[dnsop] Issues with draft-ietf-dnsop-ipv6-dns-configuration-04.txt
Iljitsch van Beijnum <iljitsch@muada.com> Wed, 13 October 2004 10:53 UTC
Received: from darkwing.uoregon.edu (root@darkwing.uoregon.edu [128.223.142.13]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA11545 for <dnsop-archive@lists.ietf.org>; Wed, 13 Oct 2004 06:53:03 -0400 (EDT)
Received: from darkwing.uoregon.edu (majordom@localhost [127.0.0.1]) by darkwing.uoregon.edu (8.12.11/8.12.11) with ESMTP id i9D8jRAQ017140; Wed, 13 Oct 2004 01:45:27 -0700 (PDT)
Received: (from majordom@localhost) by darkwing.uoregon.edu (8.12.11/8.12.11/Submit) id i9D8jRRD017137; Wed, 13 Oct 2004 01:45:27 -0700 (PDT)
Received: from sequoia.muada.com (sequoia.muada.com [83.149.65.1]) by darkwing.uoregon.edu (8.12.11/8.12.11) with ESMTP id i9D8jPAt017116 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NOT) for <dnsop@lists.uoregon.edu>; Wed, 13 Oct 2004 01:45:26 -0700 (PDT)
Received: from [127.0.0.1] (sequoia.muada.com [83.149.65.1]) by sequoia.muada.com (8.12.10/8.12.10) with ESMTP id i9D8j8Lm059808; Wed, 13 Oct 2004 10:45:09 +0200 (CEST) (envelope-from iljitsch@muada.com)
In-Reply-To: <1C26C4BD-1C40-11D9-A17D-000A95CD987A@muada.com>
References: <20040930123627.GB29431@1-4-5.net> <1C26C4BD-1C40-11D9-A17D-000A95CD987A@muada.com>
Mime-Version: 1.0 (Apple Message framework v619)
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Message-Id: <3447371C-1CF4-11D9-A17D-000A95CD987A@muada.com>
Content-Transfer-Encoding: 7bit
Cc: dnsop@lists.uoregon.edu
From: Iljitsch van Beijnum <iljitsch@muada.com>
Subject: [dnsop] Issues with draft-ietf-dnsop-ipv6-dns-configuration-04.txt
Date: Wed, 13 Oct 2004 10:45:15 +0200
To: iesg@ietf.org
X-Mailer: Apple Mail (2.619)
Sender: owner-dnsop@lists.uoregon.edu
Precedence: bulk
Reply-To: Iljitsch van Beijnum <iljitsch@muada.com>
Content-Transfer-Encoding: 7bit
Dear IESG, As the dnsop wg chairs have decided against another iteration on draft-ietf-dnsop-ipv6-dns-configuration-04.txt, I'm taking them up on their suggestion to send any remaining gripes directly to the IESG (with a cc to the wg list). This message is mostly the same as one I posted to the wg list yesterday. See that one for an additional list of smaller nits. First a side issue. Under the ND approach there are remarks about multicast difficulties in wireless environments. There is some additional talk about multicast in wireless environments in an appendix, but this discussion doesn't capture the real-world complexities that exist here (and that DHCP also uses multicast but the issue is very different there). The pertinent information has been discussed on the list so including it shouldn't be too hard, or maybe a spin-off informational RFC would be appropriate. Also note that there isn't much of a real-world issue: ARP in IPv4 also works, while it suffers from the same broadcast/multicast problems as IPv6 neighbor discovery. More to the point, two very important issues are missing. The first is that we are living in 2004. If this were 2001, we could simply identify the best approach and standardize it. However, IPv6 is already widely implemented in hosts and deployment is growing. The lack of a recursive resolver configuration mechanism is felt every day. If we select an approach that needs considerable implementation effort, it can be as much as two years before this approach is actually available to users. The worst choice in this regard would be the RA approach. While in itself this is a very good approach, it suffers from the fact that both routers and hosts must support it before it can be used. Implementation cycles vary widely throughout the industry, but it's safe to say that anyone who doesn't use both routers AND hosts with the shortest implementation cycle will have to wait at least until 2006 before an RA approach could conceivably be available. The DHCP approach has the advantage that it can be implemented on special purpose servers rather than having to be implemented in routers. Some systems use a very simple mechanism to configure recursive resolver addresses, and on those systems it's very easy to add a userland DHCP client daemon that handles this task. However, on widely used systems such as Windows and MacOS X reconfiguring recursive resolvers isn't something that can be easily done by a userland program. Realistically, users will have to wait until Microsoft or Apple bundle support for DHCPv6 in their products. Again, this is likely to take a significant amount of time. The well-known address approach on the other hand, can be deployed pretty much immediately. The only thing that's needed is for IANA to register a set of addresses and within weeks these addresses would be usable by any IPv6 implementation that supports DNS queries over IPv6 transport. The second issue is security. One thing that bothers me about a DHCP-only approach is that it requires networks that have otherwise no interest in DHCPv6 to run DHCPv6 servers and clients. Past experience shows that complex UDP-based protocols are often implemented insecurely. So an approach that doesn't require additional protocols would be preferable from a security standpoint. (And from management and debugging standpoints as well.) Both DHCPv6 and RA have an inherent security problem because the host is supposed to trust information that comes in from unknown sources. This makes it very easy for an on-link attacker to present itself as a legitimate DHCP server or router and provide clandestine configuration information. I believe efforts are underway to remedy this situation, but again, it will be some time before most clients will be able to use these new mechanisms in practice. In the mean time having recursive resolver information be available over insecure DHCP or RA means that attackers gain an additional attack vector. (And heavy crypto doesn't exactly go hand in hand with autoconfiguration, it remains to be seen how well this is going to work in practice for nomadic users.) Last but not least, not about the draft but about the decision that needs to be made: it worries me that this issue hasn't been resolved earlier. I believe one of the main reasons for this is that the DHCP proponents are blocking consensus on the other approaches in order to arrive at the situation where everyone implements DHCP and the issue becomes moot. Note that there are several IPR claims on parts of DHCP that may or may not apply here, adding insult to injury for those who don't want to run DHCP in the first place. The only way to overcome this abuse of the IETF process is for the IESG to recognize the lack of consensus and decide on the issue itself. Iljitsch van Beijnum . dnsop resources:_____________________________________________________ web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
- [dnsop] new WGLC on "IPv6 Host Configuration of D… David Meyer
- Re: [dnsop] new WGLC on "IPv6 Host Configuration … Iljitsch van Beijnum
- Re: [dnsop] new WGLC on "IPv6 Host Configuration … Masataka Ohta
- Re: [dnsop] new WGLC on "IPv6 Host Configuration … Francis Dupont
- Re: [dnsop] new WGLC on "IPv6 Host Configuration … Iljitsch van Beijnum
- Re: [dnsop] new WGLC on "IPv6 Host Configuration … Iljitsch van Beijnum
- Re: [dnsop] new WGLC on "IPv6 Host Configuration … Masataka Ohta
- Re: [dnsop] new WGLC on "IPv6 Host Configuration … Francis Dupont
- [dnsop] Re: new WGLC on "IPv6 Host Configuration … David Meyer
- Re: [dnsop] Re: new WGLC on "IPv6 Host Configurat… Iljitsch van Beijnum
- [dnsop] Issues with draft-ietf-dnsop-ipv6-dns-con… Iljitsch van Beijnum