ISP customer assignments
Mark Andrews
marka at isc.org
Thu Oct 22 02:38:39 UTC 2009
In message <op.u156b0mztfhldh at rbeam.xactional.com>, "Ricky Beam" writes:
> On Tue, 20 Oct 2009 19:38:58 -0400, Bill Stewart <nonobvious at gmail.com>
> wrote:
> > ... If you've got a VPN tunnel device, too often the remote
> > end will want to contact you at some numerical IPv4 address and isn't
> > smart enough to query DNS to get it.
>
> As I was told by Cisco, that's a security "feature". Fixed VPN endpoints
> are supposed to be *fixed* endpoints. Yes, it is a pain when an address
> changes, for whatever reason. But relying on DNS to eventually get the
> endpoint(s) right is an even bigger mess... how often is the name<->IP
> updated?
It should be automatically updated by the end point. We do have
the technology to do that.
> how often do the various DNS servers revalidate those records?
If you are talking about caching servers then they will honour the
TTL in the records.
> how often do the VPN devices revalidate the names?
At startup. A well designed VPN protocol will support end point
address mobility.
> what happens when the dns changes while the vpn is still up?
This should be transparent to everything other than the vpn end
points.
> I'll stick with entering IP addresses.
>
> --Ricky
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
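Added example, not part of the thread: a small TTL-aware tracker for a VPN peer name, run against a constructed zone with a fake clock so it executes offline. It illustrates two points made above: a caching resolver honours the record TTL, so a change made "while the vpn is still up" is seen only once the cached record expires, and the worst-case lag is one TTL after the change. The peer name, addresses and TTLs are invented; nothing here is a real VPN product's behaviour.

```python
"""TTL-aware re-resolution of a VPN peer name (constructed example).

A PeerTracker re-resolves its peer's name only when the cached record's
TTL has run out, which is exactly what a caching resolver does.  The
simulation below renumbers the peer while the "tunnel" is up and records
when the tracker notices.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    """One A record: address plus TTL in seconds."""
    address: str
    ttl: int


class FakeClock:
    """Monotonic clock we can advance by hand so the example needs no sleeping."""
    def __init__(self) -> None:
        self.t = 0

    def now(self) -> int:
        return self.t


class PeerTracker:
    """Tracks the address behind a peer name, honouring the record TTL."""

    def __init__(self, name: str, resolve: Callable[[str], Record],
                 now: Callable[[], int]) -> None:
        self.name = name
        self._resolve = resolve
        self._now = now
        self._cached: Optional[str] = None
        self._expires_at = 0
        # (time, old_address, new_address) for every change we observe
        self.changes: List[Tuple[int, str, str]] = []

    def current(self) -> str:
        """Return the peer address, re-resolving only after the TTL expires."""
        t = self._now()
        if self._cached is None or t >= self._expires_at:
            rec = self._resolve(self.name)
            self._expires_at = t + rec.ttl
            if self._cached is not None and rec.address != self._cached:
                self.changes.append((t, self._cached, rec.address))
            self._cached = rec.address
        return self._cached


def simulate(ttl: int = 300, change_at: int = 100) -> Dict[str, object]:
    """Constructed scenario: the peer renumbers at `change_at` seconds.

    Returns what the tracker saw at three moments: tunnel bring-up, just
    after the zone changed, and one full TTL after the change.
    """
    clock = FakeClock()
    name = "vpn-peer.example.net"          # hypothetical peer name
    zone = {name: Record("192.0.2.1", ttl)}  # documentation-range addresses

    def resolve(qname: str) -> Record:
        # Stand-in for a real lookup; returns whatever the zone holds now.
        return zone[qname]

    tracker = PeerTracker(name, resolve, clock.now)
    seen: Dict[str, object] = {}

    seen["t0"] = tracker.current()           # first resolution at bring-up

    clock.t = change_at                      # operator renumbers the peer
    zone[name] = Record("198.51.100.7", ttl)
    seen["after_change"] = tracker.current() # stale if TTL has not expired

    clock.t = change_at + ttl                # every cache has expired by now
    seen["after_ttl"] = tracker.current()    # new address is visible
    seen["changes"] = list(tracker.changes)
    return seen


if __name__ == "__main__":
    for ttl in (300, 60):
        result = simulate(ttl=ttl, change_at=100)
        print(f"TTL={ttl}s: t0={result['t0']} after_change={result['after_change']} "
              f"after_ttl={result['after_ttl']} changes={result['changes']}")
```

With a 300 s TTL the tracker still hands out the old address 100 s after the change and only switches once the cached record expires; with a 60 s TTL the same query already returns the new address. Lowering the TTL ahead of a planned renumbering is what keeps that window short.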