Re: [v6ops] Enterprise Guidance on IPv6 (draft-chkpvc-enterprise-incremental-ipv6-00)
Brian E Carpenter <brian.e.carpenter@gmail.com> Sun, 17 June 2012 09:29 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5061421F85F6 for <v6ops@ietfa.amsl.com>; Sun, 17 Jun 2012 02:29:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -89.991
X-Spam-Level:
X-Spam-Status: No, score=-89.991 tagged_above=-999 required=5 tests=[AWL=-11.115, BAYES_20=-0.74, J_CHICKENPOX_13=0.6, RCVD_ILLEGAL_IP=1.908, RCVD_IN_DNSWL_LOW=-1, SARE_SUB_6CONS_WORD=0.356, URIBL_BLACK=20, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MP08JpfqX+uJ for <v6ops@ietfa.amsl.com>; Sun, 17 Jun 2012 02:29:07 -0700 (PDT)
Received: from mail-ey0-f172.google.com (mail-ey0-f172.google.com [209.85.215.172]) by ietfa.amsl.com (Postfix) with ESMTP id 20DB421F85CC for <v6ops@ietf.org>; Sun, 17 Jun 2012 02:29:06 -0700 (PDT)
Received: by eaaq13 with SMTP id q13so1420591eaa.31 for <v6ops@ietf.org>; Sun, 17 Jun 2012 02:29:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=wlXb8/pYXoZ7PS75ZvRK6CSwv21HuKdc/h2spFHzqok=; b=mry1BOmp3oueVOEMz4LBlFeob74eYqkNiIam4UuGRrdP/jdBw188VFPoLd++2VY+BM J6XP8kB1nfNWnPywgRcpV3jCBYTTuYZd4/E9rguBdYJXt5ixofLoctzl6OkE3Yyparbv LE7/J/zwFznFP4jakZdzMmGSdGv/LdEoaQ/F7EEA46MBujy9H/kPvVncqLzDdGsUys8Y wUOUIBnXSQcnTtENjWz+DTGeEAqAnnJinvEs1oO/Du5mGOmg3RW2FKvvhiCLVU9bsLaS 8vjzwkW62OMuilNWLchWEOi7/evoW3rid/w5nKzoV0QffBrSzIWq854rw9kv3rNPClIB Fwxw==
Received: by 10.14.97.77 with SMTP id s53mr2569746eef.104.1339925345962; Sun, 17 Jun 2012 02:29:05 -0700 (PDT)
Received: from [192.168.1.66] (host-2-102-218-189.as13285.net. [2.102.218.189]) by mx.google.com with ESMTPS id y12sm48977277eem.7.2012.06.17.02.29.04 (version=SSLv3 cipher=OTHER); Sun, 17 Jun 2012 02:29:05 -0700 (PDT)
Message-ID: <4FDDA35E.9050701@gmail.com>
Date: Sun, 17 Jun 2012 10:29:02 +0100
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Ray Hunter <v6ops@globis.net>
References: <000301cd4801$1f059880$5d10c980$@asgard.org> <4FD8B188.1000403@globis.net> <002701cd4a3e$99e19ce0$cda4d6a0$@asgard.org> <4FDA19FC.1010606@globis.net>
In-Reply-To: <4FDA19FC.1010606@globis.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: 'IPv6 Operations' <v6ops@ietf.org>
Subject: Re: [v6ops] Enterprise Guidance on IPv6 (draft-chkpvc-enterprise-incremental-ipv6-00)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Jun 2012 09:29:09 -0000
Re split DNS, someone pointed me at this interesting draft: http://tools.ietf.org/html/draft-krishnaswamy-dnsop-dnssec-split-view Not a popular topic in DNS land, of course. Regards Brian On 2012-06-14 18:06, Ray Hunter wrote: > inline >> Lee Howard <mailto:lee@asgard.org> >> 14 June 2012 17:01 >>> -----Original Message----- >>> From: Ray Hunter [mailto:v6ops@globis.net] >>> Sent: Wednesday, June 13, 2012 11:28 AM >>> To: Lee Howard >>> Cc: 'Victor Kuarsingh'; 'IPv6 Operations' >>> Subject: Re: [v6ops] Enterprise Guidance on IPv6 >>> (draft-chkpvc-enterprise-incremental- >>> ipv6-00) >>> >>> Regardless of whether this draft is the vehicle or not, one thing >>> that I think is missing is that >>> large enterprises currently almost universally use some sort of >>> centralized gateway or proxy >>> to access the Internet, coupled with "split DNS" (whether the IETF >>> likes that or not >> >> "Split DNS" meaning that different responses are returned depending on >> whether the query >> comes from within the enterprise or from outside? >> For instance, an employee can reach ACCOUNTING.EXAMPLE.COM internally, >> because the >> name server returns a net 10 address, but a query from outside receives >> NXDOMAIN? > I believe "Split DNS" can mean several things, which is why I placed it > in quotes. > > I don't think Split DNS was ever acknowledged as a standard. But it is > widely deployed in enterprises AFAIK. One reason