
Dual-faced DNS issue on draft-palet-v6ops-solution-tun-auto-disc-01.txt



Hi all,

Next issue with this document.

Please read the document and provide input, especially on this point.

>>> Our intent here is to offer two options:
>>> 1) No service at all outside the ISP (then filtering will make it)
>>> 2) An ISP that offers services (some, maybe not the same) to users outside
>>> its own network. I think this is a possibility and we must support it in a
>>> clear way, in case somebody wants to make use of it.
>> 
>> I can understand these options, but AFAIK dual-faced DNS does not
>> offer any better means to achieve 2), while being a lot worse.  Sure,
>> you can hide the tunnel endpoint (so that it can only be looked up in
>> the local net) and still keep it operational if you move away from the
>> network, but that allows a lot of abuse (such as local customers
>> telling their friends outside the IP address to use for their
>> tunnels).  Doing dual-faced DNS here would be security by obscurity
>> and that would not be good.
>> 
>> The only practical solution to the 3rd party case appears to be some
>> form of registered mode, i.e., the tunnel endpoint being accessible to
>> anyone, but only allowing certain registered users.
> 
> I'm not really sure about this point of view. Need to think about it. More
> opinions from the WG, please?
> 

Regards,
Jordi



