[OpenWrt-Devel] support of IETF v6ops draft draft-ietf-v6ops-464xlat-optimization

Bjørn Mork bjorn at mork.no
Mon Feb 3 03:59:06 EST 2020

JORDI PALET MARTINEZ via openwrt-devel <openwrt-devel at lists.openwrt.org>

> We are working in a possible optimization to 464XLAT, in order to
> support old IPv4-only devices such as SmartTVs, STBs, etc., with
> 464XLAT, avoiding double translation (CLAT and PLAT) when the contents
> are already dual-stacked in the CDN/caches.
> The document has recently been accepted as v6ops WG item:
> https://datatracker.ietf.org/doc/draft-ietf-v6ops-464xlat-optimization/?include_text=1
> I suggest, in addition to read the intro, possible optimization and
> problem statement (sections 1, 3, 4), to concentrate in the section
> 5.2, as it seems the best approach, as it doesn't need any change in
> the operators neither CDNs/caches, infrastructures. Only requires an
> internal CPE "coordination" between the CLAT/NAT and the DNS proxy.

Hello Jordi!

This does look like an interesting approach.  But I do worry about the
lack of "Security Considerations"...

IIUC, you are adding IPv4 <=> IPv6 protocol translation rules dynamically
based on forward DNS names having both A and AAAA records.  This sounds
very risky to me. There is no way to validate the association between
the A and AAAA records.  All you need to do to redirect traffic destined
for to your evil MITM server at 2001:db8::42 is to create a
FQDN with both addresses and provoke a client to look up that name.  You
have now added a rule mapping to 2001:db8::42.

Dynamic mappings seems impossible to me without some way to validate
that two address records belong to the same entity.  This is hard


openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list