[OpenWrt-Devel] support of IETF v6ops draft draft-ietf-v6ops-464xlat-optimization
bjorn at mork.no
Mon Feb 3 03:59:06 EST 2020
JORDI PALET MARTINEZ via openwrt-devel <openwrt-devel at lists.openwrt.org> writes:
> We are working on a possible optimization to 464XLAT, in order to
> support old IPv4-only devices such as SmartTVs, STBs, etc., with
> 464XLAT, avoiding double translation (CLAT and PLAT) when the contents
> are already dual-stacked in the CDN/caches.
> The document has recently been accepted as v6ops WG item:
> I suggest, in addition to reading the intro, possible optimization and
> problem statement (sections 1, 3, 4), concentrating on section
> 5.2, as it seems the best approach: it doesn't need any change in
> the operators' or the CDNs'/caches' infrastructures. It only requires an
> internal CPE "coordination" between the CLAT/NAT and the DNS proxy.
This does look like an interesting approach. But I do worry about the
lack of "Security Considerations"...
IIUC, you are adding IPv4 <=> IPv6 protocol translation rules dynamically
based on forward DNS names having both A and AAAA records. This sounds
very risky to me. There is no way to validate the association between
the A and AAAA records. All you need to do to redirect traffic destined
for 192.0.2.42 to your evil MITM server at 2001:db8::42 is to create a
FQDN with both addresses and provoke a client to look up that name. You
have now added a rule mapping 192.0.2.42 to 2001:db8::42.
Dynamic mappings seem impossible to me without some way to validate
that two address records belong to the same entity. This is hard
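The following is an added illustration of the mapping table the reply describes; it is not code from the draft, from OpenWrt or from either poster. It models a CPE DNS proxy that installs a CLAT bypass rule whenever an answer carries both an A and an AAAA record, and runs the exact sequence in the reply: one name publishes a legitimate pair, then an unrelated name publishes the same A record with a different AAAA. The naive table silently re-points the IPv4 address. A second table shows the one check a CPE can do on its own without external validation: refuse to replace a live rule with a conflicting one and record the attempt, with every rule expiring with the DNS TTL. All names, addresses (documentation prefixes) and class/method names here are constructed for the example.

```python
"""Model of a CPE DNS proxy / CLAT "coordination" table (added example, not
code from the draft or from OpenWrt).  Names and addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Mapping:
    v6: ipaddress.IPv6Address
    learned_from: str   # FQDN whose answer installed the rule
    expires: float      # absolute time; bound to the DNS TTL of the answer


class NaiveBypassTable:
    """Section-5.2 style behaviour: any answer carrying both an A and an AAAA
    record installs a rule, silently overwriting whatever was there before."""

    def __init__(self):
        self.rules = {}

    def learn(self, name, a, aaaa, ttl, now):
        v4 = ipaddress.IPv4Address(a)
        self.rules[v4] = Mapping(ipaddress.IPv6Address(aaaa), name, now + ttl)
        return True

    def lookup(self, a, now):
        """IPv6 destination to send a packet for this IPv4 address to, or None
        when the packet must take the normal CLAT+PLAT path."""
        m = self.rules.get(ipaddress.IPv4Address(a))
        if m is None or m.expires <= now:
            return None
        return m.v6


class ConflictCheckingBypassTable(NaiveBypassTable):
    """Same table, but a live rule for an IPv4 address is never replaced by a
    different IPv6 address learned from another name; the attempt is logged.
    This only detects the collision; it cannot tell which pair is genuine."""

    def __init__(self):
        super().__init__()
        self.conflicts = []   # (new name, v4, new v6, existing name, existing v6)

    def learn(self, name, a, aaaa, ttl, now):
        v4 = ipaddress.IPv4Address(a)
        v6 = ipaddress.IPv6Address(aaaa)
        current = self.rules.get(v4)
        if current is not None and current.expires > now and current.v6 != v6:
            self.conflicts.append((name, str(v4), str(v6),
                                   current.learned_from, str(current.v6)))
            return False
        self.rules[v4] = Mapping(v6, name, now + ttl)
        return True


def scenario(table):
    """Constructed sequence from the reply: a genuine dual-stacked name, then an
    unrelated name publishing the same A record with a different AAAA.
    Returns (mapping while rules are live, mapping after the TTL has run out)."""
    t0 = 1000.0
    table.learn("cdn.example", "192.0.2.42", "2001:db8:1::42", ttl=300, now=t0)
    table.learn("other.example", "192.0.2.42", "2001:db8:2::1", ttl=300, now=t0 + 10)
    live = table.lookup("192.0.2.42", now=t0 + 20)
    expired = table.lookup("192.0.2.42", now=t0 + 400)
    return str(live), expired


if __name__ == "__main__":
    for cls in (NaiveBypassTable, ConflictCheckingBypassTable):
        t = cls()
        live, expired = scenario(t)
        print(f"{cls.__name__}: 192.0.2.42 -> {live} | after TTL: {expired} "
              f"| conflicts: {getattr(t, 'conflicts', [])}")
```

With the naive table the second answer wins, so traffic for 192.0.2.42 now leaves the CPE for 2001:db8:2::1, which is the redirection the reply warns about. The conflict-checking table keeps 2001:db8:1::42 and records the collision, but only because the genuine pair was learned first; if the order were reversed it would just as faithfully protect the wrong rule. That is why conflict detection and TTL scoping are at best a detection aid, and why the reply's point stands: without an external way to validate that the A and AAAA records belong to the same entity, the dynamic mapping cannot be trusted.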