MIF/MPVD using reverse DNS (and special purpose prefixes)
Steven Barth <cyrus@openwrt.org> Thu, 15 October 2015 12:45 UTC
Return-Path: <cyrus@openwrt.org>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 229DB1B3127 for <ipv6@ietfa.amsl.com>; Thu, 15 Oct 2015 05:45:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.549
X-Spam-Level:
X-Spam-Status: No, score=-1.549 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, SPF_FAIL=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VnKrDFVsO5_c for <ipv6@ietfa.amsl.com>; Thu, 15 Oct 2015 05:45:30 -0700 (PDT)
Received: from mail.core-networks.de (mail.core-networks.de [IPv6:2001:1bc0:d::4:9]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A03F1B312A for <ipv6@ietf.org>; Thu, 15 Oct 2015 05:45:30 -0700 (PDT)
Received: from localhost ([127.0.0.1]) by mail.core-networks.de id 1ZmhuR-0006hN-8k with ESMTPSA (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) for ; Thu, 15 Oct 2015 14:45:27 +0200
Subject: MIF/MPVD using reverse DNS (and special purpose prefixes)
To: ipv6@ietf.org
References: <20151015111134.31835.34636.idtracker@ietfa.amsl.com>
From: Steven Barth <cyrus@openwrt.org>
Message-ID: <561F9FE6.7050404@openwrt.org>
Date: Thu, 15 Oct 2015 14:45:26 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:40.0) Gecko/20100101 Icedove/40.0
MIME-Version: 1.0
In-Reply-To: <20151015111134.31835.34636.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/5ZF3ubnlcQ5lb0AlZt8OO9jCG30>
Cc: Markus Stenberg <markus.stenberg@iki.fi>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Oct 2015 12:45:32 -0000
Hey everyone, Markus and I have been thinking about an alternative solution to do multiple interfaces / multiple provisioning domains. Contrary to previous solutions, this one only defines one additional (and even optional) flag to RAs and keeps the actual information out-of-band. This draft has some implications wrt. host behavior and multi-homing so we are x-posting this here. Let us know if you have any comments and if there is general interest we could request a slot as well. Draft: https://datatracker.ietf.org/doc/draft-stenberg-mif-mpvd-dns/ Abstract & comparison to previous MIF approaches below. Cheers, Steven & Markus Abstract This document describes a mechanism to transmit and secure provisioning domain information for IPv6 and IPv4 addresses by using reverse DNS resolution. In addition it specifies backwards- compatible extensions to IPv6 host configuration to support special- purpose global IPv6 prefixes which can only be used to access certain isolated services. The authors consider pros of this proposal to be: o No overhead for hosts that do not care (possibly most; no spurious RA options, ...) o No problems with relaying data; if the first-hop device does not care, DNS requests propagate onward. o Little/no changes to DHCP, DHCPv6, DHCPv6-PD or RA. o Much more scalable; no worries about multicast packet size limits. o No duplication of specifications / TLVs for DHCP, DHCPv6 and RA. o Solves m:n prefix <-> PVD elegantly: no need to either duplicate applying prefix for each PVD or duplicate each PVD for each applying prefix. o Easily extensible (TXT records, no TLV definitions, parsing and generation necessary) o Probably not affected by IPR on draft-ietf-mif-mpvd-dhcp-support o Reuses the existing reverse DNS infrastructure The authors consider cons of this proposal to be: o This scheme requires DNS servers 'close' on the path to the user, if changed information is to be sent; otherwise centralized solution would work (with some synthesized records). o Security using either DNSSEC or in-band hashes is rather painful (but possibly not more than the scheme in the current DHCP/RA drafts), so the default would most likely be insecure. That is not much different from DHCP*/RA, which are also 99.999...% of the time not secured.
- MIF/MPVD using reverse DNS (and special purpose p… Steven Barth