
Re: SIIT/NAT64 is similar to RSIP



>> 	i do not really think it a major advantage.
>> 	if you can use "AD is secure" proposal and let the NAT-PT box validate
>> 	DNSSEC signature, we can get the same effect with NAT-PT.
>Using "AD is secure" adds extra complexity.

	then why is "AD is secure" proposed?  it is to avoid implementing
	complex crypto operations in every resolver implementation.

>Another big issue with NAT-PT: you cannot use it
>to enable an IPv6-only resolver to query data from
>an IPv4-only DNS server... (in the general issue to make
>DNS interoperate smoothly between IPv4 & IPv6 only worlds)

	as long as DNS-ALG is IPv4/v6 dual stack, it should be okay.

>Also, as I explained earlier, NAT64 scales better.

	with NAT-PT you can do the same, with multiple DNS-ALG returning
	different address prefixes. (it is documented in TRT RFC)

>> 	one big disadvantage: abuses IPv4 mapped address.
>you still haven't convinced me about the severity of those problems.
>I think I made clear today that those issues can be addressed.

	i disagree, this is not just a firewall issue.  it affects end nodes
	and applications.  and it is impractical to ask every application to
	implement IN6_IS_ADDR_V4MAPPED() goofs.

itojun
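
The per-application check the message refers to, as an added example that is not part of the original post: an address policy that unwraps IPv4-mapped addresses with IN6_IS_ADDR_V4MAPPED() before applying its IPv4 rules, beside a variant that omits the check. The deny ranges, function names and sample addresses are assumptions constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical IPv4 policy: deny 10.0.0.0/8 and 127.0.0.0/8. */
static int ipv4_denied(uint32_t host_order)
{
    uint32_t top = host_order >> 24;
    return top == 10 || top == 127;
}

/* 1 = reject peer, 0 = allow, -1 = not a valid address literal. */
static int classify(const char *text, int check_mapped)
{
    struct in_addr a4;
    struct in6_addr a6;

    if (inet_pton(AF_INET, text, &a4) == 1)
        return ipv4_denied(ntohl(a4.s_addr));
    if (inet_pton(AF_INET6, text, &a6) != 1)
        return -1;
    if (check_mapped && IN6_IS_ADDR_V4MAPPED(&a6)) {
        /* ::ffff:a.b.c.d carries the IPv4 address in the last 4 bytes. */
        uint32_t v4;
        memcpy(&v4, &a6.s6_addr[12], sizeof v4);
        return ipv4_denied(ntohl(v4));
    }
    return IN6_IS_ADDR_LOOPBACK(&a6) ? 1 : 0;
}

/* Policy applied with the mapped-address check. */
int peer_denied(const char *text) { return classify(text, 1); }

/* Same policy without the check: mapped addresses are treated as plain IPv6. */
int peer_denied_naive(const char *text) { return classify(text, 0); }

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "10.1.2.3", "::ffff:10.1.2.3",
                              "::ffff:192.0.2.1", "2001:db8::1", "::1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s checked=%d naive=%d\n", samples[i],
               peer_denied(samples[i]), peer_denied_naive(samples[i]));
    return 0;
}
```

The two variants disagree only on the mapped form of a denied IPv4 address, which is the case every address-handling application would have to cover separately.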