headers
Tassos Chatzithomaoglou | 5 Jul 2012 13:52
Picon

DS-Lite & DNS


Hi all,

I'm reading in RFC 6333:

5.5. DNS

 A B4 element is only configured from the service provider with IPv6. As such, it can only learn the address of a DNS recursive server through DHCPv6 (or other similar method over IPv6). As DHCPv6 only defines an option to get the IPv6 address of such a DNS recursive server, the B4 element cannot easily discover the IPv4 address of such a recursive DNS server, and as such will have to perform all DNS resolution over IPv6. The B4 element can pass this IPv6 address to downstream IPv6 nodes, but not to downstream IPv4 nodes. As such, the B4 element SHOULD implement a DNS proxy, following the recommendations of [RFC5625].

6.4. DNS

 As noted previously, a DS-Lite node implementing a B4 element will perform DNS resolution over IPv6. As a result, DNS packets are not expected to go through the AFTR element.
What would be the expected behavior if i configure manually an IPv4 DNS server to a host attached to the CPE?
According to RFC5625:
Except when required to enforce an active security or network policy (such as maintaining a pre-authentication "walled garden"), end-users SHOULD be able to send their DNS queries to specified upstream resolvers, thereby bypassing the proxy altogether. In this case, the gateway SHOULD NOT modify the DNS request or response packets in any way.
Does this mean that the 6.4 statement "DNS packets are not expected to go through the AFTR element." is not always valid?

Also, can draft-ietf-dhc-dhcpv4-over-ipv6 be considered an alternative option for passing IPv4 info to clients over IPv6 in DS-Lite networks?


-- Tassos 
_______________________________________________
v6ops mailing list
v6ops@...
https://www.ietf.org/mailman/listinfo/v6ops
Permalink | Reply |
headers
Arnaud Ongenae | 5 Jul 2012 13:56
Favicon

Re: DS-Lite & DNS

If you configure manually the DNS to use for example OpenDNS or Google, 
you'll go through the tunnel for every DNS request, you'll consume 
several of your udp sessions on the NAT.
It will (must) work. IMHO, this configuration is outside the scope of 
this specification.

Arnaud Ongenae
QA Engineer
IPD - Belgium

On 07/05/2012 01:52 PM, Tassos Chatzithomaoglou wrote:
> Does this mean that the 6.4 statement "DNS packets are not expected to
> go through the AFTR element." is not always valid?
Permalink | Reply |
headers
Wuyts Carl | 5 Jul 2012 14:01
Favicon

Re: DS-Lite & DNS

HI,

 

First of all, assigning DNS info to host behind a CPE doesn’t look a scalable thing/solution to me, although possible of course.

Secondly, I think the issue stated in the RFC is on how to get DNS info to the CPE/hosts, rather than how the message flow is for DNS queries (v4/v6).

With a DNS Proxy, your DNs query, no matter A/AAA or v4/v6 transport, will be sent to the CPE which in its turn can forward it to its available DNS servers (which he potentially can get through different channels like PPP, DHCPv4 and v6, static,  …; for dslite solution it’ll be static or dhcpv6 most likely). 

In your use case, the host knows about the DNS server, so no need to pass the request through the CPE and ask to CPE to handle it, but just route the packet to its destination.  In this case, the question will be: does the CPE has a route to its destination ?  If so (e.g. default route to DSLite tunnel for v4 traffic) the packet will just be routed, if not, packet will be dropped.

 

regs

Carl

From: v6ops-bounces <at> ietf.org [mailto:v6ops-bounces <at> ietf.org] On Behalf Of Tassos Chatzithomaoglou
Sent: donderdag 5 juli 2012 13:52
To: v6ops <at> ietf.org; softwires <at> ietf.org
Subject: [v6ops] DS-Lite & DNS

 


Hi all,

I'm reading in RFC 6333:

5.5.  DNS

 

   A B4 element is only configured from the service provider with IPv6.

   As such, it can only learn the address of a DNS recursive server

   through DHCPv6 (or other similar method over IPv6).  As DHCPv6 only

   defines an option to get the IPv6 address of such a DNS recursive

   server, the B4 element cannot easily discover the IPv4 address of

   such a recursive DNS server, and as such will have to perform all DNS

   resolution over IPv6.

 

   The B4 element can pass this IPv6 address to downstream IPv6 nodes,

   but not to downstream IPv4 nodes.  As such, the B4 element SHOULD

   implement a DNS proxy, following the recommendations of [RFC5625].

