PTR records for IPv6

Dan Wing dwing at cisco.com
Thu Sep 5 18:13:53 CEST 2013


On Sep 5, 2013, at 7:20 AM, S.P.Zeidler <spz at serpens.de> wrote:

> Thus wrote Dan Wing (dwing at cisco.com):
> 
>> On Sep 4, 2013, at 4:43 AM, S.P.Zeidler <spz at serpens.de> wrote:
> [...]
>>> 
>>> In an IPv6 world, network services (aka, smtp, http, dns, .. servers)
>>> should -always- be bound (and bindable) to specific addresses both for
>>> incoming and outgoing connections.
>> 
>> Some more precision around that statement would be useful, perhaps an Internet Draft to provide guidance to developers for when to choose a privacy address or the primary address.
> 
> I would like to ask application developers to make it configurable.
> I'm a server admin most of my time and I like a combination of reasonable
> default and the ability to change it best. Of course that leaves the
> question what a reasonable default is. :)

Yes.  Perhaps there is a place for suggesting such a default to ease network operations.

> Note that with server configurations, you positively need to be able
> to pick an address anyway, since "the primary address" may not exist,
> instead you have a dozen public addresses to pick from. In my work
> context, I think all servers have at least 3 static addresses, and even in
> my for-fun context multiple published public addresses per server
> are quite common.
> 
>> Choosing DNS from your list as one example, using privacy addresses for a query would add more bits of randomness, which DNS has been struggling to add since the Kaminsky attack (randomized source port, draft-vixie-dnsext-dns0x20, and other approaches).
> 
> Good point. DNS queries thus should probably default to a privacy address.
> Another example of an application where the default probably should be
> a privacy address even if that is not the system default (but privacy
> addresses are available) are web browsers.

Several of our enterprise customers are unhappy with privacy addresses for internal traffic -- including from browsers -- because tooling and some switch/router features make auditing more difficult.  Existing tools, derived from IPv4 tools, assume a host has one IP address, and when IPv6 support was added to the tool it just bumped the field from 32 bits with dots to 128 bits with colons, but many tools did not change their underlying architecture (to learn about privacy addresses from the local switch) or their database design (to associate multiple IPv6 addresses with a single host).  This is a maturity issue.  To be fair to the tools and the hardware, privacy addresses are "new" and only started being exercised significantly by OS X and iOS about a year ago; Windows 7 and 8 are much less aggressive with spinning up new privacy addresses.

> How about "if you expect anonymous connections to be ok, or if you expect
> to authenticate to the server/peer by a means different than your address,
> use a privacy address"?
> 
> Also, "if you expect the server/peer to have a reasonable requirement
> for trackability, or of weakly authenticating the connection via your
> address, use a public address".
> 
> Thus, the reasonable default on a workstation is "privacy address" and on
> a server is "public address", but on both for select applications it might
> be the other, and you should be able to override it.

Seems a good start.  

-d



> regards,
> 	spz
> -- 
> spz at serpens.de (S.P.Zeidler)
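The rule proposed above (workstation defaults to a privacy address, server to a public one, per-application override) only helps if an application has a knob for it. The following is an added example, not code from this thread or from any of the systems mentioned in it, showing the two mechanisms an application actually has on Linux: an explicit bind() to an operator-configured address, or the RFC 5014 IPV6_ADDR_PREFERENCES socket option that asks the kernel to prefer a temporary (RFC 4941) or a public source address when it picks one. Assumptions: the option number and flag values are taken from the Linux uapi headers (Python's socket module does not export them), the function names and the "workstation"/"server" role strings are invented for the example, and the kernel's readback combines the preference with a home-address bit, so callers test bits rather than compare for equality.

```python
# Added example: per-socket IPv6 source-address policy on Linux (RFC 5014).
# Not code from the ipv6-ops thread; option values below are assumptions
# taken from the Linux uapi headers and are not exported by Python's socket.
import platform
import socket
from enum import Enum

IPV6_ADDR_PREFERENCES = 72        # RFC 5014 option number on Linux (assumption)
IPV6_PREFER_SRC_TMP = 0x0001      # prefer a temporary (privacy, RFC 4941) address
IPV6_PREFER_SRC_PUBLIC = 0x0002   # prefer the stable public address


class AddrPref(Enum):
    PRIVACY = IPV6_PREFER_SRC_TMP
    PUBLIC = IPV6_PREFER_SRC_PUBLIC


def choose_preference(host_role, anonymous_ok=False, address_is_credential=False,
                      override=None):
    """Encode the thread's proposed rule as a policy function.

    host_role: "workstation" or "server" (sets the default)
    anonymous_ok: the app needs no authentication, or authenticates by some
        means other than its address
    address_is_credential: the peer reasonably needs trackability or weakly
        authenticates by source address (wins over anonymous_ok)
    override: an operator-configured AddrPref that wins over everything
    """
    if override is not None:
        return override
    if address_is_credential:
        return AddrPref.PUBLIC
    if anonymous_ok:
        return AddrPref.PRIVACY
    return AddrPref.PUBLIC if host_role == "server" else AddrPref.PRIVACY


def open_udp_socket(pref, source=None):
    """AF_INET6 UDP socket whose source address follows `pref`.

    With `source` (an address the admin configured, e.g. one of a server's
    several static addresses) we bind() and the choice is exact.  Without it
    the kernel still chooses, but IPV6_ADDR_PREFERENCES biases it towards a
    temporary or a public address among those eligible for the destination.
    """
    if platform.system() != "Linux":
        # Option number 72 means something else (or nothing) on other kernels.
        raise OSError("IPV6_ADDR_PREFERENCES value assumed here is Linux-only")
    s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    try:
        if source is not None:
            s.bind((source, 0))
        else:
            s.setsockopt(socket.IPPROTO_IPV6, IPV6_ADDR_PREFERENCES, pref.value)
    except OSError:
        s.close()
        raise
    return s


def read_preference(sock):
    """Kernel's view of the option as a bitmask.  Linux reports the TMP/PUBLIC
    preference OR'ed with a home/care-of bit, so test bits, not equality."""
    return sock.getsockopt(socket.IPPROTO_IPV6, IPV6_ADDR_PREFERENCES)


def probe_preference(pref):
    """Best-effort self-check: the read-back bitmask, or None when the host
    has no IPv6 sockets or no RFC 5014 support."""
    try:
        s = open_udp_socket(pref)
    except OSError:
        return None
    with s:
        return read_preference(s)


if __name__ == "__main__":
    # A stub resolver on a workstation versus a daemon on a server.
    resolver = choose_preference("workstation", anonymous_ok=True)
    daemon = choose_preference("server")
    print("resolver ->", resolver.name, "; daemon ->", daemon.name)
    print("kernel reports for resolver socket:", probe_preference(resolver))
```

Two caveats a practitioner should keep in mind. The option only expresses a preference: if no temporary address exists on the outgoing interface the kernel falls back to a public one, so an application that truly requires a privacy address must check getsockname() after connecting. And the extra randomness a privacy address contributes to DNS queries only changes when the temporary address rotates (RFC 4941 regenerates them on a timer), so it is far fewer fresh bits per query than source-port randomization provides.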


