
Re: on NAT-PT



> 	you are generalizing it too much by saying "in IPv6 networks" - what
> 	i'm suggesting is to use "AD is secure" for NAT-PT, that's all.
> 	it doesn't have to be imposed for all IPv6 networks.

Suppose I have a host that doesn't want to trust "AD is secure".
This might be because I'm only wanting to trust it when talking to
my trusted "home" resolver.
Suppose I visit a place which provides nice IPv6 functionality using NAT-PT.
Can my box validate the DNSSEC signatures itself?

As far as I understand it can't, since it doesn't know which AAAA records
have been made up by the DNS ALG in the NAT-PT box.

Reading draft-ietf-dnsext-dns-threats-02.txt makes me believe this would
be unacceptable.

Oh - and I think DNSSEC will be deployed in our lifetime, just like
I think IPv6 will be deployed in our lifetime. Both are likely to happen over
the next 5-10 years.

  Erik
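
The validation problem described in the message above, as an added example that is not part of the original post: a host that checks signatures itself accepts the signed A record but has nothing that covers the AAAA record a NAT-PT DNS ALG derives from it. The prefix, names and addresses are constructed, and the toy textbook RSA is an assumed stand-in for real DNSSEC RRSIG processing.

```python
import hashlib
import ipaddress

# Toy textbook RSA standing in for a zone signing key (NOT real DNSSEC crypto).
P, Q, E = 2**89 - 1, 2**107 - 1, 65537       # two Mersenne primes, public exponent
N = P * Q                                    # public modulus known to the host
D = pow(E, -1, (P - 1) * (Q - 1))            # private exponent, zone signer only

# Constructed NAT-PT translation prefix (documentation address space).
NATPT_PREFIX = ipaddress.IPv6Network("2001:db8:ffff::/96")

def digest(owner, rrtype, rdata):
    """Hash of the fields a signature covers: owner name, type and rdata."""
    msg = f"{owner.lower()}|{rrtype}|{rdata}".encode()
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def signed(owner, rrtype, rdata):
    """Authoritative side: return the record together with its signature."""
    return (owner, rrtype, rdata, pow(digest(owner, rrtype, rdata), D, N))

def host_validate(owner, rrtype, rdata, sig):
    """Validating host: uses only the public key (E, N)."""
    return sig is not None and pow(sig, E, N) == digest(owner, rrtype, rdata)

def alg_synthesize(a_answer):
    """DNS ALG in the NAT-PT box: rewrite a signed A answer into an AAAA answer.
    It holds no zone key, so it can only forward the old signature or drop it."""
    owner, _rrtype, rdata, sig = a_answer
    v4 = int(ipaddress.IPv4Address(rdata))
    v6 = ipaddress.IPv6Address(int(NATPT_PREFIX.network_address) | v4)
    return (owner, "AAAA", str(v6), sig)

if __name__ == "__main__":
    a = signed("www.example.", "A", "192.0.2.1")
    aaaa = alg_synthesize(a)
    print("original A validates:      ", host_validate(*a))
    print("synthesized AAAA:          ", aaaa[2])
    print("synthesized AAAA validates:", host_validate(*aaaa))
```

To the validating host, the synthesized AAAA is indistinguishable from a forged one: both are records with no signature that covers them.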