Re: [renum] draft-liu-6renum-gap-analysis-03
Ran Atkinson <ran.atkinson@gmail.com> Fri, 09 December 2011 12:55 UTC
Return-Path: <ran.atkinson@gmail.com>
X-Original-To: renum@ietfa.amsl.com
Delivered-To: renum@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DBF421F8483 for <renum@ietfa.amsl.com>; Fri, 9 Dec 2011 04:55:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p2QpkNAMBBp9 for <renum@ietfa.amsl.com>; Fri, 9 Dec 2011 04:55:22 -0800 (PST)
Received: from mail-qy0-f172.google.com (mail-qy0-f172.google.com [209.85.216.172]) by ietfa.amsl.com (Postfix) with ESMTP id 642E521F8488 for <renum@ietf.org>; Fri, 9 Dec 2011 04:55:22 -0800 (PST)
Received: by qcsf15 with SMTP id f15so2436201qcs.31 for <renum@ietf.org>; Fri, 09 Dec 2011 04:55:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; bh=JAPH3OUvcMjEnEOUut3LqoV9DDIE/ebf+xhDRPnHUXE=; b=LmOvMuO4byUepLl0U7SvYFLcIbgsFL/5NQ6Z+2sCyTl2S7MQ297Be7Xv7hsy5FEXhR bdbsAKIB800EbfWdtG8vCQ1oxTklF5aVsHOeElGVM83gCnkSBRUOF+LhIWMikBuno8i0 xLevWYMtSUEosDO7h6LtWhmR5JA4AklYMs1vU=
Received: by 10.229.71.164 with SMTP id h36mr1829570qcj.184.1323435321918; Fri, 09 Dec 2011 04:55:21 -0800 (PST)
Received: from [10.30.20.12] (pool-96-225-134-175.nrflva.fios.verizon.net. [96.225.134.175]) by mx.google.com with ESMTPS id dk9sm16529500qab.0.2011.12.09.04.55.20 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 09 Dec 2011 04:55:20 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset="us-ascii"
From: Ran Atkinson <ran.atkinson@gmail.com>
In-Reply-To: <5D36713D8A4E7348A7E10DF7437A4B9218580CF0@SZXEML506-MBX.china.huawei.com>
Date: Fri, 09 Dec 2011 07:55:19 -0500
Content-Transfer-Encoding: 7bit
Message-Id: <7D6F6DAB-D8B3-46AA-8339-D9B92E6356F1@gmail.com>
References: <5C46AA96-3CDA-41AD-8197-E7989DEC2609@gmail.com> <5D36713D8A4E7348A7E10DF7437A4B9218580CF0@SZXEML506-MBX.china.huawei.com>
To: Sheng Jiang <jiangsheng@huawei.com>
X-Mailer: Apple Mail (2.1251.1)
X-Mailman-Approved-At: Fri, 09 Dec 2011 07:32:23 -0800
Cc: "renum@ietf.org" <renum@ietf.org>
Subject: Re: [renum] draft-liu-6renum-gap-analysis-03
X-BeenThere: renum@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Renumbering discussion mailing list." <renum.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/renum>, <mailto:renum-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/renum>
List-Post: <mailto:renum@ietf.org>
List-Help: <mailto:renum-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/renum>, <mailto:renum-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Dec 2011 12:55:23 -0000
On 09 Dec 2011, at 01:49 , Sheng Jiang wrote: > Yes, our statement above is mainly based on BIND implementations. > We think most of DNS servers are BIND-based, 80% and above > (unverified estimation). So, Bind itself is the majority. BIND is quite common with ISPs and content providers, but Microsoft Server might well be the majority for *enterprise* sites. Since this document is focused on renumbering situations, Microsoft Server's DNS might well be the majority for the renumbering situation. Unlike UNIX deployments of BIND, which stand alone, Microsoft reportedly has fully integrated DNS with other services (e.g. DHCP, Windows Work groups) inside the Microsoft Windows Server. So reports say that there is no "flat file" with DNS entries. Reportedly, there is also no "loading of the DNS entries". Instead, there is full integration of DNS with the other services, and things are GUI-based and systemic for the whole deployment. I'm told that Apple's MacOS X Server takes a very similar approach to Microsoft Windows Server, with integration and a GUI front-end for the whole deployment. Apple apparently does use BIND code behind-the-scenes, but system administrators never interact with BIND directly and again there are no "flat files" to load because everything is behind a common server GUI. > We will contact Cricket Liu for the detail and > how common this is. We will update our text accordingly. Why not start first by reading his book (which is quite clear) ? It is a published O'Reilly book and should be readily available. According to the book, Microsoft Windows Server automatically enables Dynamic DNS Update between the Windows clients and the Windows server in a number of situations. So deployment of Dynamic DNS UPdate is proportional to deployments of Microsoft Windows server, which ought to be pretty common in an enterprise scenario. >> In Section 10, the above draft in part says: >>> In the LAN, Secure DHCPv6 ([I-D.ietf-dhc-secure-dhcpv6]) or >>> SeND ([RFC3971], Secure Neighbor Discovery) deployment >>> may need to validate prefixes. >> >> >> If one thinks that configuring keys for Secure Dynamic >> DNS Update is difficult or challenging, then it is >> unavoidable to conclude that neither Secure DHCPv6 >> nor SEND are actually deployable at present. >> >> I think the problems with key management deserve their >> own subsection in Section 10 -- as a category of "gap" >> that ought to be addressed. That new subsection ought >> to note the operational issues with key provisioning >> and key management for Secure Dynamic DNS Update >> (at least for non-MS nodes) and equally or more so >> for Secure DHCPv6 and SEND. One would hope these >> would not fall into the "unsolvable gap" category, >> but in any event these gaps do need to be clearly >> documented. > > The key management is a complicated issue. It is worth > a separated draft. It is relevant. However, we don't > think it is a renumbering specific issue. We will add > some new text for it. But we would like to leave it out of scope. I do not think that ignoring the issue or declaring it out-of-scope is a legitimate position to take for this document. IETF rules require that ALL documents must fully address Security Considerations *within their own document*. Ignoring that topic -- or shunting it off to other documents -- will result in a Last Call objection from me and possibly others on the very solid technical grounds that the Security Considerations are known to be deficient. >> Similarly, there is a practical operational "gap" in >> that we have no way to automatically update ACLs during >> a renumbering event. This also needs to be documented >> as a gap. > > We did list ACL as part of filter, see Section 6.3. I did. It is not nearly clear enough. More text is needed -- and since it is a Security Consideration it also needs to be referenced in the Security Considerations section of the document. Last, it is very very rude and offensive to take any private email and post it to any public mailing list without prior permission of the author -- as you have done today. Yours, Ran
- Re: [renum] draft-liu-6renum-gap-analysis-03 Sheng Jiang
- Re: [renum] draft-liu-6renum-gap-analysis-03 Ran Atkinson
- Re: [renum] draft-liu-6renum-gap-analysis-03 Mark Andrews
- [renum] Key management [draft-liu-6renum-gap-anal… Brian E Carpenter
- Re: [renum] Key management [draft-liu-6renum-gap-… Mark Andrews
- Re: [renum] draft-liu-6renum-gap-analysis-03 Leo Liu(bing)