To:
dnsop@cafax.se
From:
Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date:
Thu, 17 Jul 2003 12:51:59 +0200
In-reply-to:
Your message of "Wed, 16 Jul 2003 18:04:20 BST." <20030716170420.GH3731@login.ecs.soton.ac.uk>
Sender:
owner-dnsop@cafax.se
Subject:
Re: TR : Stepping back on the DNS discovery discussion
-----BEGIN PGP SIGNED MESSAGE----- >>>>> "Tim" == Tim Chown <tjc@ecs.soton.ac.uk> writes: Tim> So where do you draw the boundary between "network device Tim> autoconfiguration" Tim> and "service discovery". For IPv4, you (manually or via DHCP) Tim> configure Tim> IPv4 address, netmask, gateway and DNS resolver(s) as the "basic" Tim> four components to be able to get up and running. In IPv6, when Tim> using stateless That's all you need *TODAY*. Given only those things, you are completely insecure. Anyone can spoof your MAC address or IP address, anyone can feed to bad data, or spoof the MAC of the nexthop router, etc. If you just want IPv6 to be IPv4-with-bigger-addresses, then fine, add DNS info to the RA. But, NATv4 works just as well for many people. While some people feel that the location of the nearest print server isn't critical information - it *is* if you run a print shop, and I arrive in to print things. In fact, the location of the print server might be more important than the gateway!!!! It is all in the eye of the beholder. If you want to be useful, then we need all of the other things that we have been doing with DHCPv4 for years to be available reliably. This means many other things too. Put the address of the DHCPv6 server in the RA, if you want to put anything in the RA. I know that there are ways to address it otherwise as well. ] At IETF57 in Wien, Austria | firewalls [ ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[ ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[ ] printk("Just another Debian GNU/Linux using, kernel hacking, security guy");[ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) Comment: Finger me for keys iQCVAwUBPxZ/zoqHRg3pndX9AQGZ2QQAgUD6f2fgKwnVRP+RJoBTrVf1EXtwMEw2 sEZLfj1ucMCKumCtQJgNq5gTTiAJo7waYAezaY6fPgzWISmV9eWlUuVKqIj3Dus6 rrbWy0uZF80PtR935bVyZAw8QKIWzofD4c8eACz4AnH/GX5XWYacLuin4NZ0Z30Z Fkpbhscz+BU= =umqV -----END PGP SIGNATURE----- #---------------------------------------------------------------------- # To unsubscribe, send a message to <dnsop-request@cafax.se>.