Re: NAT64 and DNSSec
On 26 mrt 2008, at 19:23, marcelo bagnulo wrote:
> We have v4 initiated communications and v6 initiated communications.
> In v6 initiated communications, the DNS reply will be received by a
> v6-only node and will contain an AAAA record. This will be a
> synthetic AAAA record containing a v6 address. It is possible that the
> v6 address is some form of v4-mapped address, so it would be
> possible to validate the synthetic AAAA record from the original A
> record (if the v6 prefix is well known).
Right. However, this requires changes on the v6 host.
> In v4 initiated communications, we are not so lucky, cause the reply
> will be a synthetic A record, containing a v4 address, that is likely
> to be the one of the translator, and has no relation with the
> original v6 address.
> What kind of solution do you have in mind here?
For v6->v4, the IPv4 address is mapped to IPv6 space locally. I.e., if
you connect to the network elsewhere, you see a different mapping.
This is easy because a 32 bit space fits into a 128 bit space 2^96
times.
However, for v4->v6 there aren't even enough IPv4 address bits to map
the IPv6 space into the IPv4 space _once_, let alone multiple times in
multiple locations. If, on the other hand, we map a subset of the IPv6
space into the IPv4 space once, this mapping is globally unique so it
can be published in the DNS, which means that it can be signed with
DNSSEC.
> - Level 2: another option is to include both the EDNS0 tag and also
> the original information of the original RR, including the original
> address and the signature information. This would allow verifying
> the original packet, but then we need to verify the binding between
> the original address and the one actually included in the synthetic
> DNS RR. In the case of v6 initiated communications, this is possible
> cause the v6 address included in the synthetic record is related to
> the original v4 address.
Right, and then a NAT-PT/DNSSEC aware host can perform the DNSSEC
checks and the only thing it has to take on faith are the 96 top bits
in the synthetic response.
These bits could be signed in some way, too, if desired.
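As an added illustration (not code from this thread or from either author), the following Python models the check discussed above: a v6-only host validates a synthetic AAAA by trusting the 96 prefix bits and comparing the embedded 32 bits against the DNSSEC-validated A RRset, while a synthetic A record in the v4-initiated direction carries only translator-local pool state and so cannot be tied to the original AAAA. It assumes the well-known prefix 64:ff9b::/96 (the thread only says "if the v6 prefix is well known") and models a DNSSEC-validated A RRset as a plain set of addresses, leaving actual signature validation to the resolver.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

# Assumption for this example: the translator prefix the v6 host is configured
# to trust. These are the "96 top bits taken on faith" from the thread.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4: str,
                    prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> ipaddress.IPv6Address:
    """Embed a 32-bit IPv4 address in the low 32 bits below a 96-bit prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("embedding needs exactly 96 prefix bits + 32 address bits")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(aaaa: str,
                 prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Optional[ipaddress.IPv4Address]:
    """Reverse the embedding; only possible when the top 96 bits match the trusted prefix."""
    v6 = ipaddress.IPv6Address(aaaa)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF)


def validate_synthetic_aaaa(aaaa: str, validated_a_rrset: Iterable[str],
                            prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> bool:
    """v6-initiated case: accept the synthetic AAAA only if its prefix is the trusted one
    and the embedded IPv4 address is present in the DNSSEC-validated A RRset.
    (validated_a_rrset is assumed to have passed RRSIG validation already.)"""
    embedded = extract_ipv4(aaaa, prefix)
    if embedded is None:
        return False
    return embedded in {ipaddress.IPv4Address(a) for a in validated_a_rrset}


class TranslatorPool:
    """v4-initiated case: the translator hands out an address from its own IPv4 pool and
    records the binding locally. Nothing in the 32-bit answer encodes the original AAAA,
    so two translators (or the same one later) can return identical A records for
    different v6 targets, and no verifier without the binding table can check it."""

    def __init__(self, pool_cidr: str):
        self._free: List[ipaddress.IPv4Address] = list(ipaddress.IPv4Network(pool_cidr).hosts())
        self.bindings: Dict[ipaddress.IPv4Address, ipaddress.IPv6Address] = {}

    def synthesize_a(self, original_aaaa: str) -> ipaddress.IPv4Address:
        v4 = self._free.pop(0)
        self.bindings[v4] = ipaddress.IPv6Address(original_aaaa)
        return v4

    def original_for(self, a: str) -> Optional[ipaddress.IPv6Address]:
        """Only the translator that created the binding can answer this."""
        return self.bindings.get(ipaddress.IPv4Address(a))


if __name__ == "__main__":
    # Constructed sample: a validated A RRset and the AAAA a translator would synthesize.
    validated_a = ["192.0.2.10", "192.0.2.11"]
    aaaa = synthesize_aaaa("192.0.2.10")
    print(aaaa, validate_synthetic_aaaa(str(aaaa), validated_a))          # 64:ff9b::c000:20a True
    print(validate_synthetic_aaaa("64:ff9b::c000:2ff", validated_a))       # False: forged low bits
    print(validate_synthetic_aaaa("2001:db8::c000:20a", validated_a))      # False: untrusted prefix
    t1, t2 = TranslatorPool("198.51.100.0/29"), TranslatorPool("198.51.100.0/29")
    print(t1.synthesize_a("2001:db8::1") == t2.synthesize_a("2001:db8::2"))  # True: same A, different originals
```

The AAAA check only moves trust to the prefix, exactly as the thread says; signing the prefix would close that remaining gap. For the A direction the pool demonstration shows why there is nothing stable to sign: the mapping is per-translator state, not a property of the name.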