bill fumerola wrote:
> [ limiting my comments to the discussion surrounding section 4.1 ]

You mean avoiding the questions that people ask about your 'arguments'? :)

My main question about ULA-C still stands: how is it different from PI?

What is the advantage that it gives to The Internet, especially in light
of the fact that it will cause everybody on the Internet to have to make
special provisions to block this out, provide registry services etc.,
which are all already in place for the PI blocks that do exactly the
same thing?

> IFF ULA-C space is to exist and be registered/delegated, delegate the
> reverse blocks for that space as well. we so often beat the "addressing
> isn't routing" drum weekly. well, DNS isn't routing.

Without routing there is no DNS. And you are claiming to want to
disconnect the address space from the Internet. As such there is no DNS
that you can access in the first place. Or are you setting up a local
variant? If so why do you need the global one?

> DNS+ULA-C is not an end-run around PIv6.

Then what exactly is the purpose? Saying what it is not doesn't make it
something.

> DNS is an integral part of addressing and if
> we're going to move forward with ULA-C as delegated addressing then let
> us move forward with addressing in its entirety.

So you want a disconnected address space which gets connected to the
Internet? Sorry, but that more or less really implies NAT.

As you know DNS works in two ways: forward and reverse.
You will require forward DNS servers somewhere that have your zones with
local addresses anyway, so why not add the reverse ones too?
Are you publishing your forward DNS servers also on the global Internet?
I mean, when you interconnect with another company, you surely want them
to actually get the ULA-C addresses and not the ones that everybody on
the Internet uses, would you not?

I am fairly sure that security people are really happy to hear that they
'for simplicity' have their local DNS servers and the addresses
published on the Internet and accessible from that same Internet, so
that people can nicely traverse the tree and figure out which hosts are
where and find out a lot of information that they are not supposed to be
able to get as they are supposed to be for a local network.

> if organizations use a ULA-C block in their network, they shouldn't have
> to special case their DNS infrastructure such that every recursive server
> in their network has to slave from / forward to some special location
> to get accurate answers like they do now for RFC1918 and ULA-L.

So your previous argument that "they are doing this for decades" was
false and, as I mentioned, they have actually been doing it for a long
time already using local resolvers and split DNS, which works fine. It is
indeed not nice, but that is moreover inherent to the simple fact that
they chose not to use The Internet in the first place.

The mere fact that you are stating that these companies will otherwise
require split DNS simply implies that they are going to connect to the
Internet, so _why_ would you want to have those companies get an
address space that can never ever ever use that Internet? Maybe today
they don't want to use it on that Internet, but maybe next year they do.
It is really handy to be able to use SIP globally, for instance.
Unless what is most likely going to happen does happen: it will become
active on the Internet!?

If you don't want hosts to talk to "The Big Bad Internet": firewall it,
and as an added bonus, to keep it out completely: don't route it.

Having a DNS server sitting in both networks is not going to help there;
ever tried debugging such a setup? It is indeed a lot of fun, and
consultants are very happy to be able to bill you for it.

> if different organizations end up routing ULA-C blocks between autonomous
> networks they will already have the benefit of accurate PTR answers
> without lifting a finger.

They actually DO have to lift a finger: they have to configure Internet
connectivity on machines that are "officially" completely separated from
the Internet.

Let's take the example of The Pentagon*: they would really enjoy a "Unique
*LOCAL* Address" space, because then they can be completely independent
of the Internet. Now you are arguing that it would be a good thing that
they actually connect to that Internet to be able to get DNS!?

*=http://it.slashdot.org/article.pl?sid=07/06/22/021239

See the article, it is funny, though not so funny how they got in.

> resolution of a PTR record doesn't inch ULA-C
> addresses any further towards being PI space, just towards adding value.

Which value? I can also state that Coke is better than Pepsi, but why?

Also, on the point where people say "but I can firewall fc00::/7 easily
and I know that only partner networks are there, while the rest is the
big evil internet": ever thought about the fact that everyone can
generate/pick a ULA address and simply use it? Which is the same as
routing global unicast addresses from a different company. You really
need to trust per prefix, not per fc00::/7, which is an awfully big
block. The security breach might not happen at your place, it just might
happen at a partner...

I am not even going into the simple fact that addresses never should be
trusted as they can still be spoofed way too easily. As such, building
your 'firewall' on those assumptions is silly at best.

Greets,
 Jeroen
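The point above about trusting per prefix rather than per fc00::/7 can be made concrete. The following is an added example, not part of the original mail or of any IETF document: it picks a locally assigned ULA /48 the way anyone can (fd00::/8 followed by a random 40-bit global ID, as RFC 4193 lays out), then compares a filter that allows the whole fc00::/7 block against one that allows only specific partner prefixes. The partner prefixes and sample addresses are constructed values for illustration only.

```python
import ipaddress
import secrets

# The entire ULA block; a rule that trusts "all of fc00::/7" trusts this.
ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")

# Constructed example: the /48s our two known partners actually use.
PARTNER_PREFIXES = [
    ipaddress.IPv6Network("fd12:3456:789a::/48"),
    ipaddress.IPv6Network("fd9e:0bad:c0de::/48"),
]


def random_ula_prefix() -> ipaddress.IPv6Network:
    """Pick a locally assigned ULA /48 exactly as any third party can.

    fd (8 bits, the locally-assigned half of fc00::/7) + 40-bit random
    global ID = 48 prefix bits. No registry is involved, so nothing
    stops an unrelated network from ending up with a prefix in fc00::/7.
    """
    global_id = secrets.randbits(40)
    prefix_int = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def allowed_by_block_rule(addr: str) -> bool:
    """The coarse filter: anything inside fc00::/7 is treated as a partner."""
    return ipaddress.IPv6Address(addr) in ULA_BLOCK


def allowed_by_prefix_rule(addr: str, partner_prefixes) -> bool:
    """The per-prefix filter: only the partners' own /48s are trusted."""
    a = ipaddress.IPv6Address(addr)
    return any(a in prefix for prefix in partner_prefixes)


def compare_rules(addrs, partner_prefixes=PARTNER_PREFIXES) -> dict:
    """Return {address: (block_rule_result, prefix_rule_result)} for each input."""
    return {
        addr: (allowed_by_block_rule(addr),
               allowed_by_prefix_rule(addr, partner_prefixes))
        for addr in addrs
    }


if __name__ == "__main__":
    # A stranger's freshly generated ULA: inside fc00::/7, not a partner.
    stranger = random_ula_prefix()
    samples = [
        "fd12:3456:789a::1",          # real partner host
        str(stranger[1]),             # stranger's host, same /7 block
        "2001:db8::1",                # global unicast, neither rule matches
    ]
    for addr, (by_block, by_prefix) in compare_rules(samples).items():
        print(f"{addr:40} fc00::/7 rule: {by_block!s:5}  per-prefix rule: {by_prefix}")
```

Every run produces a different stranger prefix, and every run the fc00::/7 rule admits it while the per-prefix rule does not; that gap is exactly the "breach at a partner" (or at anyone who chose a ULA) that a block-wide trust rule cannot see.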

Attachment: signature.asc
Description: OpenPGP digital signature

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
