Re: [Geopriv] Security considerations for LIS discovery

[Brian Rosen <br@brianrosen.net>]

Sorry, I don't get this.

I certainly understand the customer-of-the-isp issue.

However, at least in my experience, such customers don't want any reference
to their upstream providers in any service.  That means if the customer's
domain is customer.net, they want the lis to be lis.customer.net, and
isp.net has to answer to that name.  If they didn't care, then the DHCP
entry would be allowed to point directly to the ISP (and only one DHCP entry
would need to be changed if the ISP changed)

That is usually pretty straightforward, and ISPs do that.  The LIS would
have multiple credentials and use the appropriate one.

SRVs would have the same issue.  The customer would want the entry in
customer.net's lis SRV to be lis.customer.net, and the DNS resolution of
that would be an address the ISP responds to.

Brian


On 5/25/10 9:57 AM, "Ray Bellis" <Ray.Bellis@nominet.org.uk> wrote:

> On 25/05/2010 14:22, "Brian Rosen" <br@brianrosen.net> wrote:
> 
>> I am struggling a bit in understanding the problem.
>> 
>> Let¹s start with why DHCP returns example.net and UNAPTR leads to
>> lis.example.com.  Why is that not fixable?  What is hard about getting
>> consistency in the domain names?
> 
> An ISP might have N customers for whom they run a LIS, but each of those
> customers has their own domain name.
> 
> For provisioning purposes the customers would rather have the DHCP server
> configured with a name that's under their control, with a NAPTR in their
> (internal?) DNS pointing at their upstream LIS.  The redirection might be
> done directly, or they might use a non-terminal NAPTR pointing at
> "lis.example.net". Then when they change ISP they only need change a single
> DNS entry.
> 
> Also, please note that for the reverse-DNS mechanism proposed in
> draft-thomson-geopriv-res-gw-lis-discovery there's no choice but to use the
> domain name returned in the LIS URI - we certainly couldn't use
> "z.y.x.w.in-addr.arpa".
> 
> Ray
> 
> 
>