

To: dnsop@cafax.se
From: Rob Austein <sra+dnsop@hactrn.net>
Date: Wed, 26 Mar 2003 13:08:32 -0500
In-Reply-To: <y7visu6sp7f.wl@ocean.jinmei.org>
Sender: owner-dnsop@cafax.se
User-Agent: Wanderlust/2.8.1 (Something) Emacs/20.7 Mule/4.0 (HANANOEN)
Subject: What problem were we trying to solve again? (was Re: Radical Surgery proposal: stop doing reverse for IPv6.)

Call me old fashioned, but I prefer to know what problem I'm trying to
solve before chatting about solutions.

George's original problem, paraphrased, was "the RIRs are putting some
work into maintaining reverse trees, and would like to know whether
anybody thinks this is useful."  The answer boiled down to "yes, some
people think that this is useful."

Jinmei appears to be asking a different question, but I haven't yet
figured out quite what it is.  Jinmei?

Attempting to respond to one specific point in Jinmei's message:

At Wed, 26 Mar 2003 13:53:56 +0900, JINMEI Tatuya wrote:
> 
> > Security usage of reverse is so absurd (given that DNSSEC will not help if
> > someone tries to put another domain as RDATA in PTR records) that it is
> > irrelevant. 
> 
> Can we all really agree on this point?  I know many people in this
> thread (regardless of their position about reverse mapping) said a
> similar point, but I still see those who believe in the "security
> benefit" of reverse mapping.

It's more complicated than that.  The fundamental problem is lack of a
clear authorization model for use of IP addresses (v4 or v6, doesn't
matter).  What we have now is a mixture of two models:

1) Net admin assigns addresses, either manually or via a protocol like
   DHCP (and perhaps using some enforcement mechanism to restrict
   usage to authorized nodes, but probably not);

2) Node performs some kind of "seize and defend" operation, whether
   through some kind of autoconf mechanism or manual configuration.

It's just barely possible that some of the work coming out of the SEND
(Securing Neighbor Discovery) WG will give us a third model for IPv6,
but that work isn't very far along yet and I might just be confused.

Various people have observed that while it's theoretically possible
for a node to prove that it has control over a DNS name (put a public
key at the name, node proves it has corresponding private key), this
does not solve the reverse tree problem in the general case, because
of the difficulty of demonstrating that some otherwise unknown node is
the authorized user of a particular IP address.

So while the general case is hard, there are certain situations in
which it is possible to put signed data into the reverse tree and have
some assurance that the data is correct (eg: model 1 above, using the
DHCP authentication model, which works in some cases but which has
known scaling and mobility problems).

Whether such data is useful in the cases where it is possible is
another of those local usage questions that led us down the previous
rathole.

See also the IPSECKEY WG for another example of signed data that it
may be useful to put into the reverse tree.  YMMV.

Last, note that the authorization model for address prefixes isn't
as hopeless as the authorization model for addresses.  Whether that's
a useful distinction depends on what problem we're trying to solve.

--Rob
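Added worked illustration of the point in the quoted passage (a PTR record can name any domain, and a DNSSEC signature on it does not change that); this is editorial example code, not part of Rob's message or of the thread. It runs a forward-confirmed reverse DNS check over a constructed in-memory zone table: the names under example.net / example.com and the addresses in the 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32 documentation ranges are assumptions made up for the example. The reverse-zone owner for 192.0.2.11 has published a signed PTR naming mail.example.com, a domain it does not control; the forward lookup of that name points elsewhere, so the check refuses it even though the PTR is signed.

```python
"""Forward-confirmed reverse DNS (FCrDNS) over a constructed zone table.

Editorial example, not from the dnsop thread.  A PTR record, signed or
not, is an assertion by whoever controls the reverse zone for that
address block.  DNSSEC proves the PTR was published by that zone's
signer; it does not prove the named domain agreed to be tied to the
address.  Looking the PTR target back up in the forward tree and
comparing it with the original address supplies that second half.
"""
import ipaddress

# Constructed sample zone data (hypothetical names and documentation
# addresses).  Owner name -> list of (rrtype, rdata, dnssec_signed).
ZONES = {
    # Reverse tree: what the address-block owner published, all signed.
    ipaddress.ip_address("192.0.2.10").reverse_pointer:
        [("PTR", "mail.example.net.", True)],
    # Names a domain the block owner does not control.
    ipaddress.ip_address("192.0.2.11").reverse_pointer:
        [("PTR", "mail.example.com.", True)],
    ipaddress.ip_address("2001:db8::25").reverse_pointer:
        [("PTR", "mx.example.net.", True)],
    # Forward tree: what the named domains say about themselves.
    "mail.example.net.": [("A", "192.0.2.10", True)],
    "mail.example.com.": [("A", "198.51.100.7", True)],
    "mx.example.net.":   [("AAAA", "2001:db8::25", True)],
}


def lookup(name, rrtype):
    """Return [(rdata, signed), ...] for name/rrtype from the constructed table."""
    return [(rd, signed) for (rt, rd, signed) in ZONES.get(name, []) if rt == rrtype]


def fcrdns(ip_text):
    """Forward-confirm the PTR for ip_text.

    Returns (status, ptr_target, ptr_signed) where status is one of
    "no-ptr", "confirmed" or "mismatch".  "mismatch" means a PTR exists
    but no forward A/AAAA record for its target contains the address,
    regardless of whether the PTR carries a DNSSEC signature.
    """
    ip = ipaddress.ip_address(ip_text)
    ptrs = lookup(ip.reverse_pointer, "PTR")
    if not ptrs:
        return ("no-ptr", None, False)
    forward_type = "A" if ip.version == 4 else "AAAA"
    for name, ptr_signed in ptrs:
        forward = [ipaddress.ip_address(rd) for rd, _ in lookup(name, forward_type)]
        if ip in forward:
            return ("confirmed", name, ptr_signed)
    # The reverse zone asserted a name, but that name does not claim the address.
    name, ptr_signed = ptrs[0]
    return ("mismatch", name, ptr_signed)


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.11", "2001:db8::25", "192.0.2.12"):
        print(addr, fcrdns(addr))
```

The check deliberately ignores the signed flag when deciding: a signature only authenticates the reverse-zone publisher, which is the wrong party to ask whether mail.example.com wants to be associated with 192.0.2.11. That is the gap between "the PTR is signed" and "the PTR is true" that the quoted passage refers to.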
