IPV6 renumbering painless?

Daniel Roesen dr at cluenet.de
Sat Nov 13 01:56:32 UTC 2004


On Fri, Nov 12, 2004 at 05:06:17PM -0800, Owen DeLong wrote:
> >OK, but this doesn't have any effect on your "Listen",
> >"NameVirtualHost" and "<VirtualHost>" statements of your httpd.conf,
> >"ListenAddress" in sshd.conf, "Bind" in proftpd.conf, "*-source" and
> >"listen-on*" in named.conf, [...]
> >
> True.  However, in all of the cases above except named.conf,
> names are a perfectly valid substitute for the IP address.

No. Those configs are read at boot-time. Now think about a power
outage recovery. Server comes up but cannot reach DNS when services
are starting up. Boom, your server's services bail out and are dead
in the water. To prevent this, you might fill your /etc/hosts with
your own FQDN-to-IP mappings, but this again has the problem of being
pretty static.

> >Not to forget all the IP address based ACLs.
> >
> I suspect that eventually, we will discover that ADDRESS-based
> ACLs simply do not scale to a V6 world, and, you will see support
> for other strategies, such as host-name based ACLs.

Layer 3 doesn't know host names. Nor does layer 4. Applications do.
Security requirements do often mandate working access control even
when DNS doesn't work or is compromised.


Regards,
Daniel

-- 
CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0
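An added example, not part of the thread, showing the two things Daniel's reply implies an administrator has to audit before renumbering: literal addresses in the listed directives that must be edited, and hostnames that the daemon will resolve at start-up, which fail after a power-outage recovery unless a static /etc/hosts entry covers them. The config excerpts, host names and the static-hosts set are constructed for the example.

```python
import ipaddress
import re

# Directives named in the thread (httpd, sshd, proftpd, named); named.conf uses
# "keyword [port N] { addr; ... };", the others use "keyword value".
DIRECTIVE_RE = re.compile(
    r"^\s*(?:Listen|NameVirtualHost|ListenAddress|Bind|listen-on(?:-v6)?"
    r"|(?:transfer|notify|query)-source(?:-v6)?)\s+(.+?)\s*;?\s*$", re.I)
VHOST_RE = re.compile(r"^\s*<VirtualHost\s+(.+?)>\s*$", re.I)
SKIP = {"port", "*", "any", "none", "_default_"}

def _targets(value):
    """Yield address/hostname tokens from a directive value, ports removed."""
    if "{" in value:                       # named.conf block form
        value = value[value.index("{") + 1:value.rindex("}")].replace(";", " ")
    for tok in value.split():
        if tok.startswith("["):            # [2001:db8::1]:443
            tok = tok[1:tok.index("]")]
        elif tok.count(":") == 1:          # 192.0.2.1:80 or www.example.com:80
            tok = tok.split(":")[0]
        if tok in SKIP or tok.isdigit():
            continue
        yield tok

def audit(config_text, static_hosts):
    """Return (literal_addresses, names_needing_dns) for one config file."""
    literals, needs_dns = [], []
    for line in config_text.splitlines():
        m = DIRECTIVE_RE.match(line) or VHOST_RE.match(line)
        if not m:
            continue
        for tok in _targets(m.group(1)):
            try:
                literals.append(str(ipaddress.ip_address(tok)))
            except ValueError:             # not an address: resolved at start-up
                if tok not in static_hosts:
                    needs_dns.append(tok)
    return literals, needs_dns

# Constructed sample excerpts (documentation prefixes, not real hosts).
SAMPLE_CONFIGS = {
    "httpd.conf": "Listen [2001:db8::1]:80\nNameVirtualHost *:80\n<VirtualHost www.example.net:80>\n",
    "sshd_config": "ListenAddress 2001:db8::1\nListenAddress mgmt.example.net:22\n",
    "proftpd.conf": "Bind 192.0.2.7\n",
    "named.conf": "listen-on-v6 port 53 { 2001:db8::1; };\ntransfer-source 192.0.2.7;\n",
}
STATIC_HOSTS = {"mgmt.example.net"}        # names /etc/hosts would cover at boot

def run_sample():
    """Audit every constructed excerpt against the static hosts set."""
    return {name: audit(text, STATIC_HOSTS) for name, text in SAMPLE_CONFIGS.items()}
```

Names reported in the second list are the ones whose services would bail out when DNS is unreachable at boot; addresses in the first list are the ones a renumbering has to touch.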