was to mitigate against > cache poisoning. Another was to be able to use DNS with RFC1918 > addresses before this was supported on common implementations. Another > was just so that internal name and address space was completely private > in manufacturing environments. Another was for test & development > environments. Another was so that dynamically updated names in AD could > remain relatively secure from external interference. > > So the namespace can be split, or the transport, or both. > > I believe I've seen: > > 1) internal hidden servers that serve different zones internally as the > external servers. These internal hidden masters may be used to source > zone transfers to sacrificial external slave servers that serve a subset > of the namespace. So ext.example.com may be served externally, but > int.example.com may be restricted to the internal servers (simply by not > having the secondary zone configured on the external server). The > internal servers may or may not be able to resolve Internet names > (sometimes via a proxy DNS setup) Here we have a split namespace, and > potentially a split transport (depending on how internal hosts resolve > external addresses) > > 2) A single set of DNS servers that serve different answers based on > some parameter from the query e.g. a single DNS server using BIND > "views" to provide an answer for accounting.example.com based on the > source address of the query matching an on-enterprise-net pattern, that > is not resolvable for off-enterprise-net addresses. Here we're clearly > talking about split namespace, but contiguous transport. > > 3) Completely separate internal and external servers serving the same > logical zone but with different content and sometimes managed completely > separately e.g. www.example.com hosted externally at a hosting provider > for a corporate website for public consumption, and a separate > employee's version of the same website iww.example.com hosted internally > by the IT department. The external DNS servers may have an Internet > hints file and a be managed by the hosting provider. The internal DNS > servers may have a (fake) master root zone and be managed by the IT > department. Internal hosts normally will not be able to resolve > www.external.com or www.example.com and are pointed to an appropriate > web proxy via a proxy pac file. Here we're talking about split namespace > and split transport. Sometimes there may even be conflicting or > overlapping namespace. > > 4) Completely fictitious internal A record entries for trusted 3rd party > companies where there is a private link between the two companies > together with a contractual agreement defining responsibilities e.g. for > B2B transactions or for managing outsourced systems, or providing > outsourced services to example.com. This is just a horrible kludge. > > 5) Equivalent of a .local namespace for dev, test & production. So > there'd be overlapping address space for hostname-x.dev.company.com > hostname-x.test.company.com hostname-x.production.company.com. As > software moved from one environment to the next, all that was changed > was the DNS default search domain (no machine renumbering needed in > order to avoid problems with high availability scripts having to be > edited). Some people even used identical setups for all 3 environments > (identical names, addresses & domains) to avoid changing anything as > solutions were transported between environments (via hard media). > > 6) Manufacturing environments that were meant to be completely isolated > (yes I know) that use private RFC1918 IP space. > > Don't shoot the messenger. >>> Many enterprises have expressed a desire to become "Internet Centric" >>> whatever that is. They're also moving very rapidly to cloud services for >> generic applications. >>> However, they'll