IETF Logo Mail Archive

Re: [v6ops] Enterprise Guidance on IPv6 (draft-chkpvc-enterprise-incremental-ipv6-00)

Brian E Carpenter <brian.e.carpenter@gmail.com> Sun, 17 June 2012 09:29 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5061421F85F6 for <v6ops@ietfa.amsl.com>; Sun, 17 Jun 2012 02:29:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -89.991
X-Spam-Level:
X-Spam-Status: No, score=-89.991 tagged_above=-999 required=5 tests=[AWL=-11.115, BAYES_20=-0.74, J_CHICKENPOX_13=0.6, RCVD_ILLEGAL_IP=1.908, RCVD_IN_DNSWL_LOW=-1, SARE_SUB_6CONS_WORD=0.356, URIBL_BLACK=20, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MP08JpfqX+uJ for <v6ops@ietfa.amsl.com>; Sun, 17 Jun 2012 02:29:07 -0700 (PDT)
Received: from mail-ey0-f172.google.com (mail-ey0-f172.google.com [209.85.215.172]) by ietfa.amsl.com (Postfix) with ESMTP id 20DB421F85CC for <v6ops@ietf.org>; Sun, 17 Jun 2012 02:29:06 -0700 (PDT)
Received: by eaaq13 with SMTP id q13so1420591eaa.31 for <v6ops@ietf.org>; Sun, 17 Jun 2012 02:29:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=wlXb8/pYXoZ7PS75ZvRK6CSwv21HuKdc/h2spFHzqok=; b=mry1BOmp3oueVOEMz4LBlFeob74eYqkNiIam4UuGRrdP/jdBw188VFPoLd++2VY+BM J6XP8kB1nfNWnPywgRcpV3jCBYTTuYZd4/E9rguBdYJXt5ixofLoctzl6OkE3Yyparbv LE7/J/zwFznFP4jakZdzMmGSdGv/LdEoaQ/F7EEA46MBujy9H/kPvVncqLzDdGsUys8Y wUOUIBnXSQcnTtENjWz+DTGeEAqAnnJinvEs1oO/Du5mGOmg3RW2FKvvhiCLVU9bsLaS 8vjzwkW62OMuilNWLchWEOi7/evoW3rid/w5nKzoV0QffBrSzIWq854rw9kv3rNPClIB Fwxw==
Received: by 10.14.97.77 with SMTP id s53mr2569746eef.104.1339925345962; Sun, 17 Jun 2012 02:29:05 -0700 (PDT)
Received: from [192.168.1.66] (host-2-102-218-189.as13285.net. [2.102.218.189]) by mx.google.com with ESMTPS id y12sm48977277eem.7.2012.06.17.02.29.04 (version=SSLv3 cipher=OTHER); Sun, 17 Jun 2012 02:29:05 -0700 (PDT)
Message-ID: <4FDDA35E.9050701@gmail.com>
Date: Sun, 17 Jun 2012 10:29:02 +0100
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Ray Hunter <v6ops@globis.net>
References: <000301cd4801$1f059880$5d10c980$@asgard.org> <4FD8B188.1000403@globis.net> <002701cd4a3e$99e19ce0$cda4d6a0$@asgard.org> <4FDA19FC.1010606@globis.net>
In-Reply-To: <4FDA19FC.1010606@globis.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: 'IPv6 Operations' <v6ops@ietf.org>
Subject: Re: [v6ops] Enterprise Guidance on IPv6 (draft-chkpvc-enterprise-incremental-ipv6-00)
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Jun 2012 09:29:09 -0000

Re split DNS, someone pointed me at this interesting draft:
http://tools.ietf.org/html/draft-krishnaswamy-dnsop-dnssec-split-view

Not a popular topic in DNS land, of course.

