IPv6 Confusion
- Subject: IPv6 Confusion
- From: Mark_Andrews at isc.org (Mark Andrews)
- Date: Wed, 18 Feb 2009 12:55:53 +1100
- In-reply-to: Your message of "Tue, 17 Feb 2009 15:20:39 -1000." <[email protected]>
In message <33415E7E-23F2-45F2-9281-AB1685DEE4CE at virtualized.org>, David Conrad
writes:
>
> On Feb 17, 2009, at 1:55 PM, Mark Andrews wrote:
> >> (which was never fully
> >> thought out -- how does an autoconfig'd device get a DNS name
> >> associated with their address in a DNSSEC-signed world again?) and
> >> letting network operators use DHCP with IPv6 the way they do with
> >> IPv4.
> > David you know as well as I do that DNSSEC is an orthogonal
> > issue here.
>
> My understanding, which may well be wrong, is that:
>
> - stateless auto-configuration assumes the client will update the
> address to name association once it has obtained the address.
> - In order to do this, the DNS server needs to support Dynamic DNS.
> - If DNSSEC is in use, it requires the use of on-line signing keys.
> - Security folks get unhappy when you mention on-line signing keys.
Security is about managing risk, not eliminating all risks,
as that is an unobtainable goal. Security folks that don't
understand that don't understand their jobs.
> Solution?
>
> - Don't have address to name associations
> - Don't worry about (or accept lesser) security on address to name
> associations.
DNSSEC is designed to work with off-line signing if that is
the security level you require. It doesn't however require
off-line signing.
An HSM which just prevents access to the private key is more
than enough for most deployment scenarios.
> Of course the DNSSEC bit is sort of moot, as I suspect there aren't a
> whole lot of ISPs in a position to support dynamic updates from
> clients...
Actually I suspect they are all in a position to do so as
the software to do this was deployed by the major vendors
last century.
What it takes is for them to move from the arcane dialup
model, where there was no point in doing this, to the
semi-static model, where there is a point in letting the
lessees have the ability to record the names of their
machines in the DNS. In other words, ISPs need to enter the
21st century.
Mark
> Regards,
> -drc
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
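An added example, not code from this thread or from ISC: a BIND 9 named.conf fragment showing the arrangement Mark describes, where each customer holds a TSIG key that is only allowed to create or delete records under its own delegated IPv6 prefix (and its own forward label), and named signs the updated RRsets on line from keys in its key directory, so the zone stays DNSSEC-signed without anyone taking the zone off line. The zone names, the customer prefix 2001:db8:1::/64, the key name and the secret are placeholder assumptions; the option names are BIND 9.9 to 9.18 syntax (newer releases replace auto-dnssec with dnssec-policy), and holding the signing keys in an HSM via PKCS#11 is not shown.

```conf
// Added example, not from the thread. Placeholders: example.net, the ISP
// block 2001:db8::/32, customer prefix 2001:db8:1::/64, key name, secret.

// One TSIG key per customer (or per host); generate with tsig-keygen.
// The secret below is a placeholder, not valid base64 for a real key.
key "cust1.example.net." {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET==";
};

// Reverse zone for the ISP's /32: 2001:db8::/32 -> 8.b.d.0.1.0.0.2.ip6.arpa
zone "8.b.d.0.1.0.0.2.ip6.arpa" {
    type master;
    file "db.8.b.d.0.1.0.0.2.ip6.arpa";
    key-directory "/etc/bind/keys";   // ZSK/KSK that named uses to sign on line
    inline-signing yes;               // unsigned master stays editable; updates are signed as they land
    auto-dnssec maintain;             // pick up key rollovers from key-directory
    update-policy {
        // identity (TSIG key)   nametype   name                                   types
        // cust1 may only touch PTR records inside its own /64:
        // 2001:db8:1::/64 -> 0.0.0.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa
        grant cust1.example.net. subdomain 0.0.0.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. PTR;
    };
};

// Forward zone: each customer is confined to names under its own label.
zone "example.net" {
    type master;
    file "db.example.net";
    key-directory "/etc/bind/keys";
    inline-signing yes;
    auto-dnssec maintain;
    update-policy {
        grant cust1.example.net. subdomain cust1.example.net. A AAAA;
    };
};
```

A host in the customer's prefix then registers itself with an RFC 2136 UPDATE signed by that key (for example with nsupdate -k pointing at the key file); the update-policy is what keeps one customer from rewriting another customer's PTR or forward records, while the key-directory plus inline-signing is the "on-line signing key" David mentions: the ZSK is readable by named, so the risk being accepted is compromise of the name server host, not of the whole DNSSEC chain, and the KSK can still live off line or in an HSM.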