
Re: [RRG] Mitigating the Downsides of NAT'ing



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi David,

comments in between.

David Conrad wrote:
> Matthijs,
> 
> On Mar 25, 2008, at 3:12 AM, Matthijs Mekking wrote:
>>>     (1a)  Both edge and transit addresses are returned in standard
>>>           A/AAAA records, and extra (newly defined) "E/EEEE" records
>>>           indicate which ones are edge addresses.  The DNS proxy
>>>           forwards only the A/AAAA records that include edge
>>>           addresses to the resolver.  This is compatible with DNSSEC
>>>           because forwarded records are unchanged.
>>
>> This will actually break DNSSEC. If I'm correct, signatures are
>> generated over the whole RRset, and if you only forward a part of the
>> RRset, the validation will fail.
> 
> An RRset is defined (in RFC 2181) to be all records of the same label,
> class, and type.  The E/EEEE records would be of a different type and
> thus would be outside of the A/AAAA RRset over which the signature would
> be generated.  

Correct, but this doesn't address my concern. Suppose the resolver
queries for AAAA records. The Six/One proxy will then query the DNS for
AAAA and EEEE records. It receives both RRsets. It checks the signature
for the AAAA RRset and the signature for the EEEE RRset. So far so good.
Now it checks which AAAA record holds the identifier, by comparing the
AAAA set with the EEEE set. It only forwards to the resolver the AAAA
records that hold identifiers, not the AAAA records that hold
locators. The resolver cannot validate the signature for the AAAA set,
since not all AAAA records were provided to it (only the ones holding
identifiers).

> Of course there would be no verifiable binding between
> the two (not sure that matters).

I think if you trust the authoritative nameserver, the signatures will
be sufficient.

Regards,

Matthijs Mekking
matthijs@nlnetlabs.nl
Foundation NLnet Labs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFH66pzIXqNzxRs6egRAtGxAJ9jUIWmGS+t+lQAkOvLdYN+XApuPQCdEniu
QXbs7+RH8jYp327/0BYlkYw=
=e7XG
-----END PGP SIGNATURE-----
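The failure Matthijs describes, as an added worked example (it is not from the RRG thread, nor from any Six/One proxy implementation). The script builds the octets an RRSIG actually covers per RFC 4034 (the RRSIG RDATA minus the Signature field, followed by every RR of the set in canonical form and canonical order), "signs" an AAAA RRset and an EEEE RRset, lets the proxy validate both, then shows that a resolver handed only the filtered AAAA subset plus the original RRSIG cannot reproduce the signed data. Assumptions: HMAC-SHA256 stands in for the DNSKEY/RRSIG public-key algorithm (the point is what the signature covers, not how it is computed); the thread's EEEE type has no assigned code, so a private-use type number is used; the addresses, zone key and signature timestamps are constructed.

```python
"""Why forwarding only part of an RRset breaks DNSSEC validation.

Added example, not from the RRG thread or any Six/One implementation.
It builds the data an RRSIG covers (RFC 4034 section 3.1.8: the RRSIG
RDATA with the Signature field omitted, followed by every RR of the set
in canonical form and order), "signs" it, and shows that a validator
given the proxy's filtered AAAA subset can no longer reproduce that data.
HMAC-SHA256 is a stand-in for the DNSKEY/RRSIG public-key algorithm.
"""
import hashlib
import hmac
import ipaddress
import struct

CLASS_IN = 1
TYPE_AAAA = 28
TYPE_EEEE = 65280    # assumption: the thread's EEEE type has no code; private-use value
ALG_PRIVATE = 253    # PRIVATEDNS algorithm number, marking the HMAC stand-in as non-standard
ZONE_KEY = b"constructed zone signing key"   # constructed; a real zone uses a DNSKEY pair


def name_to_wire(name):
    """Canonical wire form of a name (RFC 4034 6.2): lowercase, uncompressed labels."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def canonical_rrset(owner, rtype, ttl, rdatas):
    """All RRs of one RRset in canonical form and order (RFC 4034 6.3):
    RDATA sorted as octet strings, each RR as owner|type|class|TTL|rdlength|rdata."""
    wire_owner = name_to_wire(owner)
    return b"".join(
        wire_owner + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rd)) + rd
        for rd in sorted(rdatas)
    )


def rrsig_prefix(owner, rtype, ttl, signer, inception, expiration, key_tag):
    """RRSIG RDATA with the Signature field omitted (RFC 4034 3.1)."""
    labels = len([l for l in owner.rstrip(".").split(".") if l])
    return struct.pack("!HBBIIIH", rtype, ALG_PRIVATE, labels, ttl,
                       expiration, inception, key_tag) + name_to_wire(signer)


def signed_data(owner, rtype, ttl, rdatas, prefix):
    """Exactly the octets the RRSIG covers: RRSIG prefix || canonical RRset."""
    return prefix + canonical_rrset(owner, rtype, ttl, rdatas)


def sign_rrset(key, owner, rtype, ttl, rdatas, prefix):
    """Stand-in signer: HMAC over the covered octets instead of a DNSKEY signature."""
    return hmac.new(key, signed_data(owner, rtype, ttl, rdatas, prefix), hashlib.sha256).digest()


def verify_rrset(key, owner, rtype, ttl, rdatas, prefix, signature):
    """What a validating resolver does: rebuild the signed data from the RRs it was given."""
    expected = sign_rrset(key, owner, rtype, ttl, rdatas, prefix)
    return hmac.compare_digest(expected, signature)


def proxy_filter(aaaa_rdatas, eeee_rdatas):
    """The option (1a) proxy: forward only AAAA records whose address also appears in EEEE."""
    edge = set(eeee_rdatas)
    return [rd for rd in aaaa_rdatas if rd in edge]


def run():
    owner, ttl = "host.example.", 3600
    edge = ipaddress.IPv6Address("2001:db8:1::1").packed     # constructed edge (identifier) address
    transit = ipaddress.IPv6Address("2001:db8:2::1").packed  # constructed transit (locator) address
    aaaa = [transit, edge]   # the authoritative AAAA RRset holds both addresses
    eeee = [edge]            # the EEEE RRset marks which one is the edge address

    common = dict(signer="example.", inception=1206000000, expiration=1208592000, key_tag=12345)
    aaaa_prefix = rrsig_prefix(owner, TYPE_AAAA, ttl, **common)
    eeee_prefix = rrsig_prefix(owner, TYPE_EEEE, ttl, **common)
    aaaa_sig = sign_rrset(ZONE_KEY, owner, TYPE_AAAA, ttl, aaaa, aaaa_prefix)
    eeee_sig = sign_rrset(ZONE_KEY, owner, TYPE_EEEE, ttl, eeee, eeee_prefix)

    forwarded = proxy_filter(aaaa, eeee)   # only the edge address survives
    return {
        # the proxy holds both complete RRsets, so both signatures check out
        "proxy_aaaa": verify_rrset(ZONE_KEY, owner, TYPE_AAAA, ttl, aaaa, aaaa_prefix, aaaa_sig),
        "proxy_eeee": verify_rrset(ZONE_KEY, owner, TYPE_EEEE, ttl, eeee, eeee_prefix, eeee_sig),
        # wire order is irrelevant: canonical ordering normalises it before signing
        "reordered": verify_rrset(ZONE_KEY, owner, TYPE_AAAA, ttl, list(reversed(aaaa)), aaaa_prefix, aaaa_sig),
        # the resolver behind the proxy gets the subset plus the original RRSIG: validation fails
        "resolver_subset": verify_rrset(ZONE_KEY, owner, TYPE_AAAA, ttl, forwarded, aaaa_prefix, aaaa_sig),
        "forwarded_count": len(forwarded),
    }


if __name__ == "__main__":
    print(run())
```

Note that the proxy's own checks pass and that reordering the RRs does not hurt, because RFC 4034 canonical ordering fixes the order before the signature is computed; removing an RR, however, changes the covered octets, so no resolver can validate the AAAA subset against the unchanged RRSIG unless the proxy re-signs with a key the resolver trusts.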

--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg