Re: NAT64 and DNSSec
Hi Iljitsch,
Iljitsch van Beijnum wrote:
On 26 Mar 2008, at 19:23, marcelo bagnulo wrote:
We have v4-initiated communications and v6-initiated communications.
In v6-initiated communications, the DNS reply will be received by a
v6-only node and will contain an AAAA record. This will be a synthetic
AAAA record containing a v6 address. It is possible that the v6 address
is some form of v4-mapped address, so it would be possible to
validate the synthetic AAAA record from the original A record (if the
v6 prefix is well known).
Right. However, this requires changes on the v6 host.
This is an interesting point IMHO.
Here, a legacy IPv6 host without any specific changes would be able to
process this, but it would lack the security features. However, an
upgraded IPv6 host would be able to perform the verification.
So, this seems a good tradeoff, because it works for legacy hosts (without
security) but it enables the secure option if hosts upgrade to
support it.
So, this could be a good requirement, which I think is along the lines of
the current document:
- The (DNS) mechanism should work for legacy hosts
- Upgraded hosts must be able to perform DNSSEC validation and make it work.
It seems that this is possible for v6 hosts; would it be possible for v4
hosts?
In v4-initiated communications, we are not so lucky, because the reply
will be a synthetic A record, containing a v4 address, that is likely
to be the one of the translator, and has no relation with the
original v6 address.
What kind of solution do you have in mind here?
For v6->v4, the IPv4 address is mapped to IPv6 space locally.
What do you mean by locally?
I.e., if you connect to the network elsewhere, you see a different
mapping. This is easy because a 32 bit space fits into a 128 bit space
2^96 times.
However, for v4->v6 there aren't even enough IPv4 address bits to map
the IPv6 space into the IPv4 space _once_, let alone multiple times in
multiple locations. If, on the other hand, we map a subset of the IPv6
space into the IPv4 space once, this mapping is globally unique so it
can be published in the DNS, which means that it can be signed with
DNSSEC.
I don't have a preference here, but I am more focused on the
requirements that we can impose right now.
Do you think it would be possible to impose any form of requirement for
using DNSSEC in the v4 host?
- Level 2: another option is to include both the EDNS0 tag and also
the original information of the original RR, including the original
address and the signature information. This would allow verifying the
original packet, but then we need to verify the binding between the
original address and the one actually included in the synthetic DNS
RR. In the case of v6-initiated communications, this is possible
because the v6 address included in the synthetic record is related to
the original v4 address.
Right, and then a NAT-PT/DNSSEC aware host can perform the DNSSEC
checks and the only thing it has to take on faith are the 96 top bits
in the synthetic response.
These bits could be signed in some way, too, if desired.
Right, but I fail to see if it would be possible to do it in the v4 world.
Regards, marcelo
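The check the thread describes for the v6-initiated case (a DNSSEC-aware host validating the original A RRset, then accepting a synthetic AAAA only if its low 32 bits match a validated A record, taking the 96 prefix bits on faith) is shown below as an added example. It is not code from the thread or from any NAT-PT/NAT64 implementation. It assumes the translator maps IPv4 addresses into a /96 IPv6 prefix by appending the 32 address bits; the prefix 64:ff9b::/96 and the addresses are placeholders chosen for the example, and DNSSEC validation of the A RRset is modelled as a list of addresses that validation has already accepted. There is deliberately no counterpart for the v4-initiated case: the synthetic A record carries a translator address with no arithmetic relation to the AAAA, so there is nothing to compare, which is exactly the asymmetry the thread ends on.

```python
"""Added example: checking a synthetic AAAA against a DNSSEC-validated A RRset.

Assumptions of this example (not from the thread): /96 prefix form, the
prefix 64:ff9b::/96 as a stand-in for a "well known" prefix, and A-record
validation already performed by the caller.
"""
import ipaddress

NAT64_PREFIX = "64:ff9b::/96"  # assumed well-known prefix, placeholder value


def synthesize_aaaa(prefix, ipv4):
    """Build the AAAA a translator's DNS would synthesize for an IPv4 address:
    the 96 prefix bits followed by the 32 bits of the IPv4 address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("this example handles only /96 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(net.network_address) | int(v4))


def embedded_ipv4(prefix, ipv6):
    """Recover the IPv4 address embedded in a synthetic AAAA, or None when
    the address is not inside the prefix (i.e. it is a native AAAA)."""
    net = ipaddress.IPv6Network(prefix)
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in net:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def validate_synthetic_aaaa(prefix, validated_a, synthetic_aaaa):
    """Split a synthetic AAAA RRset into records whose embedded IPv4 address
    is covered by the DNSSEC-validated A RRset and records that are not.

    Only the low 32 bits are cross-checked against the signed A data; the
    96 prefix bits are the part the host still has to take on faith.
    Returns (consistent, rejected) as lists of address strings."""
    trusted = {ipaddress.IPv4Address(a) for a in validated_a}
    consistent, rejected = [], []
    for rr in synthetic_aaaa:
        v4 = embedded_ipv4(prefix, rr)
        if v4 is not None and v4 in trusted:
            consistent.append(str(ipaddress.IPv6Address(rr)))
        else:
            rejected.append(str(ipaddress.IPv6Address(rr)))
    return consistent, rejected


if __name__ == "__main__":
    # Constructed sample: two A records the host has validated with DNSSEC,
    # plus a synthetic answer containing one extra record that matches no
    # validated A address (e.g. injected by an on-path party).
    validated_a = ["192.0.2.10", "192.0.2.11"]
    answer = [str(synthesize_aaaa(NAT64_PREFIX, a)) for a in validated_a]
    answer.append("64:ff9b::c000:2ff")
    good, bad = validate_synthetic_aaaa(NAT64_PREFIX, validated_a, answer)
    print("consistent with validated A RRset:", good)
    print("rejected:", bad)
    # The same IPv4 address maps differently under another prefix, which is
    # the "local mapping" point: the prefix, not the low 32 bits, is what
    # differs from network to network.
    print(synthesize_aaaa("2001:db8:64::/96", "192.0.2.10"))
```

Usage note: `validate_synthetic_aaaa` is the piece an upgraded host would run after normal DNSSEC validation of the A RRset; a legacy host simply uses the AAAA as received, which is the "works without security" half of the tradeoff in the message above.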