To:
"D. J. Bernstein" <djb@cr.yp.to>
Cc:
ngtrans@sunroof.eng.sun.com, namedroppers@ops.ietf.org, ipng@sunroof.eng.sun.com, dnsop@cafax.se
From:
Matt Crawford <crawdad@fnal.gov>
Date:
Sun, 22 Jul 2001 14:31:31 -0500
In-reply-to:
"21 Jul 2001 04:14:22 -0000." <20010721041422.31726.qmail@cr.yp.to>
Sender:
crawdad@gungnir.fnal.gov
Subject:
Re: NGtrans - DNSext joint meeting, call for participation
> Matt Crawford writes:
> > So if it's all right for your
> > interface ID and/or subnet information to persist for a month, but
> > you want to be able to change your global prefix(es) on a day's
> > notice, you get a 30-to-1 work savings on almost all of your RRsets.
>
> No. Under your one-month assumption, all records will be signed at least
> once a month, to eliminate the expiration-date security problem. The
> extra signings for renumbering happen only when renumbering happens.
>
> If we have 10000 30-day-notice MAC addresses with a 1-day-notice prefix,
> for example, and we have three renumberings over the next twenty years,
> the difference between AAAA and A6 is the difference between 2465000
> signings and 2442305 signings. Where's the 30-to-1 savings?

It's in the arithmetic, which I will do for you.  If you'll permit,
I'll round off to 360 days per year to make everything transparent.

Scenario AAAA: sign every RRset every day for 20 years.
	10,000 x 360 x 20 = 72,000,000

Scenario A6: sign the suffix RRsets 12 times a year for 20 years,
sign the one prefix RRset every day for 20 years.
	( 10,000 x 12 x 20 ) + ( 1 x 360 x 20 ) = 2,407,200

Ratio: 29.91 to 1.

This reminds me of a previous argument.

> Put differently: You've been saying that it's painfully expensive to
> sign every record.

Some may have said that, but I didn't.

> But now you're admitting that this has to be done at least a dozen
> times every year!

You seem surprised.

> Of course, the other serious problem with your argument is that your
> one-month assumption is wrong. It is _not_ acceptable for information to
> persist for a month.

Sometimes yes, sometimes no.  With A6 you get to treat parts
differently, according to their needs.

(And to whoever it was, not Dan, I think, who said you can't override
the MAC address on some hardware: that's utterly irrelevant.  You don't
need to autoconfigure your address and even if you do, you don't need
to use only that address.)
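The two correspondents above reach 2,465,000 vs 2,442,305 and 72,000,000 vs 2,407,200 from the same 10,000 hosts because they model the DNSSEC re-signing schedule differently: Bernstein re-signs every RRset once per 30-day signature lifetime and charges one extra signing per record per renumbering, while Crawford ties the signature lifetime of an RRset to the notice period on which its contents may change (one day for the prefix, a month for the suffix). The following is an added example, not code from either author or from the thread; it makes both sets of assumptions explicit as parameters of one signing-count model and reproduces both sides' figures. The function names, the 365.25-day year for Bernstein's horizon (the only value that yields his 7,305 prefix signings), and the placement of renumbering cost are my reconstruction, not something either message states.

```python
"""Signing-load model for the AAAA-vs-A6 exchange above.

Added example, not part of the original thread.  `aaaa_signings` and
`a6_signings` count DNSSEC signature operations over a horizon given
a signature lifetime per RRset kind; the two scenario functions plug
in each correspondent's (reconstructed) assumptions.
"""

HOSTS = 10_000  # the 10000 interface-ID records both messages use


def aaaa_signings(hosts, sig_period_days, horizon_days, renumberings=0):
    """Flat AAAA: every host has its own RRset carrying the whole address.

    Each RRset is re-signed once per signature period.  A renumbering
    changes the prefix bits of every address, so every RRset changes and
    must be re-signed once more per renumbering event.
    """
    signings_per_rrset = horizon_days / sig_period_days + renumberings
    return hosts * signings_per_rrset


def a6_signings(hosts, suffix_period_days, prefix_period_days, horizon_days):
    """A6: per-host suffix RRsets plus one shared prefix RRset.

    A renumbering rewrites only the prefix RRset, which is already being
    re-signed once per prefix period, so it adds no signings of its own.
    """
    suffix = hosts * (horizon_days / suffix_period_days)
    prefix = horizon_days / prefix_period_days
    return suffix + prefix


def djb_scenario():
    """Bernstein's figures (assumption: 20 years of 365.25 days = 7305 days).

    Every record, AAAA or A6 suffix, is re-signed every 30 days; the
    1-day-notice prefix is re-signed daily; three renumberings over the
    horizon each force one extra signing of every AAAA RRset.
    """
    horizon = 20 * 365.25  # 7305 days
    aaaa = aaaa_signings(HOSTS, 30, horizon, renumberings=3)
    a6 = a6_signings(HOSTS, 30, 1, horizon)
    return aaaa, a6


def crawford_scenario():
    """Crawford's figures (his stated 360-day years, 7200 days).

    An RRset that must be changeable on a day's notice carries a one-day
    signature and is therefore re-signed daily; a suffix that may persist
    for a month is re-signed monthly.  No separate renumbering term: the
    daily re-signing already covers any change.
    """
    horizon = 20 * 360  # 7200 days
    aaaa = aaaa_signings(HOSTS, 1, horizon)
    a6 = a6_signings(HOSTS, 30, 1, horizon)
    return aaaa, a6


def savings_ratio(scenario):
    """AAAA signings divided by A6 signings for a scenario function."""
    aaaa, a6 = scenario()
    return aaaa / a6


if __name__ == "__main__":
    for name, fn in (("Bernstein", djb_scenario), ("Crawford", crawford_scenario)):
        aaaa, a6 = fn()
        print(f"{name}: AAAA={aaaa:,.0f}  A6={a6:,.0f}  ratio={aaaa / a6:.2f}")
```

Run as a script it prints both pairs of totals; the point to take from it is that the "30-to-1" claim depends entirely on whether the signature lifetime of a flat AAAA RRset must shrink to the shortest notice period among the address's parts, which is the assumption the two messages disagree on.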