[arin-ppml] ULA-C and reverse DNS

Michael Richardson mcr at sandelman.ca
Mon Mar 22 15:26:27 EDT 2010

>>>>> "michael" == michael dillon <michael.dillon at bt.com> writes:
    >> Why not just take the address space and delegate /16s of it to
    >> each RIR in the same way we do now?

    michael> We don't want it to be aggregatable. However we could

It won't be aggregated by the RIRs.  So you can tell who you got the
block from by looking at it... The RIRs can be trusted to hand out random
blocks, I think.  The RIR is only 3 bits anyway.

    michael> P.S. I'm not yet convinced that reverse DNS is needed. If a
    michael> mobile device, is using ULA-C addresses, then it must have
    michael> connectivity to a network using ULA-C addresses, therefore
    michael> it is inside that network and can use private reverse DNS
    michael> services. 

a) the mobile device might be using its ULA-C as an identifier inside
   some mobility or multihoming mechanism.

b) while (a) above could just be MIPv6 or shim6 or IPsec or ....
   something we do not yet know about.  FREQUENTLY, bootstrapping this
   mechanism is MUCH simpler if it can USE DNS to discover things.
   Oops. catch-22.

c) If one demands that the mobile device do all DNS requests only via its
   "home base", then one has created a critical dependency where none
   existed before.  The "home base" must be reachable at all times, and
   one has assumed that only a star topology is desirable.

   MIPv6 provides extensive mechanisms to avoid having to create star
   topologies!!!    You've just made DNS significantly more brittle.

   Remember: *ALL* DNS requests have to go to the home base, not just
   reverse DNS requests.

   This has also been the assumption that all IPsec Remote Access VPN
   vendors have made for the past 15 years, and it totally fails once
   you have connections to *TWO* organizations.  If you are lucky, they
   use different RFC1918 addresses...

   Lest you think this is uncommon, let me tell you that's basically
   a FAQ in the IPsec world.

d) If the DNS requests do not flow through a "tunnel", but rather travel
   to a DNS server that is in the organization's PI or PA address space,
   then the DNS is less brittle, but two things have just happened:
   1) if PA, then the organization is now dependent upon the PA address provider
      to be up.  DNS can cope with multiple PA addresses, sure...
   2) if PI, then you didn't need ULA-C in the first place.

e) if you are asking why reverse DNS is needed *PERIOD* (for anyone),
   then that's a different conversation completely.

]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
               then sign the petition.