IETF Logo Mail Archive

Re: [dnsop] WGLC for draft-huston-6to4-reverse-dns-04.txt

Pekka Savola <pekkas@netcore.fi> Mon, 20 March 2006 02:03 UTC

Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FL9k8-0000gu-Ga for dnsop-archive@lists.ietf.org; Sun, 19 Mar 2006 21:03:36 -0500
Received: from mailapps.uoregon.edu ([128.223.142.45]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FL9k8-0004YN-1t for dnsop-archive@lists.ietf.org; Sun, 19 Mar 2006 21:03:36 -0500
Received: from mailapps.uoregon.edu (IDENT:U2FsdGVkX1/vLBz+C978Jru88LzDSCN/+lF59JhfVks@localhost [127.0.0.1]) by mailapps.uoregon.edu (8.13.5/8.13.5) with ESMTP id k2K1O7cA008314; Sun, 19 Mar 2006 17:24:07 -0800
Received: (from majordom@localhost) by mailapps.uoregon.edu (8.13.5/8.13.5/Submit) id k2K1O6sc008313; Sun, 19 Mar 2006 17:24:06 -0800
Received: from netcore.fi (netcore.fi [193.94.160.1]) by mailapps.uoregon.edu (8.13.5/8.13.5) with ESMTP id k2K1O5Fd008308 for <dnsop@lists.uoregon.edu>; Sun, 19 Mar 2006 17:24:06 -0800
Received: from netcore.fi (localhost [127.0.0.1]) by netcore.fi (8.12.8/8.12.8) with ESMTP id k2K1O1Ha008429; Mon, 20 Mar 2006 03:24:02 +0200
Received: from localhost (pekkas@localhost) by netcore.fi (8.12.8/8.12.8/Submit) with ESMTP id k2K1O1DU008426; Mon, 20 Mar 2006 03:24:01 +0200
Date: Mon, 20 Mar 2006 03:24:01 +0200
From: Pekka Savola <pekkas@netcore.fi>
To: Peter Koch <pk@denic.de>
cc: IETF DNSOP WG <dnsop@lists.uoregon.edu>
Subject: Re: [dnsop] WGLC for draft-huston-6to4-reverse-dns-04.txt
In-Reply-To: <20060309193624.GF1164@unknown.office.denic.de>
Message-ID: <Pine.LNX.4.64.0603200318220.7448@netcore.fi>
References: <20060309193624.GF1164@unknown.office.denic.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-Virus-Scanned: ClamAV 0.88/1342/Sun Mar 19 13:40:32 2006 on mailapps
X-Virus-Scanned: ClamAV 0.88/1338/Sun Mar 19 02:04:12 2006 on otso.netcore.fi
X-Virus-Status: Clean
X-Spam-Status: No, score=-2.8 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_20 autolearn=ham version=3.1.0
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on otso.netcore.fi
Sender: owner-dnsop@lists.uoregon.edu
Precedence: bulk
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 5d7a7e767f20255fce80fa0b77fb2433

On Thu, 9 Mar 2006, Peter Koch wrote:
> Please send comments and statements of support or objection to the
> WG mailing list. We'd like to ask for at least five substantive reviews.

I support the spec.

I have three bigger issues with the doc, described below but easily 
fixable, as well as a couple of editorial comments.

1) "password-based authentication deployed but not documented"
2) "is it OK to have all the DNS servers at the 6to4 site?"
3) "ability for upstream to block 6to4 delegations is inappropriate"

In addition, there is more of a meta-question raised by Mark Andrews. 
In my opinion, the real issue is whether the whether this solves the 
problem for sufficiently large/interesting subset of 6to4 users or 
whether we need something else instead or in addition.

substantial
-----------

1) "password-based authentication deployed but not documented"

    The delegation system is proposed to be self-driven by clients
    residing within 6to4 networks.  The server's delegation function is
    proposed to be accessible only by clients using 6to4 IPv6 source
    addresses, and the only delegation that can be managed is that
    corresponding to the /48 prefix of the IPv6 source address of the
    client.

==> the latter sentence does not match the service as implemented today. 
It's possible to access the delegation function by optional password
authentication. I'd suggest one of the following, with personal bias towards
either of the first two:

  a) describe the auth service as well (I'd like security folks review it),
  b) remove the auth service from the implementation, or
  c) massage the text a bit so that it doesn't imply normativeness ("..
additional authentication methods may be used as necessary..")

2) "is it OK to have all the DNS servers at the 6to4 site?"

  The delegation servers are
    checked by the delegation manager to ensure that they are responding,
    that they are configured consistently and are authoritative for the
    delegated domain.

(also a bit later..)

==> is it OK that all the auth servers are under the same 6to4 prefix (but
different IPs)?  This seems something that should probably be checked and
prohibited, as if one server would go down, the other would also likely do
so...

3) "ability for upstream to block 6to4 delegations is inappropriate"

    There may be circumstances with an IPv4 address controller wishes to
    "block" the ability for "children" to use this 6to4 scheme.
    Scenarios that would motivate this concern would include situations
    when the IPv4 provider is also offering an IPv6 service, and native
    IPv6 should be deployed instead of 6to4.  In such circumstances the
    2002 zone operator should allow for such a delegation blocking
    function upon application to the delegation zone operator.

==> I believe this doesn't make sense on various levels.  First of all, the
operators shouldn't be in the business of specifying what their users can or
can't do: if they wish to block 6to4, they can just put in ACL to block
proto-41 (or appropriate portions of it) -- there is nothing needed in the
delegation system to provide additional capabilities for this. 
Additionally, it's perfectly valid scenario to run 6to4 as an optimization
mechanism (see RFC3956 for details), on the side with native addressing. 
This could block reverse DNS delegations in such cases.

In short, the whole paragraph should be removed as unnecessary and even
harmful.



editorial
---------

    domain.  The client is primarily authenticated by it's source address

==> s/it's/its/

    This address structure allows any site that is connected to the IPv4
    Internet the ability to use IPv6 via automatically created IPv6 over
    IPv4 tunnels.

==> "any site" is not accurate as the site is required to have a public v4
address; minor reword..

    The zone files containing the end site delegations are proposed to be
    operated with a TTL (configured to be a time value in the scale of
    hours rather than days or weeks), and updates from delegation
    requests are to be made using incremental DNS updates [RFC2136].

==> it may be worth spelling out that you're talking about DNS updates
between the web interface and authoritative servers; the clients don't
perform any DNS updates.

    o  IPv4 DHCP-based 6to4 sites could inherit nonsense reverse entries
       created by previous users of the DHCP address.  In this case the
       client site could request delegation of the reverse zone as
       required.

==> it may be worth adding a forward pointer to the periodic cleanup check,
which should mitigate this problem a bit.

7.  References

==> rename this to Informative References and maybe put RFC3056 under
normative references.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
.
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html

v2.23.0 | Report a Bug | By Email