 

6.4.  DNS

 

   As noted previously, a DS-Lite node implementing a B4 element will

   perform DNS resolution over IPv6.  As a result, DNS packets are not

   expected to go through the AFTR element.

 


What would be the expected behavior if i configure manually an IPv4 DNS server to a host attached to the CPE?
According to RFC5625:

Except when required to enforce an active security or network policy

   (such as maintaining a pre-authentication "walled garden"), end-users

   SHOULD be able to send their DNS queries to specified upstream

   resolvers, thereby bypassing the proxy altogether.  In this case, the

   gateway SHOULD NOT modify the DNS request or response packets in any

   way.


Does this mean that the 6.4 statement "DNS packets are not expected to go through the AFTR element." is not always valid?

Also, can draft-ietf-dhc-dhcpv4-over-ipv6 be considered an alternative option for passing IPv4 info to clients over IPv6 in DS-Lite networks?



--

Tassos

 

_______________________________________________
v6ops mailing list
v6ops@...
https://www.ietf.org/mailman/listinfo/v6ops
Permalink | Reply |
headers
Tassos Chatzithomaoglou | 5 Jul 2012 15:06
Picon

Re: [v6ops] DS-Lite & DNS

Since i (as an operator) manage the CPE but not the host, i got a little bit worried and confused by the statement "DNS packets are not expected to go through the AFTR element", since the subscriber can easily send such packets.
So my understanding is that this is a supported scenario, but probably not a recommended one.

Wuyts Carl wrote on 05/07/2012 15:01:

HI,

 

First of all, assigning DNS info to host behind a CPE doesn’t look a scalable thing/solution to me, although possible of course.

Secondly, I think the issue stated in the RFC is on how to get DNS info to the CPE/hosts, rather than how the message flow is for DNS queries (v4/v6).

With a DNS Proxy, your DNs query, no matter A/AAA or v4/v6 transport, will be sent to the CPE which in its turn can forward it to its available DNS servers (which he potentially can get through different channels like PPP, DHCPv4 and v6, static,  …; for dslite solution it’ll be static or dhcpv6 most likely). 

In your use case, the host knows about the DNS server, so no need to pass the request through the CPE and ask to CPE to handle it, but just route the packet to its destination.  In this case, the question will be: does the CPE has a route to its destination ?  If so (e.g. default route to DSLite tunnel for v4 traffic) the packet will just be routed, if not, packet will be dropped.

 

regs

Carl

From: v6ops-bounces-EgrivxUAwEY@public.gmane.org [mailto:v6ops-bounces <at> ietf.org] On Behalf Of Tassos Chatzithomaoglou
Sent: donderdag 5 juli 2012 13:52
To: v6ops-EgrivxUAwEY@public.gmane.org; softwires-EgrivxUAwEY@public.gmane.org
Subject: [v6ops] DS-Lite & DNS

 


Hi all,

I'm reading in RFC 6333:

5.5.  DNS

 

   A B4 element is only configured from the service provider with IPv6.

   As such, it can only learn the address of a DNS recursive server

   through DHCPv6 (or other similar method over IPv6).  As DHCPv6 only

   defines an option to get the IPv6 address of such a DNS recursive

   server, the B4 element cannot easily discover the IPv4 address of

   such a recursive DNS server, and as such will have to perform all DNS

   resolution over IPv6.

 

   The B4 element can pass this IPv6 address to downstream IPv6 nodes,

   but not to downstream IPv4 nodes.  As such, the B4 element SHOULD

   implement a DNS proxy, following the recommendations of [RFC5625].

 

6.4.  DNS

 

   As noted previously, a DS-Lite node implementing a B4 element will

   perform DNS resolution over IPv6.  As a result, DNS packets are not

   expected to go through the AFTR element.

 


What would be the expected behavior if i configure manually an IPv4 DNS server to a host attached to the CPE?
According to RFC5625:

Except when required to enforce an active security or network policy

   (such as maintaining a pre-authentication "walled garden"), end-users

   SHOULD be able to send their DNS queries to specified upstream

   resolvers, thereby bypassing the proxy altogether.  In this case, the

   gateway SHOULD NOT modify the DNS request or response packets in any

   way.


Does this mean that the 6.4 statement "DNS packets are not expected to go through the AFTR element." is not always valid?

Also, can draft-ietf-dhc-dhcpv4-over-ipv6 be considered an alternative option for passing IPv4 info to clients over IPv6 in DS-Lite networks?



--

Tassos

 



<div>
    <div class="moz-cite-prefix">Since i (as an operator) manage the CPE
      but not the host, i got a little bit worried and confused by the
      statement "DNS packets are not expected to go through the AFTR
      element", since the subscriber can easily send such packets.<br>
      So my understanding is that this is a supported scenario, but
      probably not a recommended one.<br><br>
      Wuyts Carl wrote on 05/07/2012 15:01:<br>
</div>
    <blockquote cite="mid:867F4B6A1672E541A94676D556793ACD149FA79734@...lti.com" type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span>HI,<p></p></span></p>
        <p class="MsoNormal"><span><p>&nbsp;</p></span></p>
        <p class="MsoNormal"><span>First
            of all, assigning DNS info to host behind a CPE doesn&rsquo;t look
            a scalable thing/solution to me, although possible of
            course.<p></p></span></p>
        <p class="MsoNormal"><span>Secondly,
            I think the issue stated in the RFC is on how to get DNS
            info to the CPE/hosts, rather than how the message flow is
            for DNS queries (v4/v6).<p></p></span></p>
        <p class="MsoNormal"><span>With
            a DNS Proxy, your DNs query, no matter A/AAA or v4/v6
            transport, will be sent to the CPE which in its turn can
            forward it to its available DNS servers (which he
            potentially can get through different channels like PPP,
            DHCPv4 and v6, static, &nbsp;&hellip;; for dslite solution it&rsquo;ll be
            static or dhcpv6 most likely).&nbsp; <p></p></span></p>
        <p class="MsoNormal"><span>In
            your use case, the host knows about the DNS server, so no
            need to pass the request through the CPE and ask to CPE to
            handle it, but just route the packet to its destination. &nbsp;In
            this case, the question will be: does the CPE has a route to
            its destination ?&nbsp; If so (e.g. default route to DSLite
            tunnel for v4 traffic) the packet will just be routed, if
            not, packet will be dropped.<p></p></span></p>
        <p class="MsoNormal"><span><p>&nbsp;</p></span></p>
        <p class="MsoNormal"><span>regs<p></p></span></p>
        <p class="MsoNormal"><span>Carl<p></p></span></p>
        <div>
          <div>
            <p class="MsoNormal"><span>From:</span><span>
                <a class="moz-txt-link-abbreviated" href="mailto:v6ops-bounces@...">v6ops-bounces@...</a> [<a class="moz-txt-link-freetext" href="mailto:v6ops-bounces@...">mailto:v6ops-bounces <at> ietf.org</a>] On
                  Behalf Of Tassos Chatzithomaoglou<br>Sent: donderdag 5 juli 2012 13:52<br>To: <a class="moz-txt-link-abbreviated" href="mailto:v6ops@...">v6ops@...</a>; <a class="moz-txt-link-abbreviated" href="mailto:softwires@...">softwires@...</a><br>Subject: [v6ops] DS-Lite &amp; DNS<p></p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><p>&nbsp;</p></p>
        <p class="MsoNormal"><span><br>Hi all,<br><br>I'm reading in RFC 6333:</span><p></p></p>
        <h3>
<a moz-do-not-send="true" name="section-5.5"></a><a moz-do-not-send="true" href="http://tools.ietf.org/html/rfc6333#section-5.5"><span>5.5</span></a><span>.&nbsp; DNS<p></p></span>
</h3>
        <p>&nbsp;</p>
        &nbsp;&nbsp; A B4 element is only configured from the service provider with IPv6.<p></p>
        &nbsp;&nbsp; As such, it can only learn the address of a DNS recursive server<p></p>
        &nbsp;&nbsp; through DHCPv6 (or other similar method over IPv6).&nbsp; As DHCPv6 only<p></p>
        &nbsp;&nbsp; defines an option to get the IPv6 address of such a DNS recursive<p></p>
        &nbsp;&nbsp; server, the B4 element cannot easily discover the IPv4 address of<p></p>
        &nbsp;&nbsp; such a recursive DNS server, and as such will have to perform all DNS<p></p>
        &nbsp;&nbsp; resolution over IPv6.<p></p>
        <p>&nbsp;</p>
        &nbsp;&nbsp; The B4 element can pass this IPv6 address to downstream IPv6 nodes,<p></p>
        &nbsp;&nbsp; but not to downstream IPv4 nodes.&nbsp; As such, the B4 element SHOULD<p></p>
        &nbsp;&nbsp; implement a DNS proxy, following the recommendations of [<a moz-do-not-send="true" href="http://tools.ietf.org/html/rfc5625" title='"DNS Proxy Implementation Guidelines"'>RFC5625</a>].<p></p>
        <p>&nbsp;</p>
        <h3>
<a moz-do-not-send="true" name="section-6.4"></a><a moz-do-not-send="true" href="http://tools.ietf.org/html/rfc6333#section-6.4"><span>6.4</span></a><span>.&nbsp; DNS<p></p></span>
</h3>
        <p>&nbsp;</p>
        &nbsp;&nbsp; As noted previously, a DS-Lite node implementing a B4 element will<p></p>
        &nbsp;&nbsp; perform DNS resolution over IPv6.&nbsp; As a result, DNS packets are not<p></p>
        &nbsp;&nbsp; expected to go through the AFTR element.<p></p>
        <p>&nbsp;</p>
        <p class="MsoNormal"><br><span>What would be the expected
              behavior if i configure manually an IPv4 DNS server to a
              host attached to the CPE?</span><span><br>According to RFC5625:</span><p></p></p>
        Except when required to enforce an active security or network policy<p></p>
        &nbsp;&nbsp; (such as maintaining a pre-authentication "walled garden"), end-users<p></p>
        &nbsp;&nbsp; SHOULD be able to send their DNS queries to specified upstream<p></p>
        &nbsp;&nbsp; resolvers, thereby bypassing the proxy altogether.&nbsp; In this case, the<p></p>
        &nbsp;&nbsp; gateway SHOULD NOT modify the DNS request or response packets in any<p></p>
        &nbsp;&nbsp; way.<p></p>
        <p class="MsoNormal"><span><br>Does this mean that the 6.4 statement "DNS packets are
              not expected to go through the AFTR element." is not
              always valid?<br><br>Also, can draft-ietf-dhc-dhcpv4-over-ipv6 be considered
              an alternative option for passing IPv4 info to clients
              over IPv6 in DS-Lite networks?<br><br><br><br></span><p></p></p>
        --<p></p>
        Tassos<p></p>
        <p>&nbsp;</p>
      </div>
    </blockquote>
    <br><br>
</div>
Permalink | Reply |
headers
Lee, Yiu | 5 Jul 2012 18:26
Picon

