Re: about Iljitsch's (M)NAT-PT
On 2008-03-15 03:20, Francis Dupont wrote:
> I'd like to see, in security considerations for instance, an analysis
> of the DNS ALG over deployment of DNSSEC.
> Please note:
> - this applies to all proposals with a DNS ALG (so it is not directed
> against Iljitsch's one :-)
> - DNS is a bit more complex than just asking for an A or AAAA RR. For
> instance what is the impact of the DNS ALG over a DNSSEC capable server
> placed at the bad side (i.e., behind the NAT).
Just to point out as Iljitsch's co-author that the draft says
of DNS-ALG
"Although discouraged, this mechanism MAY still be used."
and actually recommends an alternative:
"IPv6 hosts that
want to communicate with IPv4 hosts SHOULD look up the A records
themselves, obtaining a(y), and create a synthetic IPv6 destination
address by concatenating a particular /96 prefix and the bits of
a(y). The resulting IPv6 address A(t) will cause the packet to be
delivered to the relevant MNAT-PT."
I agree that the DNS ALG/DNSSEC interaction needs to be described.
The worst case is that authentication failures have to be ignored...
Brian
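The host-side synthesis the draft text quoted above recommends (look up the A record yourself, then prepend a /96 translator prefix to the 32 bits of a(y)), as an added illustration that is not part of this message or the draft. The translator prefix 2001:db8:64::/96, the answer records and the function names are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

def synthesize_ipv6(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Return A(t) = <prefix/96> || a(y).

    The prefix must be exactly a /96 so that the low 32 bits of the
    resulting address are precisely the IPv4 address a(y)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 96:
        raise ValueError("translator prefix must be a /96")
    a_y = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(net.network_address) | int(a_y))

def extract_ipv4(prefix: str, ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """Inverse mapping: recover a(y) from A(t), or None if the address
    does not fall inside the translator prefix (i.e. is a native address)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)

def choose_destinations(answers: List[Tuple[str, str]],
                        prefix: str) -> List[str]:
    """Given (rrtype, rdata) pairs the host resolved (and, with DNSSEC,
    validated) itself, prefer native AAAA records and otherwise synthesize
    an IPv6 destination from each A record. Because the host validates
    the genuine A RRset and synthesizes locally, no DNS ALG has to rewrite
    signed answers on the wire."""
    native = [rd for rt, rd in answers if rt == "AAAA"]
    if native:
        return native
    return [str(synthesize_ipv6(prefix, rd)) for rt, rd in answers if rt == "A"]

if __name__ == "__main__":
    # Constructed sample answers for a dual-stack-less IPv4-only host.
    sample = [("A", "192.0.2.33"), ("A", "198.51.100.7")]
    print(choose_destinations(sample, "2001:db8:64::/96"))
```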