--On Monday, September 08, 2003 23:42 +0200 Iljitsch van Beijnum <[EMAIL PROTECTED]> wrote:
Let's first discuss a). The draft says that unique local addresses (ULAs) must not show up in the global/public DNS, so two-faced DNS must be used for these addresses. But how is a DNS server supposed to know whether the other end can reach the ULAs in question? Consider the situation where two organizations with their own ULA space merge. Hosts continue to have ULAs as before, but now there is a second range of ULA space that is reachable. But how does the DNS for organization A know that the resolving DNS for organization B should know the ULAs, as DNS B arrives at DNS A through the usual root, TLD and so on route, where only globally routable addresses are used?
Finally, there is mention of using ULAs for VPNs. That makes no sense. If you use ULAs for a VPN, this means you can't reach the rest of the world over your VPN so you must do so using the unprotected connectivity that underlies the VPN. This is a huge security hole. VPNs should use regular routable address space.
From what I have seen, these two are related and workable:
The use of VPNs, it seems to me, was mentioned when multiple organizations or multiple sites use local addressing; the VPN tunnels use global addresses, the "inner" packets use local addressing. Once you do that, you can connect the DNS servers so Org A and B query each other's "internal" servers.
Hans Kruse, Associate Professor
J. Warren McClure School of Communication Systems Management
Adjunct Associate Professor of Electrical Engineering and Computer Science
Ohio University, Athens, OH, 45701
740-593-4891 voice, 740-593-4889 fax
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
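As an added illustration of the two-faced DNS point raised in this exchange (not code from either poster or from the draft), the following Python model shows the decision a ULA-aware DNS server has to make: it can only hand out ULA records to a querier whose source address lies in a ULA prefix the server has explicitly been told is reachable, for instance because a VPN carrying ULAs in its inner packets connects the two sites. The merger case is modeled by adding organization B's prefix to that list, which is exactly the information the public root/TLD delegation chain never conveys. The /48 prefixes, host addresses and zone names are constructed for the example; fc00::/7 is the block that RFC 4193 later assigned to unique local addresses.

```python
import ipaddress

# fc00::/7 is the block RFC 4193 eventually assigned to unique local
# addresses; fd00::/8 is the locally assigned half actually in use.
ULA_BLOCK = ipaddress.ip_network("fc00::/7")

# Constructed /48 prefixes for the two organizations in the discussion.
ORG_A_ULA = ipaddress.ip_network("fd12:3456:789a::/48")
ORG_B_ULA = ipaddress.ip_network("fdab:cdef:123::/48")

# Constructed zone data: every name has a ULA record; only some also have
# a globally routable address suitable for the public view.
ZONE = {
    "intranet.example": {"ula": "fd12:3456:789a:1::10", "global": None},
    "www.example": {"ula": "fdab:cdef:123:2::80", "global": "2001:db8:1::80"},
}


def is_ula(addr):
    """True if addr falls inside fc00::/7."""
    return ipaddress.ip_address(addr) in ULA_BLOCK


def in_internal_view(client_addr, reachable_prefixes):
    """A querier gets the internal view only if its source address lies in a
    ULA prefix this server has been told is reachable (e.g. over a VPN whose
    inner packets carry ULAs).  A querier arriving over the public Internet
    has a global source address and never matches."""
    client = ipaddress.ip_address(client_addr)
    return any(client in prefix for prefix in reachable_prefixes)


def answer_aaaa(name, client_addr, reachable_prefixes):
    """Return the AAAA answers for name as seen by client_addr.

    Public queriers never see ULAs.  Internal queriers see the ULA first,
    followed by the global address if one exists."""
    record = ZONE.get(name)
    if record is None:
        return []
    internal = in_internal_view(client_addr, reachable_prefixes)
    answers = []
    if internal:
        answers.append(record["ula"])
    if record["global"] is not None:
        answers.append(record["global"])
    # Invariant from the draft: nothing handed to a public querier is a ULA.
    if not internal:
        assert not any(is_ula(a) for a in answers)
    return answers


if __name__ == "__main__":
    before_merger = [ORG_A_ULA]
    after_merger = [ORG_A_ULA, ORG_B_ULA]
    org_b_host = "fdab:cdef:123:5::2"  # constructed host in org B's ULA space
    print("Org B querier, before merger:",
          answer_aaaa("intranet.example", org_b_host, before_merger))
    print("Org B querier, after merger: ",
          answer_aaaa("intranet.example", org_b_host, after_merger))
    print("Public querier:              ",
          answer_aaaa("www.example", "2001:db8:9::1", after_merger))
```

The list passed as `reachable_prefixes` is the piece of state that has to be configured by hand on both sides after a merger or VPN setup; nothing in the normal resolution path from the root down can populate it, which is the gap the first paragraph of the quoted message points at.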
