On Oct 22, 2009, at 3:03 PM, Vasil Kolev wrote:
В 11:10 -0700 на 22.10.2009 (чт), Owen DeLong написа:
OK... Here's the real requirement:
Systems administrators who do not control routers need the ability in
a dynamic host configuration mechanism to
assign a number of parameters to the hosts they administer through
that dynamic configuration mechanism. These
parameters include, but, are not limited to:
1. Default Router
2. DNS Resolver information
3. Host can provide name to server so server can supply dynamic DNS
update
4. IP Address(es) (v4, v6, possibly multiple v6 in the case of
things
like Shim6, etc.)
5. NTP servers
6. Boot server
7. Site specific attribute/value pairs (ala DHCPv4 Options)
These assignments MUST be controlled by a server and not by the
router
because the router is outside of the
administrative control of the Systems Administrator responsible for
the hosts being configured.
And to add a real-world case for this - two months ago at HAR (hacking
at random, a convention in the Netherlands) I was in the network team,
handling fun stuff like DHCP servers, DNS, etc.. We also provided IPv6
connectivity there (we had a /16 IPv4 zone and a /48 IPv6 zone), and
at
some point we asked the question around - ok, how should we provide
DNS
and other useful information for the V6 only people?
After a while with all the brains around, the decision was to write it
on the datenklos through the field, where people can read it and
configure it in their browsers. This would've been funny if it
wasn't so
sad.
OTOH, for V4 everything with the DHCP worked fine (as it has always
done, even at an event of this size), as is my experience with all the
networks I've administered. Saying that DHCP doesn't work for me is
extremely weird, as to me this means someone made specific effort to
fuck it up.
Finally - we have something that works, that's called DHCP. It might
not
be perfect, it might have some weird issues and implementations, but
it's actually making our lives easier, is tested and works. I'd love
anything that would be better, but as an option, not as the only
choice
I have.
And it's not just the protocol that I care about. I care about that
it's
implemented in a HOST, where I can play with the software as much as
possible, instead on a ROUTER, which is a vastly different device with
rarely-updated OS, and even in the case where they're both the same
machine(as in small office environments), they're again handled at
different layers (kernel vs userspace).
There are reasons that we're using what we're using, and not all of
them
are "because we're masochistic idiots".
--
Regards,
Vasil Kolev
Following on the comments above:
The security domain for HOST should not overlap the security domain
for ROUTER.
That is the primary driver of the separate administration of HOST and
ROUTER. Heaven help us if the latest M$ virus, or even social-
engineering distributed malware began to affect BGP!
Give the router managers the NTP server addresses and their DHCP
forwarding list and leave them alone to produce a robust and reliable
transport facility!
James R. Cutler
james.cut...@consultant.com