[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: NAT64 and DNSSec
On 2008-03-29 05:44, marcelo bagnulo wrote:
> Hi George,
>
>
> George Tsirtsis escribió:
>> Hi Marcelo,
>>
>> I think it is important to decide up front on whether NAT64 will
>> require specific behavior from the IPv6-only nodes behind it or not.
>> v4NATs have proliferated because they are (almost) invisible to IPv4
>> nodes behind them.
>>
>>
>
> as currently defined the requirements allow modifications in the v6 side
>
> (My personal opinion, is that a good mechanism should work with legacy
> (v4 and v6) hosts but it would benefit from additional features if the
> host is upgraded. For instance, DNSSec validation. For a legacy host it
> is not possible, but the mechanism should allow that if the host is
> updated, then it can restore the lost fucntionality.
I think we should aim for the "first, do no harm" principle
which indeed means
1. "no impact worse than NAT44" for the IPv4 host (i.e. no
changes needed in the IPv4 host stack, but contortions
like STUN and ICE may be needed).
2. "no loss of connectivity for legacy IPv6" (i.e. an
unchanged IPv6 stack should see nothing worse that what
it sees with old NAT-PT).
But certainly an updated IPv6 stack should see an improvement
on old NAT-PT, and authenticated DNS replies would be an
improvement.
Brian