Earlier, Brian Carpenter wrote:
> I'm flattered to be cited, but I hope this doesn't convey the
> impression that the draft (now in the RFC queue) offers a
> solution. It's more of the nature of a problem statement and
> gap analysis. I think it would be helpful to state that, to
> avoid any false expectations.

(I'm one of the co-authors of this RFC-to-be.)

Brian is quite correct if he means that the document 
is neither a panacea nor a full solution for all situations.  

That noted, there are some places where the current document
describes practical methods that can be used today to ease site 
renumbering, along with some advice on avoiding known pitfalls.

Purely by way of example, IPsec VPNs can be configured
to use FQDNs with IKE, rather than using raw IP addresses.
I believe this has for many years been an IETF standards-track
capability. The DNS KX record (widely available in BIND 
for years now) can be used to locate the VPN gateway for a 
target domain.  Further, deployed support for Secure Dynamic
DNS Update is more widespread than commonly understood.[1]
So at least some of the documented methods to ease renumbering 
have worked well for years, within at least some operational
environments, but appear not to be widely known today in the 
operational world.[2]

Last, the document does offer some advice on how to move
towards a world where site renumbering would be easier.
This last might be the bit most relevant to future standards
work, as it might help avoid standardising approaches that
are known to impede site renumbering.

So I agree with the co-chairs that the document is relevant
to the recommendation, and I agree with Brian that it is
important to be clear in how/why that document is relevant.

Yours,

Ran


[1] Cricket Liu's DNS & BIND book, 5th Edition, reports that 
in some common configurations, Microsoft Windows Server silently 
enables dynamic DNS updates and uses them in conjunction with 
the DHCP server feature.  According to that credible report,
this works fine.  There are more recent reports of interoperability 
among the dynamic DNS implementations that support TSIG-GSS.

[2] I have a decade of personal operational experience with 
ISP-driven (i.e. not planned by the end site and without warning)
renumbering of end-sites where the VPNs automatically re-established 
themselves within a few RTTs of the renumbering of the VPN gateway 
device's public IP address.  This relied upon the IKE config
using the FQDN rather than the raw IP address.
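The FQDN-versus-raw-address behaviour described above, modelled as an added example (not code from this post or from any VPN implementation): the zone data, hostnames and addresses are constructed, and the KX-then-A lookup is a simplified stand-in for what a real resolver and IKE daemon would do.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data. The KX record names the VPN gateway host for the
# target domain; the A record holds the gateway's current public address,
# which is what an ISP-driven renumbering changes.
ZONE = {
    ("example.net.", "KX"): [(10, "vpn-gw.example.net.")],
    ("vpn-gw.example.net.", "A"): ["192.0.2.10"],
}
# Which public address the gateway host actually answers IKE on right now.
NETWORK = {"192.0.2.10": "vpn-gw.example.net."}


def gateway_for_domain(zone, domain):
    """Locate the VPN gateway for a domain via its KX record (lowest preference wins)."""
    kx = zone.get((domain, "KX"), [])
    if not kx:
        raise LookupError(f"no KX record for {domain}")
    return min(kx)[1]


@dataclass
class IkePeer:
    """Peer as written in the IKE configuration: a raw address or an FQDN."""
    spec: str

    def resolve(self, zone):
        try:
            return str(ipaddress.ip_address(self.spec))  # literal: fixed forever
        except ValueError:
            addrs = zone.get((self.spec, "A"), [])
            if not addrs:
                raise LookupError(f"no A record for {self.spec}")
            return addrs[0]  # FQDN: looked up again on every (re)initiation


def ike_initiate(peer, zone, network):
    """Return the gateway host that answered, or None if nothing listens there."""
    return network.get(peer.resolve(zone))


def renumber_gateway(host, new_addr, zone, network):
    """Unplanned renumbering: gateway moves to new_addr and its A record is
    updated (in practice via Secure Dynamic DNS Update)."""
    for addr in [a for a, h in network.items() if h == host]:
        del network[addr]
    network[new_addr] = host
    zone[(host, "A")] = [new_addr]


def reestablishes_after_renumbering(peer_spec):
    """True if a tunnel configured with peer_spec comes back after renumbering."""
    zone, network = {k: list(v) for k, v in ZONE.items()}, dict(NETWORK)
    peer = IkePeer(peer_spec)
    renumber_gateway("vpn-gw.example.net.", "198.51.100.7", zone, network)
    return ike_initiate(peer, zone, network) == "vpn-gw.example.net."
```

Configuring the peer as `gateway_for_domain(ZONE, "example.net.")` (the KX target) survives the renumbering; the literal `"192.0.2.10"` does not.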

_______________________________________________
rrg mailing list
http://www.irtf.org/mailman/listinfo/rrg