Private Network Access breaks NAT64

WICG / private-network-access

https://wicg.github.io/private-network-access/

Other

55 stars 22 forks source link

Private Network Access breaks NAT64 #50

Closed DavidSchinazi closed 3 years ago

DavidSchinazi commented 3 years ago

NAT64 and DNS64 (see RFC 6146 and RFC 6147) are widely deployed mechanisms that allows network operators to only provide IPv6 capabilities to end devices while still allowing them to access the IPv4 Internet. For example, they are used by T-Mobile in the United States and many other cellular carriers worldwide. The way they work is by translating specific IPv6 addresses to IPv4 addresses. The network operator can choose to deploy them with a custom prefix of their choosing, or they can use the prefix 64:ff9b:1::/48 which has been reserved with IANA. The current Private Network Access specification states:

If address belongs to an address block for which the Globally Reachable bit is set to False in the relevant IANA registry, then return private.

This would prevent the Web from accessing the IPv4 Internet using this prefix, because that prefix is marked as not Globally Reachable.

DavidSchinazi commented 3 years ago

More generally, I think that using the Globally Reachable bit will lead to issues as it wasn't meant for this purpose. I would suggest reducing the scope of this proposal to IP address ranges that are most commonly used such as RFC 1918 space.

sleevi commented 3 years ago

See also #47 , #48 , #36 , and more relevant to where this text came from: #30

@DavidSchinazi Could you explain your concern further? The issue is not what the client's IP is, but what it resolves the service to. Are you saying that in order for NAT64 to succeed, it must bypass all DNS security (both DNSSEC and the fact of "authoritative DNS")? The client having a NAT64 address doesn't create issues here.

DavidSchinazi commented 3 years ago

@sleevi I'm referring to the server's address received in the AAAA record for "server.example.org". That's the one that can land in 64:ff9b:1::/48. I'm not referring to the client's address.

Yes, DNS64 breaks DNSSEC (and always has). I might have helped write some text about it :)

letitz commented 3 years ago

That's unfortunate. We can certainly rethink the use of the IANA registry for this. It had the nice property of being self-updating wrt additions to the registry, but if the globally-reachable bit fails to approximate our needs then it might do more harm than good.

Here's an attempt to define a more conservative classification (largely reverting to the state pre-#30):

IPv6:

::1/128 - loopback: local
::ffff:0:0/96 - IPv4-mapped Address: see mapped IPv4 address
fc00::/7 - Unique-Local: private
fe80::/10 - Link-local unicast: private

IPv4:

10.0.0.0/8 - Private use: private
127.0.0.0/8 - loopback: local
169.254.0.0/16 - link-local: private
172.16.0.0/12 - Private use: private
192.168.0.0/16 - Private use: private

All IP addresses that do not belong to one of the above subnets are public.

How does that sound?

DavidSchinazi commented 3 years ago

I think that you've found the right balance, this should provide almost equal security while significantly lowering the risk of breakage.

annevk commented 3 years ago

Let's add a note when this is fixed/reverted as to why "Globally Reachable" is not used.