Re: [RAM] Renumbering impossibility: TSL/SSL certs, DNS delegation etc.
Robin Whittle <rw@firstpr.com.au> Tue, 07 August 2007 16:00 UTC
Return-path: <ram-bounces@iab.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IIRUL-00075f-Cd; Tue, 07 Aug 2007 12:00:53 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IIRUK-00075L-09 for ram@iab.org; Tue, 07 Aug 2007 12:00:52 -0400
Received: from gair.firstpr.com.au ([150.101.162.123]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IIRUH-00008C-FH for ram@iab.org; Tue, 07 Aug 2007 12:00:51 -0400
Received: from [10.0.0.8] (zita.firstpr.com.au [10.0.0.8]) by gair.firstpr.com.au (Postfix) with ESMTP id B932959E54; Wed, 8 Aug 2007 02:00:46 +1000 (EST)
Message-ID: <46B8971C.3020008@firstpr.com.au>
Date: Wed, 08 Aug 2007 02:00:28 +1000
From: Robin Whittle <rw@firstpr.com.au>
Organization: First Principles
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: ram@iab.org
Subject: Re: [RAM] Renumbering impossibility: TSL/SSL certs, DNS delegation etc.
References: <46B294D6.7070700@firstpr.com.au> <20070803095100.GF69215@Space.Net>
In-Reply-To: <20070803095100.GF69215@Space.Net>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: b5d20af10c334b36874c0264b10f59f1
Cc:
X-BeenThere: ram@iab.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Routing and Addressing Mailing List <ram.iab.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ram>, <mailto:ram-request@iab.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/ram>
List-Post: <mailto:ram@iab.org>
List-Help: <mailto:ram-request@iab.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ram>, <mailto:ram-request@iab.org?subject=subscribe>
Errors-To: ram-bounces@iab.org
I was wrong to assume that TLS/SSL certificates necessarily involved IP addresses. I understand they can bind hostnames too. I made this mistake because I knew TLS/SSL required a different IP address for each logical website. Gert Doering clarified this for me. The restriction is not in the TLS/SSL certificate, but in the way the server has to use a single certificate at the moment a TCP connection is established, which means only one certificate can be used for any IP address. Gert wrote: >> As far as I know, this notion of IPv6 end-users supposedly being >> happy with PA space and automated renumbering has been going on for >> ten years or so. Hadn't anyone thought of all the config files >> (named, httpd, imapd, firewall etc.), SSL certs, DNS delegation etc.? > > Most end user networks neither run name servers nor SSL certs, etc., in > their network range - they delegate that task to their service providers. I can't cite counter examples, but I would have thought that many networks would be running their own mailserver, with integrated IMAP and probably web-based email software, which should run via TLS/SSL. Also, they would be running links to other offices, which would all need to be broken and re-established on new IP addresses if multihoming meant getting new addresses. What about SSHing from outside into a server in the network? It would be not such a good thing to find the server suddenly on another IP address from last time, due to a multihoming service restoration operation. I assume SSH would be fussy about that, but perhaps I am wrong about that too. This wouldn't prevent a connection, its just that there would be warnings etc. - which should ideally only occur something really is wrong. If the network suddenly winds up on a different set of addresses, I don't see how it would be possible to automatically update the DNS records for all relevant hostnames. The master nameserver could be in the current network, or anywhere in the world. That and the slaves have caching times to reduce their load, so this will leave some hosts with the old IP address for an hour or whatever after the MH service restoration event. I like running my own master nameserver at home, and having a slave in a server on the other side of the world. Having the whole network suddenly adopt new addresses due to some multihoming service restoration event sounds like 100% trouble and 0% convenience and elegance. It would be far better to have portable IP addresses which remained the same no matter what happened with multihoming. > "all the config files" should contain host names, not IP addresses > (that's what DNS has been invented for, half a century ago). I agree. But how could an automated system update the zone files, restart the nameservers, and then wait for an appropriate time (maybe restarting local caching nameservers to clear their cache) before somehow automatically reloading configurations, re-running start-up scripts or whatever - in an order which is not going to cause some troubles? > Of course there are larger "end users" (corporate networks) that have > local servers in their network - but even then, with proper planning > in the setup phase (and that means "not putting IP addresses in places > that should have server names"), renumbering is not painless, but also > not impossible. It mostly boils down to firewall rules, and changing > glue for a few name servers (again, the "proper planning" thing). Every one of these administrators would surely prefer to have portability and to keep the same addresses during multihoming service restoration. There are various arguments about why something might be possible, or why it would be feasible if only programmers did the right thing, and why it would be best to do this thing for the Greater Good. But the argument is against a network keeping its own IP addresses no matter what, people might nod in general agreement - but they would be nuts to say that there is no cost, no risk etc. making their network suddenly switch to a new set of addresses just because one multihomed link went down, or because they want another ISP. I am adamant that end-users need portability and portability based multihoming, not some supposedly easy renumbering process and multihoming which automagically renumbers their network. - Robin _______________________________________________ RAM mailing list RAM@iab.org https://www1.ietf.org/mailman/listinfo/ram
- [RAM] Renumbering impossibility: TSL/SSL certs, D… Robin Whittle
- Re: [RAM] Renumbering impossibility: TSL/SSL cert… Thomas Narten
- Re: [RAM] Renumbering impossibility: TSL/SSL cert… Gert Doering
- Re: [RAM] Renumbering impossibility: TSL/SSL cert… Stig Venaas
- [RAM] Re: Renumbering impossibility: TSL/SSL cert… Stephane Bortzmeyer
- Re: [RAM] Renumbering impossibility: TSL/SSL cert… Robin Whittle
- Re: [RAM] Renumbering impossibility: TSL/SSL cert… Olivier Bonaventure
- Re: [RAM] Renumbering impossibility: TSL/SSL cert… Robin Whittle
- Re: [RAM] Renumbering impossibility: TSL/SSL cert… Gert Doering
- [RAM] "End-users" & things I think warrant more a… Robin Whittle
- Re: [RAM] Renumbering impossibility: TSL/SSL cert… JFC Morfin
- [RAM] Re: Renumbering impossibility: TSL/SSL cert… Stephane Bortzmeyer
- [RAM] Re: Renumbering impossibility: TSL/SSL cert… Stephane Bortzmeyer
- Re: [RAM] Re: Renumbering impossibility: TSL/SSL … Gert Doering
- [RAM] Re: Renumbering impossibility: TSL/SSL cert… Gert Doering
- Re: [RAM] Re: Renumbering impossibility: TSL/SSL … JFC Morfin
- Re: [RAM] Re: Renumbering impossibility: TSL/SSL … Thomas Narten
- Re: [RAM] Re: Renumbering impossibility: TSL/SSL … Gert Doering
- Re: [RAM] Re: Renumbering impossibility: TSL/SSL … JFC Morfin
- Re: [RAM] Re: Renumbering impossibility: TSL/SSL … JFC Morfin
- Re: [RAM] Re: Renumbering impossibility: TSL/SSL … Roland Dobbins
- Re: [RAM] Re: Renumbering impossibility: TSL/SSL … JFC Morfin
- Re: [RAM] Renumbering impossibility: TSL/SSL cert… Jari Arkko