Re: [Gen-art] Gen-ART review of draft-huston-6to4-reverse-dns-07.txt

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 18 July 2007 07:45 UTC

Message-ID: <469DC50E.4060302@gmail.com>
Date: Wed, 18 Jul 2007 09:45:18 +0200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
To: Black_David@emc.com
Subject: Re: [Gen-art] Gen-ART review of draft-huston-6to4-reverse-dns-07.txt
References: <F222151D3323874393F83102D614E0550A4D2322@CORPUSMX20A.corp.emc.com>
In-Reply-To: <F222151D3323874393F83102D614E0550A4D2322@CORPUSMX20A.corp.emc.com>
Cc: pk@DENIC.DE, rbonica@juniper.net, gen-art@ietf.org, gih@apnic.net

On 2007-07-17 20:06, Black_David@emc.com wrote:
...
> The draft is in generally good shape, but I think the first
> two potential issues noted in Section 4 Delegation Administration
> need further attention:
> 
>    o  Clients inside a 6to4 site could alter the delegation details
>       without the knowledge of the site administrator.  It is noted that
>       this is intended for small-scale sites.  Where there are potential
>       issues of unauthorized access to this delegation function the
>       local site administrator could take appropriate access control
>       measures.
> 
> Independent of intent, this will get used for larger scale sites.
> Some form of prefix control exercisable by the site administrator
> would be a good idea.  This may not be possible in all cases as
> details of provider address allocation aren't always available
> beyond the address block allocated by the registry, but the topic
> needs some more thought.  Failing that, this is a v6 firewall
> configuration issue, and the need for a firewall to support this
> for administratively-controlled multi-address sites should be
> called out in the Security Considerations section.

It doesn't seem hard - it means that access to https://6to4.nro.net
has to be controlled, and there are many firewalls intrusive
enough to do that.

> 
>    o  IPv4 DHCP-based 6to4 sites, or any 6to4 site that uses
>       dynamically-assigned external IPv4 interface addresses, could
>       inherit nonsense reverse entries created by previous users of the
>       dynamically assigned address.  In this case the client site could
>       request delegation of the reverse zone as required.
> 
> This is an invitation to serious problems.  There ought to be a
> way in the service to add a delegation expiration time when a
> delegation is requested (e.g., a slightly smart piece of client
> software could then put in the DHCP lease expiration time and
> update the delegation when renewing the DHCP lease).  Inheriting
> someone else's reverse DNS delegation because DHCP re-allocated
> the IP address is not what I would consider expected behavior.
> 

No, but the combination of 6to4 in site mode with a single
dynamically assigned IPv4 address for a whole site seems a little
outside the parameters 6to4 was designed for. Remember that a 6to4
site also has to establish an ongoing relationship with a 6to4 relay
router. I don't think a model where all that has to be re-done
after a power cut or an ISP glitch is very plausible. Rather than
adding a lifetime mechanism, why not make this a SHOULD NOT?
(i.e. If reverse delegation is needed the site SHOULD NOT use
a non-fixed IPv4ADDR for 6to4.)

      Brian