still need private enterprise networks with SLAs for >>> many >> other business >>> critical services ad interim, at least until the generic Internet >>> supports >> an equivalent of >>> Diffserv. >>> Multiple IPv6 addresses per node, with a combination of PI space for the >> enterprise network >>> and PA space fromlocal providers, is making direct proxy-free nat-free >> local Internet >>> breakout potentially possible (together with MIF and appropriate address >> selection). >>> DNSSEC is also potentially attractive to facilitate/ restore a basic end >> to end trust model. >>> So I think we know where we're starting, and I think we know where we >>> end >> up, but is there >>> any operational advice available on the steps that would be required to >> e.g. "unsplit DNS" >>> (and remove proxies) when introducing IPv6? >> >> What changes? You can still return NXDOMAIN if you don't like the >> querier. >> Or you can >> respond with a AAAA and rely on your security to protect your accounting >> system. > You're assuming that the transport has always been contiguous between > internal and external hosts and DNS servers, and that there is a single > consistent set of authoritative name servers for a common Worldwide > namespace. That is rarely the case AFAIK. >>> In other words, how do we restore the end to end model without breaking >> stuff on the way? >> >> I may be misunderstanding you, though, since I'm not sure how the >> end-to-end >> principle >> applies to this DNS setup. >> Yes, GUA addressing makes it possible to eliminate NAT, but whether >> enterprises eliminate >> proxies depends on their policy reasons for implementing them in the >> first >> place. >> >> What should we say about all this? > It's relatively easily to define a flexible PI based IPv6 addressing > plan so that return routes can be de-aggregated as necessary (based on > Internet latency) as the number of direct Internet gateways grows. That > might be a useful hint for enterprises as they remove proxies and > increase local breakout. > > But I really don't know at the moment what's the best roadmap for > migrating the DNS and the namespace to being "Internet centric", which > is why I asked the WG ;) > > It could get very complex because you can learn or leak IPv4 information > (e.g. RFC1918 addresses, private namespace, or conflicting namespace) > over an IPv6 transport connection (which will be end-to-end > transparent), but which would not be transported over an IPv4 connection > (the IPv4 transport either never existed, was DNS forwarded or proxied, > or was NATted). Then add caching and mobile end nodes into the mix. > > I suspect it will be quite easy for enterprises to paint themselves into > a corner, if they haven't already. And if they already have, what do > they do? > > regards, > RayH > _______________________________________________ > v6ops mailing list > v6ops@ietf.org > https://www.ietf.org/mailman/listinfo/v6ops >
- [v6ops] Enterprise Guidance on IPv6 (draft-chkpvc… Lee Howard
- Re: [v6ops] Enterprise Guidance on IPv6 (draft-ch… Ray Hunter
- Re: [v6ops] Enterprise Guidance on IPv6 (draft-ch… Templin, Fred L
- Re: [v6ops] Enterprise Guidance on IPv6 (draft-ch… Victor Kuarsingh
- Re: [v6ops] Enterprise Guidance on IPv6 (draft-ch… Victor Kuarsingh
- Re: [v6ops] Enterprise Guidance on IPv6 (draft-ch… Templin, Fred L
- Re: [v6ops] Enterprise Guidance on IPv6 (draft-ch… Lee Howard
- Re: [v6ops] Enterprise Guidance on IPv6 (draft-ch… Ray Hunter
- Re: [v6ops] Enterprise Guidance on IPv6 (draft-ch… Brian E Carpenter
- Re: [v6ops] Enterprise Guidance on IPv6 (draft-ch… Fred Baker
- Re: [v6ops] Enterprise Guidance on IPv6 (draft-ch… Fred Baker
- Re: [v6ops] Enterprise Guidance on IPv6 (draft-ch… Brian E Carpenter
- Re: [v6ops] Enterprise Guidance on IPv6 (draft-ch… Tina TSOU