[arin-ppml] ULA-C and reverse DNS
Michael Richardson
mcr at sandelman.ca
Mon Mar 22 15:26:27 EDT 2010
>>>>> "michael" == michael dillon <michael.dillon at bt.com> writes:
>> Why not just take the address space and delegate /16s of it to
>> each RIR in the same way we do now?
michael> We don't want it to be aggregatable. However we could
It won't be aggregated by the RIRs. So you can tell who you got the
block from by looking at it... The RIRs can be trusted to hand out random
blocks, I think. The RIR is only 3 bits anyway.
michael> P.S. I'm not yet convinced that reverse DNS is needed. If a
michael> mobile device, is using ULA-C addresses, then it must have
michael> connectivity to a network using ULA-C addresses, therefore
michael> it is inside that network and can use private reverse DNS
michael> services.
a) the mobile device might be using its ULA-C as an identifier inside
some mobility or multihoming mechanism.
b) while (a) above could just be MIPv6 or shim6 or IPsec or ....
something we do not yet know about. FREQUENTLY, bootstrapping this
mechanism is MUCH simpler if it can USE DNS to discover things.
Oops. catch-22.
c) If one demands that the mobile device do all DNS requests only via its
"home base", then one has created a critical dependency where none
existed before. The "home base" must be reachable at all times, and
one has assumed that only a star topology is desirable.
MIPv6 provides extensive mechanisms to avoid having to create star
topologies!!! You've just made DNS significantly more brittle.
Remember: *ALL* DNS requests have to go to the home base, not just
reverse DNS requests.
This has also been the assumption that all IPsec Remote Access VPN
vendors have made for the past 15 years, and it totally fails once
you have connections to *TWO* organizations. If you are lucky, they
use different RFC1918 addresses...
Lest you think this is uncommon, let me tell you that it's basically
a FAQ in the IPsec world.
d) If the DNS requests do not flow through a "tunnel", but rather travel
to a DNS server that is in the organization's PI or PA address space,
then the DNS is less brittle, but two things have just happened:
1) if PA, then the organization is now dependent upon the PA address provider
to be up. DNS can cope with multiple PA addresses, sure...
2) if PI, then you didn't need ULA-C in the first place.
e) if you are asking why reverse DNS is needed *PERIOD* (for anyone),
then that's a different conversation completely.
--
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
then sign the petition.
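Added example (not from the message above or from anyone in the thread): the thread is about whether ULA blocks need reverse DNS, so it helps to see concretely what a ULA /48 and its ip6.arpa zone look like. The block below follows the locally-generated ULA procedure from RFC 4193 (SHA-1 over a 64-bit NTP timestamp and an EUI-64, least-significant 40 bits as the Global ID, under fd00::/8) and then derives the nibble-reversed ip6.arpa zone name that would have to be delegated for that /48, and the PTR owner name for one host in it. A ULA-C block would be assigned by a registry instead of hashed locally, but the reverse-zone derivation is the same for any /48. The MAC address and timestamp are constructed sample inputs.

```python
import hashlib
import ipaddress
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def ntp64(unix_time: float) -> int:
    """64-bit NTP timestamp: seconds since 1900 in the high 32 bits, fraction low."""
    secs = (int(unix_time) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((unix_time - int(unix_time)) * 2**32) & 0xFFFFFFFF
    return (secs << 32) | frac


def ula_global_id(eui64: bytes, ntp_time: int) -> int:
    """RFC 4193 section 3.2.2: SHA-1(time || EUI-64), keep the low 40 bits."""
    key = struct.pack("!Q", ntp_time) + eui64
    digest = hashlib.sha1(key).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_prefix(global_id: int) -> ipaddress.IPv6Network:
    """fd00::/8 (fc00::/7 with L=1) followed by the 40-bit Global ID -> a /48."""
    if global_id >> 40:
        raise ValueError("Global ID must fit in 40 bits")
    prefix_int = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def reverse_zone(net: ipaddress.IPv6Network) -> str:
    """ip6.arpa zone name covering a prefix whose length is a nibble boundary."""
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 for a clean zone cut")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ptr_name(addr: ipaddress.IPv6Address) -> str:
    """Full 32-nibble PTR owner name for one host address."""
    return reverse_zone(ipaddress.IPv6Network((addr, 128)))


def generate_ula(mac: str, unix_time: float) -> ipaddress.IPv6Network:
    """Whole procedure: MAC + time -> locally generated ULA /48."""
    return ula_prefix(ula_global_id(eui64_from_mac(mac), ntp64(unix_time)))


if __name__ == "__main__":
    # Constructed sample input: a made-up MAC and a fixed timestamp.
    net = generate_ula("00:11:22:33:44:55", 1269286000.25)
    host = ipaddress.IPv6Address(int(net.network_address) + 1)
    print("ULA /48:       ", net)
    print("reverse zone:  ", reverse_zone(net))
    print("PTR for host:  ", ptr_name(host))
    # A second site generating its own /48 gets a different random Global ID,
    # unlike two sites that both pick 10.0.0.0/8.
    other = generate_ula("00:11:22:33:44:66", time.time())
    print("overlaps other:", net.overlaps(other))
```

Whoever ends up holding the parent fd00::/8 (or, for ULA-C, the registry block) is the only party that can delegate the zone that `reverse_zone` prints; that delegation is the part the message argues over, the derivation of the name itself is mechanical.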