Iljitsch van Beijnum wrote:
> 
> The discussion about draft-ietf-ipv6-unique-local-addr-00.txt bothers
> me.
> 
> First of all, what are we talking about here? I see two needs:
> 
> a) the need for stable addresses
> b) the need for private addresses
> 
> Let's first discuss a). The draft says that unique local addresses
> (ULAs) must not show up in the global/public DNS so two-faced DNS must be
> used for these addresses. But how is a DNS server supposed to know
> whether the other end can reach the ULAs in question? Consider the
> situation where two organizations with their own ULA space merge. Hosts
> continue to have ULAs as before, but now there is a second range of ULA
> space that is reachable. But how does the DNS for organization A know
> that the resolving DNS for organization B should know the ULAs, as DNS
> B arrives at DNS A through the usual root, TLD and so on route, where
> only globally routable addresses are used.

When you merge two organisations that are both running 2 faced DNS, you
have to merge the two DNS setups at the same time as you merge the
internal routing domains. There's no way out of that, but when you
perform the merge, the difficulty you describe goes away, and although
there is manual work, it is vastly less than if you had to merge two
FEC0::/10s or two net 10s.

> I see only two solutions: huge amounts of manual configuration, or
> having the ULAs in the DNS, but not using them unless you have a route
> for them. This of course requires that all reachable ULA ranges are
> advertised to all hosts using an IGP.

Of course. The IGP by definition knows all about the ULA prefixes.

> 
> Then there is b). Obviously b) assumes a). However, a) certainly DOES
> NOT imply b). I'm afraid many people will prove to be incapable of
> making the distinction and end up creating a big old mess for
> themselves.

There is scope for an O'Reilly book here, indeed.

> It also occurs to me that using the routing system as
> access control isn't the best idea ever. 

Agreed, but it's the best idea we have.

> Maybe it makes sense to set
> aside a range of private port numbers rather than a range of private
> addresses? (Simply filtering a single range of private ports in the
> network would certainly have made my life easier with all those worms.)

Given that large transaction processing systems occasionally run out
of dynamic ports, I don't think this would fly. And port-agile worms
are hardly unknown.

> 
> Finally, there is mention of using ULAs for VPNs. That makes no sense.
> If you use ULAs for a VPN, this means you can't reach the rest of the
> world over your VPN so you must do so using the unprotected
> connectivity that underlies the VPN. 

No. As Hans indicated, this is for establishing multiple VPNs with
multiple business partners, quite independently of how you reach
the global Internet.

> This is a huge security hole. VPNs
> should use regular routable address space.

That's a complete non-sequitur. The fact that I run 100 VPNs
in ULA space has no relevance to the security or insecurity of
my traffic to or from global space.

> 
> BTW, we can probably repeat the entire discussion as soon as there is a
> locator/identifier separation proposal on the table as it is very
> likely that the identifiers for that will be drawn from a special range
> of address space.

Not in my view. That isn't a required property of identifiers, although
ULA addresses would make perfectly fine identifiers.

  Brian
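The second solution Iljitsch sketches above (ULAs in the DNS, but used only when an IGP-learned route exists for them) can be illustrated with a small host-side address selection routine. This is an added example, not code from the thread or any draft; the prefixes, AAAA answers and route list are constructed sample values.

```python
"""Added example: pick usable destination addresses from a DNS answer set
that mixes ULA and global addresses, keeping a ULA only when the local
routing table (e.g. as populated by the IGP) has a route covering it.
All prefixes below are constructed for illustration."""
import ipaddress

# RFC-style ULA range fc00::/7; the draft's ULAs fall inside it.
ULA_PREFIX = ipaddress.ip_network("fc00::/7")

# Constructed sample: a host in merged org A+B receives these AAAA answers.
SAMPLE_ANSWERS = [
    "fd12:3456:789a::10",   # org A ULA, reachable via IGP
    "fdab:cdef:123::20",    # org B ULA, reachable after the merge
    "fdff::1",              # a ULA from some third party, no route
    "2001:db8::10",         # global address (documentation prefix)
]

# Constructed sample routing table as the IGP would leave it.  The default
# route must NOT count as reachability for ULAs: the global Internet does
# not carry them, so only explicit ULA-scoped routes qualify.
SAMPLE_ROUTES = ["fd12:3456:789a::/48", "fdab:cdef:123::/48", "::/0"]


def is_ula(addr: str) -> bool:
    """True if addr lies inside the unique local address block."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 6 and ip in ULA_PREFIX


def ula_routes(routes):
    """Keep only routes that are themselves inside fc00::/7; a default or
    other covering route does not prove a ULA is reachable."""
    nets = (ipaddress.ip_network(r, strict=False) for r in routes)
    return [n for n in nets if n.version == 6 and n.subnet_of(ULA_PREFIX)]


def usable_addresses(answers, routes):
    """Return answers a host should actually try, ULAs with a route first
    (local reachability preferred), then global addresses; ULAs without
    a matching route are dropped rather than attempted."""
    reachable = ula_routes(routes)
    keep_ula, keep_global = [], []
    for a in answers:
        if is_ula(a):
            ip = ipaddress.ip_address(a)
            if any(ip in n for n in reachable):
                keep_ula.append(a)
        else:
            keep_global.append(a)
    return keep_ula + keep_global
```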
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------