[AusNOG] Telstra IPv6 Wireless Enablement - IPv6 Single Stack

Mark Andrews marka at isc.org
Fri Feb 7 10:38:38 EST 2020


The real problem is everyone that thinks “I can wait to deploy IPv6”, “IPv6 is not my problem, I have more than enough IPv4 addresses for my future needs”.  Guess what: it doesn’t matter how many IPv4 addresses you have if the other person doesn’t have enough.  This is Telstra saying to the world.  We don’t have enough IPv4 addresses.  We are going to have to deploy a CRAPPY transition mechanism to talk to the laggards in the world who haven’t deployed IPv6.

No one deploys DNS64 and NAT64 because they want to.  They deploy it because they have to.  It works if everything follows the model network it was designed to be used in.  Step outside that network model and it breaks badly.

If we were a smart country, *every* ISP in the country would be offering IPv6 to *every* customer today.
If we were a smart country, *every* business would be using IPv6 to talk to their customers.
If we were a smart country, there would be a ban on selling new IPv4-only equipment.

Mark

> On 7 Feb 2020, at 06:52, Pete Mundy <pete at fiberphone.co.nz> wrote:
> 
> 
> Bugger! And what to do then when the user loses control over what they're using... i.e. the shift of DNS out of the local-admin's (and even OS') control and directly into the apps, via DoH and QUIC ([1]).
> 
> What a dog's breakfast :(
> 
> Pete
> 
> [1] https://youtu.be/4xGxotBk8AM?t=8727
> 
> 
>> On 6/02/2020, at 6:28 PM, Mark Andrews <marka at isc.org> wrote:
>> 
>> Telstra need to be at least intercepting queries for ipv4only.arpa/AAAA to allow CLATs to discover the NAT64 prefix.
>> 
>> Note that doesn’t work if you are using DoH, DoT, TSIG or any other cryptographic mechanism to protect your DNS queries.  It also doesn’t work if you are using DNSSEC to verify the answers as IANA decided to sign ipv4only.arpa.
>> 
>>> On 6 Feb 2020, at 16:03, Peter Tonoli <peter+ausnog at metaverse.org> wrote:
>>> Is there a higher chance of brokenness when users choose to use other DNS services (i.e. Cloudflare / DoH), apart from Telstra, due to the lack of WKP in the response from those providers?
>>> 
>>> On 6/2/20 3:27 pm, Russell Langton wrote:
>>>> - If Alice is connecting to a website with only an A DNS record, our DNS will spoof the website address with a Well Known Prefix (WKP) so it routes to the NAT64 gateway 
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
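
The NAT64 prefix discovery and DNS64 synthesis discussed in this thread, as an added example that is not part of the original messages: it recovers the prefix from AAAA answers for ipv4only.arpa (RFC 7050) and embeds an IPv4 address in it (RFC 6052). The function names and the sample answers are assumptions constructed for illustration; an empty answer set stands for a resolver that performs no DNS64 synthesis.

```python
import ipaddress

# RFC 7050 well-known IPv4 addresses published in the A records of ipv4only.arpa
WELL_KNOWN_V4 = {ipaddress.IPv4Address("192.0.0.170"),
                 ipaddress.IPv4Address("192.0.0.171")}
# RFC 6052 permitted NAT64 prefix lengths
PREFIX_LENGTHS = (96, 64, 56, 48, 40, 32)

def v4_positions(plen):
    """Byte offsets that carry the IPv4 address; byte 8 (the 'u' octet) is skipped."""
    return [i for i in range(plen // 8, 16) if i != 8][:4]

def extract_v4(addr6, plen):
    """Read the IPv4 address embedded in addr6, assuming a prefix of length plen."""
    raw = addr6.packed
    return ipaddress.IPv4Address(bytes(raw[i] for i in v4_positions(plen)))

def discover_prefix(aaaa_answers):
    """Return the NAT64 prefix implied by AAAA answers for ipv4only.arpa, or None."""
    for text in aaaa_answers:
        addr6 = ipaddress.IPv6Address(text)
        for plen in PREFIX_LENGTHS:
            if extract_v4(addr6, plen) in WELL_KNOWN_V4:
                head = addr6.packed[:plen // 8]
                return ipaddress.IPv6Network((head + bytes(16 - len(head)), plen))
    return None  # no synthesized AAAA seen, so the prefix stays unknown

def synthesize(prefix, v4_text):
    """Build the IPv6 address a DNS64 would return for an A-only name."""
    raw = bytearray(prefix.network_address.packed)
    for pos, octet in zip(v4_positions(prefix.prefixlen),
                          ipaddress.IPv4Address(v4_text).packed):
        raw[pos] = octet
    return ipaddress.IPv6Address(bytes(raw))

# Constructed sample AAAA answers for ipv4only.arpa (not captured traffic)
WKP_ANSWERS = ["64:ff9b::c000:aa", "64:ff9b::c000:ab"]   # Well Known Prefix
NSP_ANSWERS = ["2001:db8:122:344:c0:0:aa00:0"]           # network-specific /64
NO_DNS64_ANSWERS = []                                    # resolver without DNS64

if __name__ == "__main__":
    for answers in (WKP_ANSWERS, NSP_ANSWERS, NO_DNS64_ANSWERS):
        prefix = discover_prefix(answers)
        mapped = synthesize(prefix, "192.0.2.33") if prefix else None
        print(prefix, mapped)
```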


