IPv6 Confusion

> Approach IPv6 as a new and different protocol.

Unfortunately, I gather this isn't what end users or network operators
want or expect. I suspect if we want to make real inroads towards
IPv6 deployment, we'll need to spend a bit more time making IPv6 look,
taste, and feel like IPv4 and less time berating folks for "IPv4-think"
(not that you do this, but others here do). For example,
getting over the stateless autoconfig religion (which was never fully
thought out -- how does an autoconfig'd device get a DNS name
associated with its address in a DNSSEC-signed world again?) and
letting network operators use DHCP with IPv6 the way they do with IPv4.

  David, you know as well as I do that DNSSEC is an orthogonal
  issue here.

  The first issue is how do you assign a name to an object?
  The second issue is how do you add that name to the DNS?
  The third issue is how do you sign that change?

  I solve it by giving the machine a name and adding a KEY record
  at that name to the DNS; the machine knows the private part.
  I then use SIG(0) to update the address records of the
  machine whenever the addresses change. The DNS server that
  accepts that update generates new RRSIGs for the records
  affected by that change and the zone propagates out to the
  servers using NOTIFY.

  I update the reverse PTR records using tcp-self as the
  authentication mechanism. tcp-self is weak but is strong
  enough for the level of trust assigned to PTR records.
  Again the DNS server generates appropriate signatures.

  The machine's name is not tied to the network on which it
  lives.

  Mark

I think the issue is that the machine in question may not know its own hostname
to start, much less that dnssec is in use, or that a private key is supposed to
be remembered on the machine. So there's a bit of a bootstrapping problem
there.

Of course, you can skip over that issue by letting the DHCP server do
the DNS updates as a proxy for the just-DHCP'ed machine, but that has
other issues...

(or just pre-populate the DNS with DHCP-2001-9A98-D247-{5more}.ISP.com and be
done with it like many places do for IPv4)
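The server side of the scheme Mark describes above (a KEY record per host, SIG(0)-signed updates of the host's own address records, online re-signing, NOTIFY to secondaries, and tcp-self for PTR updates), as an added BIND named.conf sketch that is not from the thread. It assumes BIND 9.16 or later and the constructed names example.net, 8.b.d.0.1.0.0.2.ip6.arpa (the reverse zone for 2001:db8::/32), host.example.net and a secondary at 2001:db8::53.

```conf
// Forward zone: each host has a KEY record at its own name and sends
// SIG(0)-signed dynamic updates for its address records.
zone "example.net" {
    type primary;
    file "example.net.db";
    // Online signing: named re-signs the changed RRsets after each update.
    // The zone-signing key therefore lives on this server (an on-line key).
    dnssec-policy default;
    inline-signing yes;
    update-policy {
        // "self": the SIG(0) signer name must equal the name being updated,
        // so host.example.net can change only its own A/AAAA records.
        grant * self * A AAAA;
    };
    notify yes;                      // push each new zone version via NOTIFY
    also-notify { 2001:db8::53; };   // constructed secondary address
};

// Reverse zone: PTR updates are accepted over TCP only, and only for the
// PTR name that maps back to the TCP source address. This trusts the
// network path rather than a key, which is why it is the weaker mechanism.
zone "8.b.d.0.1.0.0.2.ip6.arpa" {
    type primary;
    file "2001-db8.rev.db";
    dnssec-policy default;
    inline-signing yes;
    update-policy {
        grant * tcp-self . PTR;
    };
};

// Client side, run on the host (not part of named.conf):
//   dnssec-keygen -T KEY -a ECDSAP256SHA256 -n HOST host.example.net.
//   Publish the generated KEY record at host.example.net. once, then on
//   every address change (NNNNN is the key tag the tool prints):
//   nsupdate -k Khost.example.net.+013+NNNNN.private <<EOF
//   server ns1.example.net
//   zone example.net
//   update delete host.example.net. AAAA
//   update add host.example.net. 3600 AAAA 2001:db8:1::10
//   send
//   EOF
```

With these policies an update signed by a key held at a different name, or a PTR update arriving over UDP or from a non-matching source address, is refused; only the RRSIG generation requires the signing key to be online.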

My understanding, which may well be wrong, is that:

- stateless auto-configuration assumes the client will update the address to name association once it has obtained the address.
- In order to do this, the DNS server needs to support Dynamic DNS.
- If DNSSEC is in use, it requires the use of on-line signing keys.
- Security folks get unhappy when you mention on-line signing keys.

Solution?

- Don't have address to name associations
- Don't worry about (or accept lesser) security on address to name associations.

Of course the DNSSEC bit is sort of moot, as I suspect there aren't a whole lot of ISPs in a position to support dynamic updates from clients...

Regards,
-drc