Hi Michael:
If my interpretation is correct, the mapping between IP address and name is 
only valid for a specific session or connection; when the session or connection 
is torn down, 
the mapping is no longer valid even though you cached it, especially when the TTL 
exceeds the preconfigured period of time.
I am wondering whether the session expiration time is also cached together with the 
mapping as the state?

-Qin
-----Original Message-----
From: OPSAWG [mailto:opsawg-boun...@ietf.org] On Behalf Of Michael Richardson
Sent: 26 October 2023 6:14
To: Eliot Lear <l...@lear.ch>
Cc: Rob Wilton (rwilton) <rwilton=40cisco....@dmarc.ietf.org>; opsawg@ietf.org; 
draft-ietf-opsawg-mud-iot-dns-considerati...@ietf.org
Subject: Re: [OPSAWG] AD review of draft-ietf-opsawg-mud-iot-dns-considerations-08


Eliot Lear <l...@lear.ch> wrote:
    > On 23.10.2023 17:27, Michael Richardson wrote:
    >> Maybe someone else can explain it back to me in a better way.

    > The fundamental issue is this:

    >  * If you are permitting an IP address in an ACL based on a name in a
    > MUD file, the mapping to that address is valid for the greater of the
    > TTL on the name or the state of a connection, assuming you have that
    > state.  If the state isn't there and endpoints inappropriately cache
    > the name beyond TTL, That Would Be Bad.

The section involved is about why you can't go from IP address to name.
Assuming that you could make it work once, the point of the section is that you 
have to keep doing it every TTL period.  It's not the TTL on the name, but the 
TTL on the PTR record...

I'm just going to truncate like this (section "Too slow"):

    While subsequent connections to the same site (and subsequent packets in
    the same flow) will not be affected if the results are cached, the effects
    will be felt.
    The ACL results can be cached for a period of time given by the TTL of
    the DNS results.


--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-                      *I*LIKE*TRAINS*



_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg
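A worked example, added here and not part of the thread or of the draft: a small Python model of a name-based ACL of the kind the MUD discussion above is about. It caches the name-to-address mapping for exactly the DNS TTL, refuses new connections once that TTL has expired until the name is re-resolved, and keeps an already-established flow open past the TTL, which is the "greater of the TTL on the name or the state of a connection" rule quoted from Eliot. The host name, addresses, TTL values, device addresses and time stamps are all constructed for illustration.

```python
"""Toy model of a MUD-style name-based ACL with DNS-TTL-bounded caching.

Constructed example: the name, addresses, TTLs and flow tuples below are
made up for illustration; nothing here is the draft's or any vendor's code.
Times are plain integers (seconds) passed in by the caller so the model
runs offline and deterministically.
"""
from dataclasses import dataclass


@dataclass
class DnsAnswer:
    """What the resolver returned for a name listed in a MUD file."""
    name: str
    addresses: list
    ttl: int  # seconds, from the A/AAAA records


@dataclass
class AclEntry:
    """An address permitted because it was resolved from a MUD name."""
    name: str
    address: str
    expires_at: int  # absolute time: when resolved + TTL


class NameBasedAcl:
    def __init__(self):
        self.entries = {}   # address -> AclEntry (the DNS-derived cache)
        self.flows = set()  # (src, dst) tuples with live connection state

    def learn(self, answer: DnsAnswer, now: int) -> None:
        """Cache the mapping for exactly the TTL; a fresh answer for the
        same name replaces whatever that name resolved to before."""
        stale = [a for a, e in self.entries.items() if e.name == answer.name]
        for addr in stale:
            del self.entries[addr]
        for addr in answer.addresses:
            self.entries[addr] = AclEntry(answer.name, addr, now + answer.ttl)

    def permit_new_connection(self, src: str, dst: str, now: int) -> bool:
        """A new connection is only permitted while the cached mapping is
        within its TTL; after that the name must be re-resolved first."""
        entry = self.entries.get(dst)
        if entry is None or now >= entry.expires_at:
            return False
        self.flows.add((src, dst))
        return True

    def permit_packet(self, src: str, dst: str, now: int) -> bool:
        """Packets of an established flow keep passing even after the TTL
        expires: connection state outlives the DNS cache entry."""
        if (src, dst) in self.flows:
            return True
        return self.permit_new_connection(src, dst, now)

    def close_connection(self, src: str, dst: str) -> None:
        """Tear down flow state; only the TTL-bounded cache remains."""
        self.flows.discard((src, dst))

    def expired_names(self, now: int) -> set:
        """Names whose cached mapping has aged past its TTL and must be
        looked up again before any new connection can be admitted."""
        return {e.name for e in self.entries.values() if now >= e.expires_at}


def demo() -> dict:
    """Walk through the timeline discussed above and return each decision."""
    acl = NameBasedAcl()
    # t=0: resolver answer for a name from the MUD file (constructed).
    acl.learn(DnsAnswer("update.example.com", ["192.0.2.10"], ttl=300), now=0)
    results = {}
    # t=10: a new connection inside the TTL is permitted and creates flow state.
    results["new_in_ttl"] = acl.permit_packet("10.0.0.5", "192.0.2.10", now=10)
    # t=400: TTL expired, but the existing flow keeps its permission.
    results["existing_after_ttl"] = acl.permit_packet("10.0.0.5", "192.0.2.10", now=400)
    # t=400: another device opening a new connection is refused until re-resolution.
    results["new_after_ttl"] = acl.permit_new_connection("10.0.0.6", "192.0.2.10", now=400)
    results["needs_refresh"] = acl.expired_names(now=400)
    # Re-resolve: the name now points elsewhere, so the old address is dropped.
    acl.learn(DnsAnswer("update.example.com", ["192.0.2.11"], ttl=300), now=400)
    results["new_addr_after_refresh"] = acl.permit_new_connection("10.0.0.6", "192.0.2.11", now=401)
    results["old_addr_after_refresh"] = acl.permit_new_connection("10.0.0.6", "192.0.2.10", now=401)
    # Once the long-lived flow closes, the old address has no path back in.
    acl.close_connection("10.0.0.5", "192.0.2.10")
    results["old_flow_after_close"] = acl.permit_packet("10.0.0.5", "192.0.2.10", now=402)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two pieces of state are kept deliberately separate: `entries` carries the DNS-derived expiry and is what must be refreshed every TTL period, while `flows` is the connection state that lets an established session outlive the cache entry. An implementation that merged them, or that kept `entries` alive after `expires_at`, would be the "cache the name beyond TTL" case the thread warns about.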