To: dnsop@cafax.se
From: Rob Austein <sra+dnsop@hactrn.net>
Date: Wed, 26 Mar 2003 13:08:32 -0500
In-Reply-To: <y7visu6sp7f.wl@ocean.jinmei.org>
Sender: owner-dnsop@cafax.se
User-Agent: Wanderlust/2.8.1 (Something) Emacs/20.7 Mule/4.0 (HANANOEN)
Subject: What problem were we trying to solve again? (was Re: Radical Surgery proposal: stop doing reverse for IPv6.)
Call me old fashioned, but I prefer to know what problem I'm trying to solve before chatting about solutions. George's original problem, paraphrased, was "the RIRs are putting some work into maintaining reverse trees, and would like to know whether anybody thinks this is useful." The answer boiled down to "yes, some people think that this is useful." Jinmei appears to be asking a different question, but I haven't yet figured out quite what it is. Jinmei?

Attempting to respond to one specific point in Jinmei's message:

At Wed, 26 Mar 2003 13:53:56 +0900, JINMEI Tatuya wrote:
>
> > Security usage of reverse is so absurd (given that DNSSEC will not help if
> > someone tries to put another domain as RDATA in PTR records) that it is
> > irrelevant.
>
> Can we all really agree on this point? I know many people in this
> thread (regardless of their position about reverse mapping) said a
> similar point, but I still see those who believe in the "security
> benefit" of reverse mapping.

It's more complicated than that. The fundamental problem is lack of a clear authorization model for use of IP addresses (v4 or v6, doesn't matter). What we have now is a mixture of two models:

1) Net admin assigns addresses, either manually or via a protocol like DHCP (and perhaps using some enforcement mechanism to restrict usage to authorized nodes, but probably not);

2) Node performs some kind of "seize and defend" operation, whether through some kind of autoconf mechanism or manual configuration.

It's just barely possible that some of the work coming out of the SEND (Securing Neighbor Discovery) WG will give us a third model for IPv6, but that work isn't very far along yet and I might just be confused.

Various people have observed that while it's theoretically possible for a node to prove that it has control over a DNS name (put a public key at the name, node proves it has corresponding private key), this does not solve the reverse tree problem in the general case, because of the difficulty of demonstrating that some otherwise unknown node is the authorized user of a particular IP address. So while the general case is hard, there are certain situations in which it is possible to put signed data into the reverse tree and have some assurance that the data is correct (e.g.: model 1 above, using the DHCP authentication model, which works in some cases but which has known scaling and mobility problems). Whether such data is useful in the cases where it is possible is another of those local usage questions that led us down the previous rathole. See also the IPSECKEY WG for another example of signed data that it may be useful to put into the reverse tree. YMMV.

Last, note that the authorization model for address prefixes isn't as hopeless as the authorization model for addresses. Whether that's a useful distinction depends on what problem we're trying to solve.

--Rob

#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
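As an added illustration of the quoted point above (this is example code, not part of the thread): a PTR record's RDATA can name any domain the address holder likes, so a check that stops at the PTR proves nothing about who controls the name; a forward-confirmed check resolves the claimed name back and accepts it only if it maps to the address. The zone data and the `lookup` helper are constructed here, standing in for a real resolver.

```python
import ipaddress

def rev(ip_text):
    """Reverse-tree owner name for an address (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(ip_text).reverse_pointer

# Constructed sample zone data (not real DNS records): (owner, type) -> RDATA list.
RECORDS = {
    (rev("10.0.0.5"), "PTR"): ["host.example.org."],
    ("host.example.org.", "A"): ["10.0.0.5"],
    # PTR whose RDATA names a host that does not map back to this address.
    (rev("10.0.0.9"), "PTR"): ["mail.bank.example."],
    ("mail.bank.example.", "A"): ["192.0.2.10"],
    (rev("2001:db8::1"), "PTR"): ["v6host.example.org."],
    ("v6host.example.org.", "AAAA"): ["2001:db8::1"],
}

def lookup(name, rtype):
    """Stand-in for a resolver query; empty list means no such RRset."""
    return RECORDS.get((name, rtype), [])

def fcrdns(ip_text):
    """Forward-confirmed reverse DNS for one address.

    Returns (status, names):
      'no-ptr'    - the reverse tree has no PTR for this address
      'confirmed' - at least one PTR name resolves back to the address
      'mismatch'  - PTR names exist but none of them maps back
    The PTR RDATA by itself is never trusted; only names that map back count.
    """
    ip = ipaddress.ip_address(ip_text)
    ptr_names = lookup(ip.reverse_pointer, "PTR")
    if not ptr_names:
        return "no-ptr", []
    forward_type = "AAAA" if ip.version == 6 else "A"
    confirmed = [
        name for name in ptr_names
        if any(ipaddress.ip_address(a) == ip for a in lookup(name, forward_type))
    ]
    return ("confirmed", confirmed) if confirmed else ("mismatch", ptr_names)
```

Even a confirmed result only shows that whoever controls the reverse delegation and the forward zone agree; it says nothing about whether the node currently using the address is authorized to, which is the authorization gap the message describes.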