IPv6 Pain Experiment

Mark Andrews marka at isc.org
Thu Oct 3 01:25:54 UTC 2019



> On 3 Oct 2019, at 10:49 am, Doug Barton <dougb at dougbarton.us> wrote:
> 
> On 10/2/19 3:03 PM, Naslund, Steve wrote:
>> The next largest hurdle is trying to explain to your server guys that you are going to go with all dynamically assigned addressing now
> 
> Completely false, but a very common misconception. There is nothing about IPv6 that prevents you from assigning static addresses.

There is also nothing stopping machines updating their addresses in the DNS dynamically and securely.  Active Directory has been doing this for years with GSS-TSIG.  One can also use TSIG or SIG(0) to achieve the same thing.

Create a public key pair and store it in the DNS using a KEY record at the entity's name. Use SIG(0) signed update requests to update the records of the machine in the DNS as needed.  This works for all record types that need to be updated, be it address records or other records.  This is conceptually no different to an administrator adding a machine to an Active Directory domain.  See RFC 2136 (UPDATE), RFC 2931 (SIG(0)).

There are also drafts describing how to add machines on a first use basis that don’t require an administrator to add the KEY record and, when combined with TIMEOUT records (draft stage), get garbage collected.  This is most useful for home networks.

You can also add PTR records in reverse trees just by performing the update from the matching IP address over TCP.

Have a look at the dynamic update policies supported by the DNS server.

>> and explaining to your system admin that can’t get a net mask in v4 figured out, how to configure their systems for IPv6.
> 
> If they only need an outbound connection, they probably don't need any configuration. The instructions for assigning a static address for inbound connections vary by OS, but I've seen a lot of them, and none of them are more than 10 lines long.
> 
> Regarding the previous comments about all the drama of adding DNS records, etc.; that is what IPAM systems are for. If you're small enough that you don't need an IPAM for IPv4, you almost certainly don't for IPv6.
> 
> IPv6 is different, but it's not any more difficult to learn than IPv4. (You weren't born understanding IPv4 either.)
> 
> Doug

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
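The signed-update flow Mark describes above, as an added example that is not part of the original post and not ISC's code. It uses TSIG (a shared secret, RFC 2845/8945) rather than SIG(0) because the Python standard library has HMAC but no DNS public-key signing; a SIG(0) update has the same UPDATE body and puts a public-key signature in the same additional-section slot. The zone, host, key name and secret are constructed for the example, and the policy dict mimics the shape of a server update-policy that lets each host's key update only its own name.

```python
# Added example (not ISC's code): build a TSIG-signed RFC 2136 UPDATE with the
# Python standard library, then perform the server-side checks before accepting it:
# MAC, time window (replay), and an update-policy restricting a key to its own name.
# Zone, host and key names below are constructed for the example.
import hashlib
import hmac
import socket
import struct

TYPE_SOA, TYPE_AAAA, TYPE_TSIG = 6, 28, 250
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE = 5
HMAC_SHA256 = "hmac-sha256."          # TSIG algorithm name, carried as a DNS name


def encode_name(name):
    """Wire-format a dotted name (uncompressed, lowercased)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Read a name at off, following compression pointers. Returns (name, next offset)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # pointer: remember where the name ended
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii").lower())
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_update(msg_id, zone, host, addr):
    """RFC 2136 UPDATE: delete every AAAA at host, then add the new one."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 2, 0)
    zone_q = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    delete = rr(host, TYPE_AAAA, CLASS_ANY, 0, b"")   # class ANY + empty rdata = delete RRset
    add = rr(host, TYPE_AAAA, CLASS_IN, 300, socket.inet_pton(socket.AF_INET6, addr))
    return header + zone_q + delete + add


def tsig_variables(keyname, signed_at, fudge, error=0, other=b""):
    """The TSIG fields covered by the MAC (RFC 8945 section 4.3.3)."""
    return (encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(HMAC_SHA256)
            + signed_at.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(msg, keyname, secret, signed_at, fudge=300):
    """Client side: append a TSIG RR to an unsigned UPDATE and bump ARCOUNT."""
    mac = hmac.new(secret, msg + tsig_variables(keyname, signed_at, fudge), hashlib.sha256).digest()
    rdata = (encode_name(HMAC_SHA256) + signed_at.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac + msg[:2] + struct.pack("!HH", 0, 0))
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr(keyname, TYPE_TSIG, CLASS_ANY, 0, rdata)


def records(msg):
    """Yield (section, name, rtype, rclass, rdata, start) for every entry; section 0 is the zone."""
    off = 12
    for section, count in enumerate(struct.unpack("!HHHH", msg[4:12])):
        for _ in range(count):
            start = off
            name, off = decode_name(msg, off)
            if section == 0:
                rtype, rclass = struct.unpack("!HH", msg[off:off + 4])
                off, rdata = off + 4, b""
            else:
                rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
                rdata = msg[off + 10:off + 10 + rdlen]
                off += 10 + rdlen
            yield section, name, rtype, rclass, rdata, start


def verify_update(signed, keys, policy, now):
    """Server side. keys: keyname -> secret; policy: keyname -> names it may update
    (the shape of a 'self' update-policy rule). Returns (ok, reason)."""
    recs = list(records(signed))
    if not recs or recs[-1][0] != 3 or recs[-1][2] != TYPE_TSIG:
        return False, "unsigned"
    _, keyname, _, _, rdata, start = recs[-1]
    if keyname not in keys:
        return False, "unknown key"
    alg, p = decode_name(rdata, 0)
    if alg != HMAC_SHA256:
        return False, "unsupported algorithm"
    signed_at = int.from_bytes(rdata[p:p + 6], "big")
    fudge, maclen = struct.unpack("!HH", rdata[p + 6:p + 10])
    mac = rdata[p + 10:p + 10 + maclen]
    _orig_id, error, otherlen = struct.unpack("!HHH", rdata[p + 10 + maclen:p + 16 + maclen])
    other = rdata[p + 16 + maclen:p + 16 + maclen + otherlen]
    # Recreate what the client signed: the message without the TSIG RR, ARCOUNT one lower.
    arcount = struct.unpack("!H", signed[10:12])[0] - 1
    unsigned = signed[:10] + struct.pack("!H", arcount) + signed[12:start]
    expected = hmac.new(keys[keyname], unsigned + tsig_variables(keyname, signed_at, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad MAC"
    if abs(now - signed_at) > fudge:                # replay window; checked after the MAC per RFC
        return False, "outside time window"
    for section, name, *_ in recs:                  # section 2 is the update section
        if section == 2 and name not in policy.get(keyname, ()):
            return False, f"policy denies {keyname} updating {name}"
    return True, "accepted"


if __name__ == "__main__":
    secret = b"constructed-secret-use-tsig-keygen"   # constructed; real keys come from a key generator
    keys = {"host1.example.": secret}
    policy = {"host1.example.": {"host1.example."}}  # each host's key may only touch its own name
    now = 1570065954
    signed = tsig_sign(build_update(0x1234, "example.", "host1.example.", "2001:db8::1"),
                       "host1.example.", secret, now)
    print(verify_update(signed, keys, policy, now))
```

The policy check is the part worth copying into any server-side review: a valid signature only proves who sent the update, and it is the update-policy that decides which names that identity may change.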