Ran, I think you're missing the point. What I am suggesting is that the routers, which learn DNS servers via DHCPv6 or RDNSS, can pass around those DNS servers inside the routing protocol that runs in the homenet. The hosts would then get the information from the routers using DHCPv6 or RDNSS, just like they do today.
The routing protocol can be secured in the usual ways that routing protocols are secured (e.g., using MD5 secrets). I really don't see what security issues this introduces. Cheers, Lorenzo On Sat, Oct 27, 2012 at 12:59 AM, RJ Atkinson <[email protected]> wrote: > > On 25 Oct 2012, at 20:33 , Lorenzo Colitti wrote: > >> I'm also nervous about both DNS authorisation > >> and DNS authentication. Who is allowed to make > >> which DNS advertisements and how do I authenticate > >> the received DNS advertisement as both valid and > >> authorised ? > >> > > > > I don't see a difference. There is no authorisation or > > authentication today. When you get a DNS server via DHCP, > > you believe it, or choose not to believe it, > > based on no information at all. > > 1) DHCP Authentication is standardised. [RFC 3118] > Multiple implementations of DHCP Authentication exist. > So this can be deployed/used in environments where > DHCP Authentication is deemed sensible. > > 2) DNS Security is standardised. [RFC 4033 et alia]. > Multiple implementations of DNSsec exist. Deployment > of DNSsec is growing much faster than initially > expected. So this can be deployed/used in environments > where DNS Authentication is deemed sensible. > > 3) It appears that DNSsec still can be used with mDNS. > So again, this can be deployed/used in environments > where DNS authentication is deemed sensible. > > So, a proposal with no capability to authenticate > information, or address authorisation issues, seems > very much like a non-starter. At the very least, > authentication needs to be specified/available, > and the authorisation issues need to be addressed. > > > If there's a rogue DHCP server on the link that hands you > > a rogue DNS server, then guess what, you lose. > > This is not true if DHCP Authentication has been deployed. > Instead, the quote above is a very good supporting justification > for comments that we need to specify mechanisms both that > can provide authentication and do address authorisation issues. > > > (From a different, purely practical, perspective) > > I would guess that any proposal with less security capability > than we have today (i.e. with DHCP Authentication, DNSsec) > would be rejected by the IETF Security Area when they perform > their Area Review (which is usual prior to IESG approval > of any IETF track document). > > Yours, > > Ran > > _______________________________________________ > homenet mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/homenet >
_______________________________________________ homenet mailing list [email protected] https://www.ietf.org/mailman/listinfo/homenet
