To:
Keith Moore <moore@cs.utk.edu>
cc:
ngtrans@sunroof.eng.sun.com, namedroppers@ops.ietf.org, ipng@sunroof.eng.sun.com, dnsop@cafax.se
From:
Robert Elz <kre@munnari.OZ.AU>
Date:
Wed, 08 Aug 2001 21:44:48 +0700
In-Reply-To:
<200108081308.JAA12968@astro.cs.utk.edu>
Sender:
owner-dnsop@cafax.se
Subject:
Re: (ngtrans) Joint DNSEXT & NGTRANS summary
    Date:        Wed, 08 Aug 2001 09:08:37 -0400
    From:        Keith Moore <moore@cs.utk.edu>
    Message-ID:  <200108081308.JAA12968@astro.cs.utk.edu>

  | if you use NATs to renumber, when you change prefixes the only thing
  | you change is the NAT.

This is only true if you only consider your own work. When you change addresses though, lots of other people need to update their firewall configurations, etc. The recent message on the ipng list from Isaac Aldrin (and apologies if I inverted that name - the mail headers weren't clear...) shows that quite clearly - a major problem is notifying your peers of the new address and having them update their configurations.

Of course, A6 doesn't solve that problem, though its use might make it a little simpler. That is, if I have an A6 record that defines my network prefix, that I refer to from the A6 records for all my host names, etc, then I can tell my peer sites that they can use that same A6 record to configure their firewalls (and they can verify it using dnssec, etc). Then, when my addresses change, which I make known in the DNS by updating my prefix A6 record, your firewall should be able to automatically update itself. Assuming I'm sane (and the circumstances allow), I'll have two different prefixes for a while; both would be made known from the same prefix name in the DNS, and your firewall would then allow both through during the transition - when the old address expires, your firewall will automatically stop allowing that old address in.

I'd hate to think how many IPv4 firewalls exist that have IP addresses configured in them, where the owner (user) of the IPv4 address now is completely unrelated to the user at the time the firewall was configured.

It's possible to achieve all this with AAAA as well; I could have an AAAA record that defines my prefix, but that would be used by nothing that I care about, so it would require real discipline to remember to keep that one updated. On the other hand, the A6 record would be referred to by most other A6 records in the zone file - that's one of the few that would need to be touched by a renumbering, so you can be fairly sure that updating it will never be forgotten.

  | if you renumber using IPv6, all of that state in routers, firewalls,
  | hosts, applications, etc has to change somehow, and it has to change
  | with minimal disruption of service. A6 only addresses one part of that.

This is certainly true. I don't think anyone is claiming that A6 solves any problems of itself. What it does is remove a part of one impediment to getting a solution. That doesn't sound like much, and it probably isn't ... but I'd rather not have that impediment than have to deal with it forever.

  | renumbering is a hard problem.

That's certainly true too.

kre
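As an added example, not part of Robert Elz's message or of any DNS implementation, the following Python models the A6 prefix chain he describes (RFC 2874 style: a host record carries only its low-order suffix bits and names the record that supplies the prefix) and a peer firewall whose allow-list is derived from DNS rather than from hard-coded addresses. The zone contents, owner names and addresses are constructed for illustration; the renumbering step changes only the prefix record and the peer's allow-list follows.

```python
# Added example: RFC 2874-style A6 chain resolution and a DNS-derived allow-list.
# All zone data below is constructed; names and addresses are documentation values.
import ipaddress

# Constructed zone: {owner: [(prefix_len, address_suffix, prefix_name), ...]}
# prefix_len == 0 means the record carries a complete address (end of chain).
ZONE = {
    "prefix.example.net.": [(0, "2001:db8:1::", None)],
    "host.example.net.":   [(48, "::1", "prefix.example.net.")],
}

def resolve_a6(zone, name, depth=0):
    """Return the set of full addresses for an A6 owner name by following
    prefix names recursively; each prefix record yields one address."""
    if depth > 8:                     # guard against looping chains
        raise ValueError("A6 chain too deep")
    addrs = set()
    for prefix_len, suffix, prefix_name in zone.get(name, []):
        suffix_int = int(ipaddress.IPv6Address(suffix))
        if prefix_len == 0:
            addrs.add(ipaddress.IPv6Address(suffix_int))
            continue
        suffix_mask = (1 << (128 - prefix_len)) - 1   # low (128 - len) bits
        suffix_int &= suffix_mask
        for prefix in resolve_a6(zone, prefix_name, depth + 1):
            prefix_int = int(prefix) & ~suffix_mask   # high prefix_len bits
            addrs.add(ipaddress.IPv6Address(prefix_int | suffix_int))
    return addrs

def firewall_allow_list(zone, names):
    """A peer's allow-list computed from DNS names instead of fixed addresses."""
    allowed = set()
    for n in names:
        allowed |= resolve_a6(zone, n)
    return sorted(str(a) for a in allowed)

def renumber(zone, new_prefix, keep_old=True):
    """Renumbering touches only the prefix record. With keep_old=True both
    prefixes are published for the transition, so peers allow both; a later
    call with keep_old=False retires the old one with no peer-side edits."""
    old = zone["prefix.example.net."]
    zone["prefix.example.net."] = (old if keep_old else []) + [(0, new_prefix, None)]

if __name__ == "__main__":
    z = dict(ZONE)
    print(firewall_allow_list(z, ["host.example.net."]))   # ['2001:db8:1::1']
    renumber(z, "2001:db8:2::")
    print(firewall_allow_list(z, ["host.example.net."]))   # both prefixes
    renumber(z, "2001:db8:2::", keep_old=False)
    print(firewall_allow_list(z, ["host.example.net."]))   # ['2001:db8:2::1']
```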