IETF Logo Mail Archive

Re: [v6ops] PI [ULA draft revision #2 Regarding isolated networks]

Mark Andrews <marka@isc.org> Sat, 31 May 2014 22:24 UTC

Return-Path: <marka@isc.org>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B1151A0115 for <v6ops@ietfa.amsl.com>; Sat, 31 May 2014 15:24:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.252
X-Spam-Level:
X-Spam-Status: No, score=-5.252 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MANGLED_PRBLMS=2.3, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f6RPAhsUlIZj for <v6ops@ietfa.amsl.com>; Sat, 31 May 2014 15:23:59 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) by ietfa.amsl.com (Postfix) with ESMTP id 5DCA81A0114 for <v6ops@ietf.org>; Sat, 31 May 2014 15:23:59 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) by mx.pao1.isc.org (Postfix) with ESMTP id F38A33493B4; Sat, 31 May 2014 22:23:53 +0000 (UTC) (envelope-from marka@isc.org)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 7E1CF160067; Sat, 31 May 2014 22:28:50 +0000 (UTC)
Received: from rock.dv.isc.org (c211-30-183-50.carlnfd1.nsw.optusnet.com.au [211.30.183.50]) by zmx1.isc.org (Postfix) with ESMTPSA id 1A90316004E; Sat, 31 May 2014 22:28:50 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 8A5D8171A140; Sun, 1 Jun 2014 08:23:21 +1000 (EST)
To: Gert Doering <gert@space.net>
From: Mark Andrews <marka@isc.org>
References: <m2iooq4oqi.wl%randy@psg.com> <5385762E.5020901@dougbarton.us> <5385AA97.1050207@fud.no> <53864DCB.5070202@gmail.com> <53865EA2.9000502@fud.no> <02dc01cf7c06$cc6a4bc0$4001a8c0@gateway.2wire.net> <97390E9C-460F-4D08-AFCE-E4A991E2B0E4@cisco.com> <46D22F62-3528-4B9D-9FCF-C9C7466A9ABA@delong.com> <20140531104145.GQ46558@Space.Net> <m1WqqZ4-0000DqC@stereo.hq.phicoh.net> <20140531213133.GB46558@Space.Net>
In-reply-to: Your message of "Sat, 31 May 2014 23:31:33 +0200." <20140531213133.GB46558@Space.Net>
Date: Sun, 01 Jun 2014 08:23:21 +1000
Message-Id: <20140531222321.8A5D8171A140@rock.dv.isc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/5sAADWn-oovxShNh07ZFtFF--qU
Cc: Philip Homburg <pch-v6ops-3a@u-1.phicoh.com>, V6 Ops List <v6ops@ietf.org>
Subject: Re: [v6ops] PI [ULA draft revision #2 Regarding isolated networks]
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 31 May 2014 22:24:01 -0000

In message <20140531213133.GB46558@Space.Net>, Gert Doering writes:
> Hi,
> 
> On Sat, May 31, 2014 at 11:11:42PM +0200, Philip Homburg wrote:
> > >Maybe you should step down from your "I have PI, I like it, everybody must
> > >have PI" soapbox and actually look at what, for example, homenet has 
> > >achieved in the last years.  This stuff looks complicated (and under the
> > >hood, it is), but the end user experience "take this box, plug in a number
> > >of ISPs, things work, no further configuration is needed(*)" is nothing yo
> u
> > >can match with a PI network.
> > 
> > I can see how you can do do multiple PA prefixes client side. Done that
> > for years now. Even with different routers providing the upstreams. No prob
> lem
> > there.
> > 
> > But I have nothing to update my DNS zones. How do I reflect which links 
> > are up or down? Is there even a draft for that? What's the BCP for TTL
> > values, DNSSEC, etc?
> 
> This is where things get interesting.  You, Owen, I are not "the 99% home
> users out there" - home users don't do DNS zones, because they do not 
> control a DNS server...  (they do mDNS because it's automatic and works
> fine for in-house purposes).   Where this falls apart, of course, is when
> you need to setup some sort of "call me" service, like remote help, 
> access your home disks from abroad, etc.
> 
> Some router vendors (AVM) have started to offer dyn-dns services that
> attach the current (dynamic) prefix to a statically known host-id and
> thus provide DNS to reach "home devices".  I'm not aware of specific 
> drafts that govern how IETF thinks this *should* be done, though.

The IETF has published exactly one method for updating the DNS (RFC 2136).
It has standardized several methods for securing that update.

RFC 2136: Dynamic Updates in the Domain Name System (DNS UPDATE)
RFC 2845: Secret Key Transaction Authentication for DNS (TSIG)
RFC 2931: DNS Request and Transaction Signatures ( SIG(0)s )
RFC 3645: Generic Security Service Algorithm for
         Secret Key Transaction Authentication for DNS (GSS-TSIG)

Now there are some other adhoc methods by various dynamic DNS
providers but UPDATE + TSIG and UPDATE + GSS-TSIG have been using
by enterprises for over a decade now depending upon whether you are
a Microsoft AD Enterprise (UPDATE + GSS-TSIG) or not (UPDATE + TSIG)
from the DHCP server.

UPDATE + TSIG work fine from a CPE device.
UPDATE + TSIG work fine from a node one you have configured shared TSIG
	keys.

TSIG is just username + password and when you present it as username
+ password it is understood by the average punter.

UPDATE + SIG(0) works fine from a node one the administrator has added
	the KEY record for the node to the zone usually using UPDATE + TSIG.
UPDATE + GSS-TSIG work fine for Microsoft AD sites where each node is
	add to the AD DOMAIN and gets a Kerberos key which it uses with
	UPDATE to update its own information.

All of these method work.  All of them can be in ACLs to restrict the updates
down to the RRset level.  Now if someone wants to write a BCP saying that
nodes should support UPDATE.  That nodes should add their addresses to the
DNS when they change I would be all for it.

Apple already do UPDATE + TSIG.
Microsoft already do UPDATE + GSS-TSIG.

Mark


> Gert Doering
>         -- NetMaster
> -- 
> have you enabled IPv6 on something today...?
> 
> SpaceNet AG                        Vorstand: Sebastian v. Bomhard
> Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
> D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
> Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279
> 
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email