>>>>> On Wed, 26 Jun 2002 22:11:11 +0300 (EEST), 
>>>>> Pekka Savola <[EMAIL PROTECTED]> said:

>> In my understanding, the threat imposed by malicious responses to
>> ICMPv6 node information query (Qtype = node name) is equal to
>> setting up DNS PTR records without forward zone administrators'
>> knowing.  For instance, anyone can set up DNS PTR records that return
>> "www.ietf.org".  Similarly, anyone can respond with ICMPv6 node
>> information reply with "www.ietf.org".

> That anyone setting DNS PTR records must be the administrator of an IP 
> address block, and that IP address block must have been assigned to him.  
> Seems like a big difference IMO.

It's true, but please concentrate on the main point of this discussion.

The point, IMO, is that even DNS PTR responses are not reliable enough
for access control purposes, as described in
draft-ietf-dnsop-inaddr-required-03.txt.  With this fact it does not
matter that DNS PTRs are much more reliable than node information
replies.  We can only use the responses/replies just as a hint anyway.
(DNSSEC may change the difference significantly, but it is not widely
deployed at least for now.)

In my understanding, the IESG comments do not oppose using node
information replies as a replacement/alternative of (insecure) DNS
PTRs.  They just suggest better wording about the applicability and
implication.  I think the comment is reasonable.

                                        JINMEI, Tatuya
                                        Communication Platform Lab.
                                        Corporate R&D Center, Toshiba Corp.
                                        [EMAIL PROTECTED]
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
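One defensive way to treat a PTR reply (and, by the same reasoning, a node information reply) as a hint rather than as an identity, as the message above argues: an added example, not code from the thread or from any IETF document, that performs a forward-confirmed reverse lookup against constructed in-memory records. All names, addresses and helper names here are assumptions; the lookup tables stand in for a real resolver.

```python
import ipaddress

def reverse_name(addr):
    """Reverse-lookup owner name for an IPv4/IPv6 address (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(addr).reverse_pointer

# Constructed sample data (not from the original thread).
# PTR zone: reverse name -> claimed host name.  Anyone who controls the
# reverse zone can put any name here, including one in a zone they do not own.
PTR_RECORDS = {
    reverse_name("2001:db8::1"): "host.example.net",   # legitimate mapping
    reverse_name("192.0.2.10"): "mail.example.net",    # legitimate mapping
    reverse_name("2001:db8::bad"): "www.ietf.org",     # spoofed claim (constructed)
}

# Forward zones: host name -> addresses published by the name's own administrator.
FORWARD_RECORDS = {
    "host.example.net": {"2001:db8::1"},
    "mail.example.net": {"192.0.2.10", "192.0.2.11"},
    "www.ietf.org": {"2001:db8::ffff"},   # constructed placeholder, not the real address
}

def fcrdns_verify(addr, ptr_records=PTR_RECORDS, forward_records=FORWARD_RECORDS):
    """Forward-confirmed reverse DNS check.

    Returns (verified, name).  'verified' is True only when the name claimed in
    the PTR record publishes 'addr' in its own forward zone, i.e. the forward
    zone administrator corroborates the claim.  A PTR alone is only a hint.
    """
    name = ptr_records.get(reverse_name(addr))
    if name is None:
        return False, None
    forward = {ipaddress.ip_address(a) for a in forward_records.get(name, ())}
    return ipaddress.ip_address(addr) in forward, name

def allow_by_domain(addr, allowed_domain):
    """Access-control decision based on a name: grant only after forward confirmation."""
    verified, name = fcrdns_verify(addr)
    if not verified:
        return False
    return name == allowed_domain or name.endswith("." + allowed_domain)

if __name__ == "__main__":
    for a in ("2001:db8::1", "2001:db8::bad", "192.0.2.10", "192.0.2.11"):
        print(a, fcrdns_verify(a), allow_by_domain(a, "example.net"))
```

The spoofed address carries a PTR for www.ietf.org but fails verification because the forward zone does not list it; 192.0.2.11 has a forward record but no PTR, so it is not verified either.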
