Re: on NAT-PT

[Alain Durand <Alain.Durand@Sun.COM>]

itojun@iijlab.net wrote:

> > > 	the failure mode with your proposal is a disaster.  what happens if
> > > 	your site do not provide IPv6-to-IPv4 translation with the hardcoded
> > > 	prefix?  your IPv6-only machine will try to connect to non-existent
> > > 	prefix, and the packet will travel to somewhere unknown.
> > >      
> > This prefix would have to be non globally routable
> > and should be filtered out at site boundary to avoid this issue.
> > This is not something catastrophic.
> > Actually, this is very similar to what you, Dave Thaler and I are proposing
> > for DNS stub resolver configuration.
> >    
> 	with DNS stub resolver configuration, only DNS resolver will be
> 	affected. 
And all application that rely on DNS... regardless of the destination.

> what you are proposing here will affect every application
> 	that use DNS resolver (since the DNS resolver attaches magic prefix
> 	to all the responsees from DNS).  there's big difference.
It only affecst v6-only applications on v6-only nodes that
want to sent packet to v4-only nodes. Regular communication
with IPv6 hosts is not affected.

> > > 	and with your plan, it seems that you are planning to reuse the same
> > > 	prefix in multiple locations (at least in different sites, and could be
> > > 	multiple locations within a site).  it will lead to unstable
> > > 	translation service as routing to the hardcoded prefix can flap and
> > > 	the packet to hardcoded prefix can reach a different translation box,
> > > 	the other translation box does not have the state info for the
> > > 	traffic, and the connection will be killed.
> > >      
> > Yes, but the next one will succeed. I think of this as a good property,
> > as in case of failure, not everything is lost, just current connections.
> >    
> 	what is the "next one" in your text above?  i was not talking about
> 	a connection attempt, but an existing TCP connection suddenly shut down
> 	by routing changes.
I think we are concerned about different things.
You express concerns about maintening an existing connection
in the event of a NAT box failure,
I'm concerned about mainteting 'usability of the Internet'
in the event of this failure. Many connections in the Internet
are short lived or can be easily restarted.
Example: in typical Web browsing usage, connections are very short.
To load a particular page, usually there are several connections
happening under the hood. If one fails, that's no big deal,
maibe a picture or an icon will not display and the user
will do 'refresh'. If we can make sure that when
the user does 'refresh', this new connection actually
works, I think we would have achieved a reasonable
level of reliability.

> > > 	DNS-ALG box and NAT-PT translation box are separate.  each of the
> > > 	NAT-PT translation box T1, T2, ... Tn are configured with certain
> > > 	(seaprate) IPv6 prefixes for each, P1, P2, .. Pn.  DNS-ALG box
> > > 	monitors which NAT-PT translation boxes are alive.  DNS-ALG will return
> > > 	fabricated AAAA response (for actual A response from the outside DNS
> > > 	authoritative server) using prefix Pi, when Ti is alive (it does not
> > > 	return AAAA with Pj if Tj is dead).
> > >      
> > So what happens if a host has started a communication using Pi/Ti
> > and Ti goes down? The communication dies and each subsequent
> > communications to the same destination fail until the DNS
> > cache on the host is flushed. This is a much worse failure mode
> > than the one discussed above.
> >    
> 	yes, if Ti goes down, connections that went through Ti will go down.
> 	however, many of the host resolver implementation do not cache DNS
> 	responses (luckily for translators, unluckily for DNS), so the next
> 	connection attempt will use something other than Ti.
This is not true for every implementation. In particular, ours does cache.
I do not think it is a good think to build a protocol based on the 
assumption
that DNS stub resolvers are stupid and do not cache.

> 	if you attack NAT-PT on this point, your proposal must have no state
> 	at all in your translation boxes.
I disagree. Re-read my paragraph about web browsing.
Stateless is always better, but if we need to introduce state,
we have to make sure that we mimimalized the impact in
case of problem.

NAT-PT DNS-alg as you describe introduces state
in the stub resolver on a per-name resolution basis.
Even if the stun resolver does not cache, the application
that ask for the resolution may very well do.

Using a well know prefix (a la NAT64, but not necessarily ::ffff:0:0)
put state in the NAT box on a per-connection basis.
If the box fails, current connections are trashed, but new
ones can be routed to a new box.


> > Also very bad, this breaks DNSsec.
> >    
> 	(i think i have repeated this too many times)
I repeat it because it is true.

> 	when you rely on intermediate device which rewrites your packet,
> 	what kind of protection do DNSsec really provide? 
Using NAT-PT DNS ALG, the node does not know it is using
NAT, so it cannot differentiate DNSsec does not work because
I'm behind NAT-PT from DNSsec tells me something fishy
happened. Remember, DNSsec will still work fine for 'regular'
IPv6 name to address translation for regular IPv6 addresses.

> and when you
> 	fabricate address by attaching some hardcoded prefix onto the value
> 	returned from DNSsec?
DNSsec signature can still be checked in the stub resolver
before the wkn prefix is attached.

> 	with the lack of deployment of DNSsec, and the likelihood of
> 	deployment is so low, i don't think your popular claim "it breaks
> 	DNSsec" is realistic.
>  
How can you make such a public statement! How can you say publically
we are deploying IPv6 and do not care about DNSsec!
This makes no sense to me...

   - Alain.