

To: Måns Nilsson <mansaxel@sunet.se>
Cc: dnsop@cafax.se
From: JINMEI Tatuya / 神明達哉 <jinmei@isl.rdc.toshiba.co.jp>
Date: Fri, 28 Mar 2003 00:19:46 +0900
In-Reply-To: <693620000.1048698209@localhost>
Sender: owner-dnsop@cafax.se
User-Agent: Wanderlust/2.6.1 (Upside Down) Emacs/21.2 Mule/5.0 (SAKAKI)
Subject: Re: Radical Surgery proposal: stop doing reverse for IPv6.

>>>>> On Wed, 26 Mar 2003 18:03:29 +0100, 
>>>>> Måns Nilsson <mansaxel@sunet.se> said:

>>> Security usage of reverse ...
>> 
>> Can we all really agree on this point?  I know many people in this
>> thread (regardless of their position about reverse mapping) said a
>> similar point, but I still see those who believe in the "security
>> benefit" of reverse mapping.

> I think people confuse "security" with "order". For instance, several IRC
> servers only let people in if forward and reverse match. This is just a
> simple test, just to see if the client in some fuzzy way comes from "the
> right side of the tracks". It does have echoes of "security", but it is really
> just a matter of "order". The same goes for ftp servers.

As others pointed out, I admit the wording "security" was too broad.
However, I don't see a difference between "security" and "order" in
terms of the tradeoffs between benefits and disadvantages.

>> Such approaches will include:
>> 
>> - wildcard reverse mapping for some upper zone
>> - ICMPv6 node information queries

> I think, to a certain extent, that these proposals are the result of the
> approach "Now we have a new IP version. Let's change everything that has
> annoyed us even a little bit, be it only from an aesthetic point of view"
> which has shown itself in various places in discussions wrt IPv6.

I see your frustration, but I'd respectfully say this is a subjective
argument that cannot lead to a productive result.  I, for one, have tried
to be rather conservative and not to propose changing existing
protocol/practices/implementations just because "we now have a new IP
version."  You may simply disagree, though.

> I argue that while the number of available addresses will be perceived as
> close to infinite when comparing v6 to v4, I find it hard to believe
> that the number of hosts will increase 79228162514264337593543950336
> (2^128 / 2^32) times as soon as we have v6 deployment. On the contrary, I
> believe that it will be gradual, pretty much as it was for v4, though I
> think it will be considerably faster.

> Therefore, the present techniques will be adaptable to v6, and with
> increasing automation (dhcp/dns interaction, dynamic updates,
> autogeneration based on arp tables, and the old-fashioned
> $EDITOR-in-zonefile), what have you, will be sufficient until we know (as
> opposed to guessing) what number of hosts will be typically deployed.

Probably they will, but this does not prohibit us from exploring a
"better" solution (at least for those who don't think the current
situation is best) that can be introduced gradually.

> IPv6 is not magic, it is just more address space. When will people
> understand? 

I don't know who "people" are or when the people will understand that,
but I've never believed or said IPv6 is magic.  I've always
understood it is essentially just more address space (though there are
still some unique characteristics, of course).

					JINMEI, Tatuya
					Communication Platform Lab.
					Corporate R&D Center, Toshiba Corp.
					jinmei@isl.rdc.toshiba.co.jp
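The "forward and reverse match" test mentioned in the quoted text, and the
IPv6 reverse names it would have to operate on, as an added example written
for this archive page (it is not code from any poster in the thread). It
implements forward-confirmed reverse DNS (FCrDNS): resolve the client's
address to PTR names, then resolve each name forward and accept only if the
original address comes back. The DNS data is constructed and injected as
plain dictionaries so that it runs offline; the host names, addresses and
the `fcrdns_match`/`check_sample_clients` helper names are this example's
own assumptions, and a real deployment would plug in a resolver library.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check, with IPv4 and IPv6 reverse names.

Added example for this thread, not any poster's code. All DNS data here is
constructed sample data, injected as dictionaries so the code runs offline.
"""
import ipaddress
from typing import Callable, Dict, List

Lookup = Callable[[str], List[str]]  # name -> list of record values

# Constructed PTR records, keyed by the reverse owner name (not real DNS).
SAMPLE_PTR: Dict[str, List[str]] = {
    "10.2.0.192.in-addr.arpa": ["host-a.example.net"],
    ipaddress.ip_address("2001:db8::1").reverse_pointer: ["host-b.example.net"],
    # A PTR whose claimed name does NOT forward-resolve back to this address:
    # a bare reverse lookup would accept it, FCrDNS will not.
    "20.2.0.192.in-addr.arpa": ["host-a.example.net"],
}

# Constructed forward (A/AAAA) records, keyed by host name (not real DNS).
SAMPLE_ADDR: Dict[str, List[str]] = {
    "host-a.example.net": ["192.0.2.10"],
    "host-b.example.net": ["2001:db8::1"],
}


def reverse_name(ip: str) -> str:
    """Owner name a server must query for PTR: in-addr.arpa for IPv4,
    the 32-nibble ip6.arpa form for IPv6 (the part that is painful to
    maintain by hand, which is what the thread is arguing about)."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns_match(ip: str, ptr_lookup: Lookup, addr_lookup: Lookup) -> bool:
    """True only if some PTR name for `ip` forward-resolves back to `ip`.

    This is the "order" check the quoted text describes: it shows that the
    reverse zone owner and the forward zone owner agree, nothing more.
    """
    addr = ipaddress.ip_address(ip)
    for name in ptr_lookup(addr.reverse_pointer):
        forward = {ipaddress.ip_address(a) for a in addr_lookup(name)}
        if addr in forward:
            return True
    return False


def check_sample_clients() -> Dict[str, bool]:
    """Run the check over the constructed data: matching v4 host, matching
    v6 host, a forged PTR, and an address with no PTR at all."""
    ptr = lambda name: SAMPLE_PTR.get(name, [])
    fwd = lambda name: SAMPLE_ADDR.get(name, [])
    clients = ("192.0.2.10", "2001:db8::1", "192.0.2.20", "192.0.2.30")
    return {ip: fcrdns_match(ip, ptr, fwd) for ip in clients}


if __name__ == "__main__":
    for ip, ok in check_sample_clients().items():
        print(f"{ip:>14} -> {reverse_name(ip)}  fcrdns={'ok' if ok else 'FAIL'}")
```

The forged-PTR case ("192.0.2.20") is the reason a server that admits
clients on reverse mapping alone gets "order" rather than "security": the
holder of the reverse zone can put any name there, and only the forward
confirmation ties the claim back to a zone the named host's owner controls.
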