Regards
   Brian

On 2012-06-14 18:06, Ray Hunter wrote:
> inline
>> Lee Howard <mailto:lee@asgard.org>
>> 14 June 2012 17:01
>>> -----Original Message-----
>>> From: Ray Hunter [mailto:v6ops@globis.net]
>>> Sent: Wednesday, June 13, 2012 11:28 AM
>>> To: Lee Howard
>>> Cc: 'Victor Kuarsingh'; 'IPv6 Operations'
>>> Subject: Re: [v6ops] Enterprise Guidance on IPv6
>>> (draft-chkpvc-enterprise-incremental-
>>> ipv6-00)
>>>
>>> Regardless of whether this draft is the vehicle or not, one thing
>>> that I think is missing is that
>>> large enterprises currently almost universally use some sort of
>>> centralized gateway or proxy
>>> to access the Internet, coupled with "split DNS" (whether the IETF
>>> likes that or not
>>
>> "Split DNS" meaning that different responses are returned depending on
>> whether the query
>> comes from within the enterprise or from outside?
>> For instance, an employee can reach ACCOUNTING.EXAMPLE.COM internally,
>> because the
>> name server returns a net 10 address, but a query from outside receives
>> NXDOMAIN?
> I believe "Split DNS" can mean several things, which is why I placed it
> in quotes.
> 
> I don't think Split DNS was ever acknowledged as a standard. But it is
> widely deployed in enterprises AFAIK. One reason was to mitigate against
> cache poisoning. Another was to be able to use DNS with RFC1918
> addresses before this was supported on common implementations. Another
> was just so that internal name and address space was completely private
> in manufacturing environments. Another was for test & development
> environments. Another was so that dynamically updated names in AD could
> remain relatively secure from external interference.
> 
> So the namespace can be split, or the transport, or both.
> 
> I believe I've seen:
> 
> 1) internal hidden servers that serve different zones internally as the
> external servers. These internal hidden masters may be used to source
> zone transfers to sacrificial external slave servers that serve a subset
> of the namespace. So ext.example.com may be served externally, but
> int.example.com may be restricted to the internal servers (simply by not
> having the secondary zone configured on the external server). The
> internal servers may or may not be able to resolve Internet names
> (sometimes via a proxy DNS setup) Here we have a split namespace, and
> potentially a split transport (depending on how internal hosts resolve
> external addresses)
> 
> 2) A single set of DNS servers that serve different answers based on
> some parameter from the query e.g. a single DNS server using BIND
> "views" to provide an answer for accounting.example.com based on the
> source address of the query matching an on-enterprise-net pattern, that
> is not resolvable for off-enterprise-net addresses. Here we're clearly
> talking about split namespace, but contiguous transport.
> 
> 3) Completely separate internal and external servers serving the same
> logical zone but with different content and sometimes managed completely
> separately e.g. www.example.com hosted externally at a hosting provider
> for a corporate website for public consumption, and a separate
> employee's version of the same website iww.example.com hosted internally
> by the IT department. The external DNS servers may have an Internet
> hints file and a be managed by the hosting provider. The internal DNS
> servers may have a (fake) master root zone and be managed by the IT
> department. Internal hosts normally will not be able to resolve
> www.external.com or www.example.com and are pointed to an appropriate
> web proxy via a proxy pac file. Here we're talking about split namespace
> and split transport. Sometimes there may even be conflicting or
> overlapping namespace.
> 
> 4) Completely fictitious internal A record entries for trusted 3rd party
> companies where there is a private link between the two companies
> together with a contractual agreement defining responsibilities e.g. for
> B2B transactions or for managing outsourced systems, or providing
> outsourced services to example.com. This is just a horrible kludge.
> 
> 5) Equivalent of a .local namespace for dev, test & production. So
> there'd be overlapping address space for hostname-x.dev.company.com
> hostname-x.test.company.com hostname-x.production.company.com. As
> software moved from one environment to the next, all that was changed
> was the DNS default search domain (no machine renumbering needed in
> order to avoid problems with high availability scripts having to be
> edited). Some people even used identical setups for all 3 environments
> (identical names, addresses & domains) to avoid changing anything as
> solutions were transported between environments (via hard media).
> 
> 6) Manufacturing environments that were meant to be completely isolated
> (yes I know) that use private RFC1918 IP space.
> 
> Don't shoot the messenger.
>>> Many enterprises have expressed a desire to become "Internet Centric"
>>> whatever that is. They're also moving very rapidly to cloud services for
>> generic applications.
>>> However, they'll still need private enterprise networks with SLAs for
>>> many
>> other business
>>> critical services ad interim, at least until the generic Internet
>>> supports
>> an equivalent of
>>> Diffserv.
>>> Multiple IPv6 addresses per node, with a combination of PI space for the
>> enterprise network
>>> and PA space fromlocal providers, is making direct proxy-free nat-free
>> local Internet
>>> breakout potentially possible (together with MIF and appropriate address
>> selection).
>>> DNSSEC is also potentially attractive to facilitate/ restore a basic end
>> to end trust model.
>>> So I think we know where we're starting, and I think we know where we
>>> end
>> up, but is there
>>> any operational advice available on the steps that would be required to
>> e.g. "unsplit DNS"
>>> (and remove proxies) when introducing IPv6?
>>
>> What changes?  You can still return NXDOMAIN if you don't like the
>> querier.
>> Or you can
>> respond with a AAAA and rely on your security to protect your accounting
>> system.
> You're assuming that the transport has always been contiguous between
> internal and external hosts and DNS servers,  and that there is a single
> consistent set of authoritative name servers for a common Worldwide
> namespace. That is rarely the case AFAIK.
>>> In other words, how do we restore the end to end model without breaking
>> stuff on the way?
>>
>> I may be misunderstanding you, though, since I'm not sure how the
>> end-to-end
>> principle
>> applies to this DNS setup.
>> Yes, GUA addressing makes it possible to eliminate NAT, but whether
>> enterprises eliminate
>> proxies depends on their policy reasons for implementing them in the
>> first
>> place.
>>
>> What should we say about all this?
> It's relatively easily to define a flexible PI based IPv6 addressing
> plan so that return routes can be de-aggregated as necessary (based on
> Internet latency) as the number of direct Internet gateways grows. That
> might be a useful hint for enterprises as they remove proxies and
> increase local breakout.
> 
> But I really don't know at the moment what's the best roadmap for
> migrating the DNS and the namespace to being "Internet centric", which
> is why I asked the WG ;)
> 
> It could get very complex because you can learn or leak IPv4 information
> (e.g. RFC1918 addresses, private namespace, or conflicting namespace)
> over an IPv6 transport connection (which will be end-to-end
> transparent), but which would not be transported over an IPv4 connection
> (the IPv4 transport either never existed, was DNS forwarded or proxied,
> or was NATted). Then add caching and mobile end nodes into the mix.
> 
> I suspect it will be quite easy for enterprises to paint themselves into
> a corner, if they haven't already. And if they already have, what do
> they do?
> 
> regards,
> RayH
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>

v2.23.0 | Report a Bug | By Email