Re: [Softwires] DS-Lite & DNS

Since the DNS server at home only manages its own dns-domain, the dns-server should still use the CPE's IP for external dns query. If user decides not to use the CPE's IP, all dns packets would use the tunnel. If an operator wants to block this, in theory this will require implementing ACL to block dns in AFTR. In practice, this would probably make the user very unhappy.

Draft-ietf-dns-dhcpv4-over-ipv6 addresses a different use case. This will be used when the CPE will be provisioned with a full public IPv4 address (i.e. No NAT in the AFTR).


From: Tassos Chatzithomaoglou <achatz-1qjEjX/Lvz1pxd+mj9Ai3A@public.gmane.org>
Organization: Forthnet
Date: Thursday, July 5, 2012 9:06 AM
To: Wuyts Carl <Carl.Wuyts <at> technicolor.com>
Cc: "softwires-EgrivxUAwEY@public.gmane.org" <softwires-EgrivxUAwEY@public.gmane.org>, "v6ops-EgrivxUAwEY@public.gmane.org" <v6ops-EgrivxUAwEY@public.gmane.org>
Subject: Re: [Softwires] [v6ops] DS-Lite & DNS

Since i (as an operator) manage the CPE but not the host, i got a little bit worried and confused by the statement "DNS packets are not expected to go through the AFTR element", since the subscriber can easily send such packets.
So my understanding is that this is a supported scenario, but probably not a recommended one.


Also, can draft-ietf-dhc-dhcpv4-over-ipv6 be considered an alternative option for passing IPv4 info to clients over IPv6 in DS-Lite networks?
Attachment (smime.p7s): application/pkcs7-signature, 5531 bytes
_______________________________________________
v6ops mailing list
v6ops@...
https://www.ietf.org/mailman/listinfo/v6ops
Permalink | Reply |

Gmane