PTR records for IPv6

S.P.Zeidler spz at serpens.de
Thu Sep 5 16:20:48 CEST 2013


Thus wrote Dan Wing (dwing at cisco.com):

> On Sep 4, 2013, at 4:43 AM, S.P.Zeidler <spz at serpens.de> wrote:
[...]
> > 
> > In an IPv6 world, network services (aka, smtp, http, dns, .. servers)
> > should -always- be bound (and bindable) to specific addresses both for
> > incoming and outgoing connections.
> 
> Some more precision around that statement would be useful, perhaps an Internet Draft to provide guidance to developers for when to choose a privacy address or the primary address.

I would like to ask application developers to make it configurable.
I'm a server admin most of my time and I like a combination of reasonable
default and the ability to change it best. Of course that leaves the
question of what a reasonable default is. :)

Note that with server configurations, you positively need to be able
to pick an address anyway, since "the primary address" may not exist,
instead you have a dozen public addresses to pick from. In my work
context, I think all servers have at least 3 static addresses, and even in
my for-fun context multiple published public addresses per server
are quite common.

> Choosing DNS from your list as one example, using privacy addresses for a query would add more bits of randomness, which DNS has been struggling to add since the Kaminsky attack (randomized source port, draft-vixie-dnsext-dns0x20, and other approaches).

Good point. DNS queries thus should probably default to a privacy address.
Another example of an application where the default probably should be
a privacy address even if that is not the system default (but privacy
addresses are available) is web browsers.

How about "if you expect anonymous connections to be ok, or if you expect
to authenticate to the server/peer by a means different than your address,
use a privacy address"?

Also, "if you expect the server/peer to have a reasonable requirement
for trackability, or to weakly authenticate the connection via your
address, use a public address".

Thus, the reasonable default on a workstation is "privacy address" and on
a server is "public address", but on both for select applications it might
be the other, and you should be able to override it.

regards,
	spz
-- 
spz at serpens.de (S.P.Zeidler)
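As an added illustration (not code from this thread or from any project named in it), the rule of thumb above turned into a configurable source-address choice for a Linux application: the admin setting is "auto", "privacy", "public", or a literal IPv6 address, and the preference is applied with the RFC 5014 socket option. The option values are taken from <linux/in6.h> and assumed to be supported by the running kernel; CPython's socket module does not export them, and every address and setting below is a constructed sample.

```python
import socket

# Linux values from <linux/in6.h> (RFC 5014 source address selection);
# defined here because the Python socket module does not export them.
# Assumption: Linux kernel with IPv6 support.
IPV6_ADDR_PREFERENCES = 72
IPV6_PREFER_SRC_TMP = 0x0001     # prefer a temporary ("privacy") address
IPV6_PREFER_SRC_PUBLIC = 0x0002  # prefer the stable public address


def default_policy(is_server, anonymous_ok, auth_by_address):
    """Rule of thumb from the post: public when the peer may weakly
    authenticate us by address; privacy when anonymous connections are
    fine; otherwise workstation -> privacy, server -> public."""
    if auth_by_address:
        return "public"
    if anonymous_ok:
        return "privacy"
    return "public" if is_server else "privacy"


def resolve_source(config_value, is_server, anonymous_ok, auth_by_address):
    """Map an admin setting to (bind_address, preference_flag).
    'auto' applies default_policy; 'privacy'/'public' set a preference
    and let the kernel pick the address; anything else must be a literal
    IPv6 address (the "dozen public addresses on a server" case)."""
    value = (config_value or "auto").strip()
    kind = value.lower()
    if kind == "auto":
        kind = default_policy(is_server, anonymous_ok, auth_by_address)
    if kind == "privacy":
        return ("::", IPV6_PREFER_SRC_TMP)
    if kind == "public":
        return ("::", IPV6_PREFER_SRC_PUBLIC)
    socket.inet_pton(socket.AF_INET6, value)  # raises OSError if not a literal
    return (value, None)


def make_socket(config_value, is_server=False, anonymous_ok=True,
                auth_by_address=False, sock_type=socket.SOCK_DGRAM):
    """Create an IPv6 socket bound per the resolved setting. A preference
    flag only steers source selection when no explicit address is bound."""
    addr, pref = resolve_source(config_value, is_server, anonymous_ok,
                                auth_by_address)
    s = socket.socket(socket.AF_INET6, sock_type)
    if pref is not None:
        s.setsockopt(socket.IPPROTO_IPV6, IPV6_ADDR_PREFERENCES, pref)
    s.bind((addr, 0))  # port 0: ephemeral; a server would pass its port
    return s
```

A DNS client would call make_socket("auto") on a workstation and get a temporary-address preference; a server admin pins one of the host's public addresses with make_socket("2001:db8::1", is_server=True).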