IPv6 Confusion

Leen Besselink leen at consolejunkie.net
Wed Feb 18 02:19:10 UTC 2009

Mark Andrews wrote:

>> >> (or just pre-populate the DNS with DHCP-2001-9A98-D247-{5more}.ISP.com and be
>> >> done with it like many places do for IPv4)
> >
> > 	Which still leaves the problem of how does the machine get its
> > 	name in a trusted manner.
> >

I don't know about that, but I do have an idea about how you could atleast have
a start to verify the things you receive. Tell me if I'm stupid and need more
sleep. And yes I didn't check, but I don't think anyone created a protocol for
this yet. It's just some things that came to mind.

Let's see...

For a start, you might want to be able to validate through DNSSEC the PTR-records
of the global-addresses you receive 'from the network'.

Let's say you have a few /64 (global, fe80:: and possible also ULA) on the network,
you autoconfigure an address with SLAAC, you get information about a gateway
and a recursive nameserver (yes maybe from DHCPv6, doesn't really matter for
this discussion).

The host with the newly aquired address(es) has a forwarding DNSSEC-validating
recursor on localhost with the public key for the root.

Which asks the recursive nameserver on the network for all the DNSSEC-records
it needs from the root down to verify any PTR-record about the global-addresses
it received like gateway or that recursive nameserver. This means you can use the
recursive nameserver on the network, without trusting it (at first ?), you are
just using it as a cache.

After that you can check the AAAA-record for the name you got from the PTR to
see if they all match up (like HELO/MX/PTR-records for mailservers).

If everything checks out ok, then you know everything is controlled by the same
organisaion(s) and that they are legit.

If you have that information you could use it to get other key-material from DNS,
maybe even opportunistic IPSec-keys, so you can start encrypting all communications.

I do know I don't like the complexity of DNSSEC, but if we do get it to work,
maybe something like this could actually work (atleast in theory).

I'm going to have a good night's sleep now, although I'll probably kick myself in
the morning for mentioning something stupid.

I keep wondering which we'll implement first, DNSSEC or IPv6. My guess is on IPv6,
because of the implementation complexity of DNSSEC.

PS I'm not a native english speaker

More information about the NANOG mailing list