

If the requirements are different in the two directions, then yes, two
separate requirements are needed. You can't have a general requirement
(that implicitly implies a solution in both directions) when a
solution in one direction can't be made to work.

Thomas
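As an added illustration of the end-to-end point argued in this message (example code, not part of the thread), the following Python model shows why the two placements of synthesis differ: the zone's signature covers the A RRset only, so a AAAA synthesized by a middlebox cannot be validated by the receiver, while a node that validates the A record itself and synthesizes the IPv6 address locally keeps verification end-to-end. The HMAC stand-in for RRSIG/DNSKEY validation, the /96 synthesis prefix, and all names, keys and addresses are assumptions made for this example.

```python
import hashlib
import hmac
import ipaddress

# Constructed stand-in for DNSSEC: an HMAC over the canonical RRset plays the
# role of RRSIG/DNSKEY. Real DNSSEC uses public-key signatures, but the property
# demonstrated here is the same: the signature covers the A RRset as published
# by the zone, and nothing a middlebox synthesizes afterwards.
ZONE_KEY = b"constructed-example-zone-key"


def canonical(owner, rrtype, rdata):
    """Canonical form of an RRset: owner, type and sorted RDATA (simplified)."""
    return (owner.lower() + "|" + rrtype + "|" + "|".join(sorted(rdata))).encode()


def sign_rrset(owner, rrtype, rdata):
    return hmac.new(ZONE_KEY, canonical(owner, rrtype, rdata), hashlib.sha256).hexdigest()


def validate(owner, rrtype, rdata, sig):
    return hmac.compare_digest(sign_rrset(owner, rrtype, rdata), sig)


def synthesize_aaaa(pref64, ipv4):
    """Embed an IPv4 address in the low 32 bits of a /96 IPv6 prefix (assumed format)."""
    net = ipaddress.IPv6Network(pref64)
    if net.prefixlen != 96:
        raise ValueError("synthesis prefix must be a /96")
    return str(ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4))))


def resolve_via_middlebox(owner, a_rdata, a_sig, pref64):
    """A middlebox synthesizes the AAAA RRset and forwards the original RRSIG.

    The end node only sees the synthesized AAAA data; the signature it holds
    was computed over the A RRset, so validation of the AAAA cannot succeed.
    """
    aaaa = [synthesize_aaaa(pref64, ip) for ip in a_rdata]
    return aaaa, validate(owner, "AAAA", aaaa, a_sig)


def resolve_at_end_node(owner, a_rdata, a_sig, pref64):
    """The end node validates the signed A RRset first, then synthesizes locally.

    Returns (addresses, validated); modified A data is rejected before synthesis.
    """
    if not validate(owner, "A", a_rdata, a_sig):
        return None, False
    return [synthesize_aaaa(pref64, ip) for ip in a_rdata], True
```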