

To: Keith Moore <moore@cs.utk.edu>
cc: ngtrans@sunroof.eng.sun.com, namedroppers@ops.ietf.org, ipng@sunroof.eng.sun.com, dnsop@cafax.se
From: Robert Elz <kre@munnari.OZ.AU>
Date: Wed, 08 Aug 2001 21:44:48 +0700
In-Reply-To: <200108081308.JAA12968@astro.cs.utk.edu>
Sender: owner-dnsop@cafax.se
Subject: Re: (ngtrans) Joint DNSEXT & NGTRANS summary

    Date:        Wed, 08 Aug 2001 09:08:37 -0400
    From:        Keith Moore <moore@cs.utk.edu>
    Message-ID:  <200108081308.JAA12968@astro.cs.utk.edu>

  | if you use NATs to renumber, when you change prefixes the only thing
  | you change is the NAT.

This is only true if you only consider your own work.   When you change
addresses though, lots of other people need to update their firewall
configurations, etc.

The recent message on the ipng list from Isaac Aldrin (and apologies if
I inverted that name - the mail headers weren't clear...) shows that
quite clearly - a major problem is notifying your peers of the new address
and having them update their configurations.

Of course, A6 doesn't solve that problem, though its use might make it
a little simpler.   That is, if I have an A6 record that defines my network
prefix, that I refer to from the A6 records for all my host names, etc,
then I can tell my peer sites that they can use that same A6 record to
configure their firewalls (and they can verify it using dnssec, etc).
Then, when my addresses change, which I make known in the DNS by updating
my prefix A6 record, your firewall should be able to automatically
update itself.

Assuming I'm sane (and the circumstances allow), I'll have two different
prefixes for a while, both would be made known from the same prefix name
in the DNS, your firewall would then allow both through during the
transition - when the old address expires, your firewall will automatically
stop allowing that old address in.

I'd hate to think how many IPv4 firewalls exist that have IP addresses
configured in them, where the owner (user) of the IPv4 address now is
completely unrelated to the user at the time the firewall was configured.

It's possible to achieve all this with AAAA as well, I could have an AAAA
record that defines my prefix, but that would be used by nothing that I
care about, so it would require real discipline to remember to keep that
one updated.   On the other hand, the A6 record would be referred to by
most other A6 records in the zone file - that's one of the few that would
need to be touched by a renumbering, so you can be fairly sure that
updating it will never be forgotten.

  | if you renumber using IPv6, all of that state in routers, firewalls,
  | hosts, applications, etc has to change somehow, and it has to change
  | with minimal disruption of service.  A6 only addresses one part of that.

This is certainly true.   I don't think anyone is claiming that A6
solves any problems of itself.   What it does is remove a part of one
impediment to getting a solution.   That doesn't sound like much, and
it probably isn't ... but I'd rather not have that impediment, than
have to deal with it forever.

  | renumbering is a hard problem.

That's certainly true too.

kre
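Added example, not part of the message above and not code from any list participant: a small Python model of the A6 prefix-chaining and firewall-update scenario kre describes. The zone names (isp-a.example., isp-b.example., prefix.example.net., www.example.net., mail.example.net.) and the addresses are constructed for illustration and all lie in the 2001:db8::/32 documentation range. A6 records follow the RFC 2874 layout, prefix length, address suffix (the low-order 128 - prefix-length bits) and prefix name, and the example goes one level further than the text by chaining the site prefix under an ISP prefix so the chain walk is exercised twice. The firewall allow list is rebuilt from the chain each time, so adding a second site-prefix A6 during transition yields both addresses and removing the old one drops the old address, which is the behaviour described in the message; the lookup assumes the answers were already validated (for instance with DNSSEC) and does no validation itself.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Set


class A6(NamedTuple):
    """One A6 RR as in RFC 2874: high-order prefix_len bits come from the
    A6 records at prefix_name, the remaining low-order bits from suffix."""
    prefix_len: int
    suffix: str                     # IPv6 literal; only the low 128 - prefix_len bits count
    prefix_name: Optional[str]      # None only when prefix_len == 0 (terminal record)


# Constructed zone data (hypothetical names, documentation addresses).
# isp-a / isp-b hand out /40s; the site holds a /48 below one of them;
# hosts are /48 + 80-bit suffix.
ZONE: Dict[str, List[A6]] = {
    "isp-a.example.": [A6(0, "2001:db8:100::", None)],
    "isp-b.example.": [A6(0, "2001:db8:200::", None)],
    "prefix.example.net.": [A6(40, "0:0:1::", "isp-a.example.")],
    "www.example.net.": [A6(48, "::10", "prefix.example.net.")],
    "mail.example.net.": [A6(48, "::25", "prefix.example.net.")],
}

ALL_BITS = (1 << 128) - 1
MAX_CHAIN_DEPTH = 16            # guard against a prefix chain that loops


def resolve_a6(zone: Dict[str, List[A6]], name: str, depth: int = 0) -> List[ipaddress.IPv6Address]:
    """Walk the A6 chain for `name` and return every complete address it yields.
    A prefix name with several A6 records (as during renumbering) multiplies
    the results, which is exactly how both old and new prefixes appear at once."""
    if depth > MAX_CHAIN_DEPTH:
        raise ValueError(f"A6 chain too deep or looping at {name}")
    results: List[ipaddress.IPv6Address] = []
    for rr in zone.get(name, []):
        if not 0 <= rr.prefix_len <= 128:
            raise ValueError(f"bad prefix length {rr.prefix_len} at {name}")
        low_mask = (1 << (128 - rr.prefix_len)) - 1
        high_mask = ALL_BITS ^ low_mask
        suffix_bits = int(ipaddress.IPv6Address(rr.suffix)) & low_mask
        if rr.prefix_len == 0:
            # Terminal record: the suffix is the whole address.
            results.append(ipaddress.IPv6Address(suffix_bits))
            continue
        if rr.prefix_name is None:
            raise ValueError(f"A6 at {name} needs a prefix name")
        for prefix_addr in resolve_a6(zone, rr.prefix_name, depth + 1):
            combined = (int(prefix_addr) & high_mask) | suffix_bits
            results.append(ipaddress.IPv6Address(combined))
    return results


def allowed_sources(zone: Dict[str, List[A6]], names: List[str]) -> Set[str]:
    """Firewall allow list for a set of peer host names, derived from DNS
    rather than typed in as literal addresses.  Re-running this after the
    peer updates its prefix A6 is the 'automatic update' in the message."""
    allowed: Set[str] = set()
    for name in names:
        for addr in resolve_a6(zone, name):
            allowed.add(str(addr))
    return allowed


def renumber_site(zone: Dict[str, List[A6]], new_prefix_rr: A6, retire_old: bool) -> Dict[str, List[A6]]:
    """Return a copy of the zone with the site prefix moved: first add the
    new prefix record (transition, both valid), then optionally retire the old."""
    new_zone = {k: list(v) for k, v in zone.items()}
    site = new_zone["prefix.example.net."]
    site.append(new_prefix_rr)
    if retire_old:
        del site[0]
    return new_zone


if __name__ == "__main__":
    peers = ["www.example.net.", "mail.example.net."]
    print("before:    ", sorted(allowed_sources(ZONE, peers)))
    moving = renumber_site(ZONE, A6(40, "0:0:1::", "isp-b.example."), retire_old=False)
    print("transition:", sorted(allowed_sources(moving, peers)))
    done = renumber_site(ZONE, A6(40, "0:0:1::", "isp-b.example."), retire_old=True)
    print("after:     ", sorted(allowed_sources(done, peers)))
```

Only the single prefix A6 at prefix.example.net. is touched across the whole move; the host records and the peer's firewall configuration stay as they were, which is the point kre makes about the prefix record being one of the few things a renumbering has to change.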

