--- 1/draft-ietf-opsec-ipv6-implications-on-ipv4-nets-06.txt	2013-12-09 15:00:22.255579792 -0800
+++ 2/draft-ietf-opsec-ipv6-implications-on-ipv4-nets-07.txt	2013-12-09 15:00:22.295580609 -0800
@@ -1,19 +1,19 @@
 
 opsec wg                                                         F. Gont
 Internet-Draft                                      SI6 Networks/UTN-FRH
 Intended status: Informational                                    W. Liu
-Expires: May 30, 2014                                Huawei Technologies
-                                                       November 26, 2013
+Expires: June 9, 2014                                Huawei Technologies
+                                                        December 6, 2013
 
              Security Implications of IPv6 on IPv4 Networks
-           draft-ietf-opsec-ipv6-implications-on-ipv4-nets-06
+           draft-ietf-opsec-ipv6-implications-on-ipv4-nets-07
 
 Abstract
 
    This document discusses the security implications of native IPv6
    support and IPv6 transition/co-existence technologies on "IPv4-only"
    networks, and describes possible mitigations for the aforementioned
    issues.
 
 Status of This Memo
 
@@ -23,21 +23,21 @@
    Internet-Drafts are working documents of the Internet Engineering
    Task Force (IETF).  Note that other groups may also distribute
    working documents as Internet-Drafts.  The list of current Internet-
    Drafts is at http://datatracker.ietf.org/drafts/current/.
 
    Internet-Drafts are draft documents valid for a maximum of six months
    and may be updated, replaced, or obsoleted by other documents at any
    time.  It is inappropriate to use Internet-Drafts as reference
    material or to cite them other than as "work in progress."
 
-   This Internet-Draft will expire on May 30, 2014.
+   This Internet-Draft will expire on June 9, 2014.
 
 Copyright Notice
 
    Copyright (c) 2013 IETF Trust and the persons identified as the
    document authors.  All rights reserved.
 
    This document is subject to BCP 78 and the IETF Trust's Legal
    Provisions Relating to IETF Documents
    (http://trustee.ietf.org/license-info) in effect on the date of
    publication of this document.  Please review these documents
@@ -55,28 +55,28 @@
    3.  Security Implications of Tunneling Mechanisms . . . . . . . .   5
      3.1.  Filtering 6in4  . . . . . . . . . . . . . . . . . . . . .   6
      3.2.  Filtering 6over4  . . . . . . . . . . . . . . . . . . . .   7
      3.3.  Filtering 6rd . . . . . . . . . . . . . . . . . . . . . .   7
      3.4.  Filtering 6to4  . . . . . . . . . . . . . . . . . . . . .   7
      3.5.  Filtering ISATAP  . . . . . . . . . . . . . . . . . . . .   9
      3.6.  Filtering Teredo  . . . . . . . . . . . . . . . . . . . .   9
      3.7.  Filtering Tunnel Broker with Tunnel Setup Protocol (TSP)   11
      3.8.  Filtering AYIYA . . . . . . . . . . . . . . . . . . . . .  11
    4.  Additional Considerations when Filtering IPv6 Traffic . . . .  11
-   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  12
-   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  12
+   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  13
+   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  13
    7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  13
    8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  13
      8.1.  Normative References  . . . . . . . . . . . . . . . . . .  13
      8.2.  Informative References  . . . . . . . . . . . . . . . . .  14
    Appendix A.  Summary of filtering rules . . . . . . . . . . . . .  17
-   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  17
+   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  18
 
 1.  Introduction
 
    Most general-purpose operating systems implement and enable native
    IPv6 [RFC2460] support and a number of transition/co-existence
    technologies by default.  Support of IPv6 by all nodes is intended to
    become best current practice [RFC6540].  Some enterprise networks
    might, however, choose to delay active use of IPv6.
 
    This document describes operational practices for enterprise networks
@@ -537,20 +537,27 @@
    traversing their devices should consider configuring their local
    recursive DNS servers to respond to queries for AAAA DNS records with
    a DNS RCODE of 0 (NOERROR) [RFC1035] or to silently ignore such
    queries, and should even consider filtering AAAA records at the
    network ingress point to prevent the internal hosts from attempting
    their own DNS resolution.  This will ensure that hosts which are on
    an IPv4-only network will only receive DNS A records, and they will
    be unlikely to attempt to use (likely broken) IPv6 connectivity to
    reach their desired destinations.
 
+   We note that in scenarios where DNSsec [RFC4033] is deployed,
+   stripping AAAA records from DNS responses would lead to DNS responses
+   elicited by queries with the DO and CD bits set [RFC4035] to be
+   considered invalid, and hence discarded.  This situation is similar
+   to that of DNS64 [RFC6147] in the presence of DNSsec and should be
+   considered a drawback associated with this approach.
+
    Additionally, it should be noted that when filtering IPv6 traffic, it
    is good practice to signal the packet drop to the source node, such
    that it is able to react to the packet drop in a more appropriate and
    timely way.
 
       For example, a firewall could signal the packet drop by means of
       an ICMPv6 error message (or TCP [RFC0793] RST segment if
       appropriate), such that the source node can e.g. quickly react as
       described in [RFC5461].
 
@@ -607,20 +614,28 @@
 
    [RFC3053]  Durand, A., Fasano, P., Guardini, I., and D. Lento, "IPv6
               Tunnel Broker", RFC 3053, January 2001.
 
    [RFC3056]  Carpenter, B. and K. Moore, "Connection of IPv6 Domains
               via IPv4 Clouds", RFC 3056, February 2001.
 
    [RFC3068]  Huitema, C., "An Anycast Prefix for 6to4 Relay Routers",
               RFC 3068, June 2001.
 
+   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "DNS Security Introduction and Requirements", RFC
+              4033, March 2005.
+
+   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
+              Rose, "Protocol Modifications for the DNS Security
+              Extensions", RFC 4035, March 2005.
+
    [RFC4380]  Huitema, C., "Teredo: Tunneling IPv6 over UDP through
               Network Address Translations (NATs)", RFC 4380, February
               2006.
 
    [RFC4795]  Aboba, B., Thaler, D., and L. Esibov, "Link-local
               Multicast Name Resolution (LLMNR)", RFC 4795, January
               2007.
 
    [RFC5214]  Templin, F., Gleeson, T., and D. Thaler, "Intra-Site
               Automatic Tunnel Addressing Protocol (ISATAP)", RFC 5214,
@@ -629,20 +644,25 @@
    [RFC5569]  Despres, R., "IPv6 Rapid Deployment on IPv4
               Infrastructures (6rd)", RFC 5569, January 2010.
 
    [RFC5969]  Townsley, W. and O. Troan, "IPv6 Rapid Deployment on IPv4
               Infrastructures (6rd) -- Protocol Specification", RFC
               5969, August 2010.
 
    [RFC5572]  Blanchet, M. and F. Parent, "IPv6 Tunnel Broker with the
               Tunnel Setup Protocol (TSP)", RFC 5572, February 2010.
 
+   [RFC6147]  Bagnulo, M., Sullivan, A., Matthews, P., and I. van
+              Beijnum, "DNS64: DNS Extensions for Network Address
+              Translation from IPv6 Clients to IPv4 Servers", RFC 6147,
+              April 2011.
+
 8.2.  Informative References
 
    [RFC0793]  Postel, J., "Transmission Control Protocol", STD 7, RFC
               793, September 1981.
 
    [RFC2663]  Srisuresh, P. and M. Holdrege, "IP Network Address
               Translator (NAT) Terminology and Considerations", RFC
               2663, August 1999.
 
    [RFC3756]  Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor