
Re: about Iljitsch's (M)NAT-PT
On 2008-03-15 03:20, Francis Dupont wrote:
> I'd like to see, in security considerations for instance, an analysis
> of the DNS ALG over deployment of DNSSEC.
> Please note:
>  - this applies to all proposals with a DNS ALG (so it is not directed
>   against Iljitsch's one :-)
>  - DNS is a bit more complex than just asking for an A or AAAA RR. For
>   instance what is the impact of the DNS ALG over a DNSSEC capable server
>   placed at the bad side (i.e., behind the NAT).

Just to point out as Iljitsch's co-author that the draft says
of DNS-ALG

  "Although discouraged, this mechanism MAY still be used."

and actually recommends an alternative:

  "IPv6 hosts that
   want to communicate with IPv4 hosts SHOULD look up the A records
   themselves, obtaining a(y), and create a synthetic IPv6 destination
   address by concatenating a particular /96 prefix and the bits of
   a(y).  The resulting IPv6 address A(t) will cause the packet to be
   delivered to the relevant MNAT-PT."

I agree that the DNS ALG/DNSSEC interaction needs to be described.
The worst case is that authentication failures have to be ignored...

    Brian
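The host-side alternative quoted above (look up the A record yourself, then prepend a /96 prefix to a(y)) can be worked through in a few lines. This is an added example, not code from the draft or the list thread; the prefix 2001:db8:1:2:3:4::/96 and the answer structure with an `ad` (authenticated data) flag are constructed here. It also shows why this path sits better with DNSSEC than a DNS ALG: the host validates the real A record and only then synthesizes, so nothing rewrites a signed answer in flight.

```python
import ipaddress

# Constructed example prefix (documentation range); a real deployment
# would use the MNAT-PT's configured /96 translation prefix.
TRANSLATION_PREFIX = "2001:db8:1:2:3:4::/96"


def synthesize_ipv6(prefix: str, a_y: str) -> ipaddress.IPv6Address:
    """Build A(t) = <96-bit prefix> || a(y), as the draft text describes."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 96:
        raise ValueError("translation prefix must be exactly /96")
    low32 = int(ipaddress.IPv4Address(a_y))
    return ipaddress.IPv6Address(int(net.network_address) | low32)


def extract_ipv4(prefix: str, a_t: str) -> ipaddress.IPv4Address:
    """Inverse mapping the MNAT-PT needs: recover a(y) from A(t)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    addr = ipaddress.IPv6Address(a_t)
    if addr not in net:
        raise ValueError("address is not inside the translation prefix")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def pick_v6_targets(answers: dict, prefix: str) -> list:
    """Host-side policy (assumed, not from the draft): prefer native AAAA;
    otherwise synthesize from A records, but only if the A answer was
    DNSSEC-authenticated. An unauthenticated answer is refused rather than
    silently translated, which is the failure mode a DNS ALG cannot avoid."""
    if answers.get("AAAA"):
        return [str(ipaddress.IPv6Address(a)) for a in answers["AAAA"]]
    if not answers.get("ad", False):
        raise ValueError("A answer not authenticated; refusing to synthesize")
    return [str(synthesize_ipv6(prefix, a)) for a in answers.get("A", [])]


if __name__ == "__main__":
    # Constructed answer set: no AAAA, one validated A record.
    validated = {"A": ["192.0.2.33"], "AAAA": [], "ad": True}
    for target in pick_v6_targets(validated, TRANSLATION_PREFIX):
        print(target, "->", extract_ipv4(TRANSLATION_PREFIX, target))
```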