
Re: NAT64 and DNSSec



On 26 Mar 2008, at 19:23, marcelo bagnulo wrote:

> We have v4 initiated communications and v6 initiated communications.
> In v6 initiated communications, the DNS reply will be received by a v6-only node and will contain an AAAA record. This will be a synthetic AAAA record containing a v6 address. It is possible that the v6 address is some form of v4 mapped address, so it would be possible to validate the synthetic AAAA record from the original A record (if the v6 prefix is well known).

Right. However, this requires changes on the v6 host.

> In v4 initiated communications, we are not so lucky, cause the reply will be a synthetic A record, containing a v4 address, that is likely to be the one of the translator, and has no relation with the original v6 address.

What kind of solution do you have in mind here?

For v6->v4, the IPv4 address is mapped to IPv6 space locally. I.e., if you connect to the network elsewhere, you see a different mapping. This is easy because a 32 bit space fits into a 128 bit space 2^96 times.

However, for v4->v6 there aren't even enough IPv4 address bits to map the IPv6 space into the IPv4 space _once_, let alone multiple times in multiple locations. If, on the other hand, we map a subset of the IPv6 space into the IPv4 space once, this mapping is globally unique so it can be published in the DNS, which means that it can be signed with DNSSEC.

> - Level 2: another option is to include both the EDNS0 tag and also the original information of the original RR, including the original address and the signature information. This would allow to verify the original packet, but then we need to verify the binding between the original address and the one actually included in the synthetic DNS RR. In the case of v6 initiated communications, this is possible cause the v6 address included in the synthetic record is related to the original v4 address.

Right, and then a NAT-PT/DNSSEC aware host can perform the DNSSEC checks and the only thing it has to take on faith are the 96 top bits in the synthetic response.

These bits could be signed in some way, too, if desired.
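As an added illustration (not code from the thread or its authors), the v6-initiated case in Python: the translator synthesizes an AAAA record from the A record, and a v6-only host that also received the validated A RRset (the "Level 2" option) re-derives the binding, leaving only the 96 prefix bits to be trusted out of band. The 64:ff9b::/96 prefix is an assumption standing in for the "well known" prefix the thread mentions.

```python
import ipaddress

# Assumed well-known translator prefix; the thread only says "if the v6
# prefix is well known" and gives no value.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(a_record, prefix=NAT64_PREFIX):
    """Translator side: embed the 32-bit A record in the low bits of the
    prefix. A 32-bit space fits into a 128-bit space 2^96 times, so a /96
    prefix leaves exactly room for one IPv4 address."""
    if prefix.prefixlen != 96:
        raise ValueError("this mapping assumes a /96 translator prefix")
    v4 = ipaddress.IPv4Address(a_record)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def embedded_ipv4(synthetic_aaaa, prefix=NAT64_PREFIX):
    """Host side: recover the IPv4 address carried in a synthetic AAAA, or
    None if the address is not inside the translator prefix at all."""
    addr = ipaddress.IPv6Address(synthetic_aaaa)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def validate_synthetic_aaaa(synthetic_aaaa, validated_a_rrset, prefix=NAT64_PREFIX):
    """Binding check for a v6-only host that has already DNSSEC-validated
    the original A RRset shipped alongside the synthetic answer: the AAAA
    must equal prefix + one of those A records. The 96 prefix bits are the
    only part still taken on faith."""
    v4 = embedded_ipv4(synthetic_aaaa, prefix)
    if v4 is None:
        return False
    return v4 in {ipaddress.IPv4Address(a) for a in validated_a_rrset}


if __name__ == "__main__":
    # Constructed sample: a validated A RRset and the translator's answer.
    a_rrset = ["192.0.2.1", "192.0.2.2"]
    synthetic = synthesize_aaaa(a_rrset[0])
    print(synthetic, validate_synthetic_aaaa(str(synthetic), a_rrset))
```

The v4-initiated direction has no counterpart here: a synthetic A record carries the translator's own address, from which nothing about the original AAAA can be recovered.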