[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: I-D ACTION:draft-nward-v6ops-teredo-server-selection-00.txt
On 5/07/2007, at 4:29 AM, Rémi Denis-Courmont wrote:
Le mercredi 4 juillet 2007, vous avez écrit :
Anycast is good, but I think it's important that the clients are
default configured with a vendor agnostic DNS name that points to the
anycast address as well.
I have not seen any precedent of vendor-agnostic DNS name (apart from
example.TLD that is). Not only that, but who would maintain the DNS
zone that clients would run into when the ISP does not "hijack" the
name?
I've not seen precedent of vendor-default DNS names for network
functions, either (or at least, that I can recall on short
notice :-). I'm not sure that lack of precedent is a good reason to
not do something.
That's a good question as to who would host and maintain the zone. In
the document I say: "The root servers (or some other independent
party) would host the DNS name". I'm not sure who that third party
could be, but the root servers (or perhaps a subset of the root
servers) seem well placed in terms of reliability, and trust-ability.
There are probably millions of Windows boxes using
teredo.ipv6.microsoft.com already. It is technically possible to
change
this zone to point to an anycast prefix (should Microsoft be
willing to
use it...), as has seemingly been done with 6to4.ipv6.microsoft.com.
My recommendation would be for MS to change the default to a new
name, and also change the A record of the existing default to point
to the anycast address.
That means that the control is entirely with
the SP, and there is no reliance on third party DNS names etc.
With anycast, the access provider has control, always. With DNS, it
assumes that the user is using the ISP recursive DNS servers (most
common, but not systematic).
With /only/ DNS, yes.
My recommendation (which isn't clear from ready the document, sorry
about that!) is to use both DNS and anycast, and by default the DNS
entry points to the anycast address. ISPs should use anycast where
possible, but use DNS if it's not available.
Also, if providers don't have the ability to anycast,
If they have no control over routing, I doubt they would or even
should
have control over DNS still.
Perhaps, however there are 'virtual' ISPs who run DNS, SMTP, etc.
services for their customers, but who do not route their IP traffic
to other parts of the Internet.
However, my comment was more in regards to it being unsuitable for
their network for some reason (perhaps in an enterprise network, for
example), or because they want to be able to load balance things
differently to how they could with anycast.
By the way, you may as well drop the SRV records idea. Some people
would
complain that it allows Teredo to run not-on-port 3544, and becomes a
mess to block at the firewall. Not *me* though.
If end users can connect out through your firewall on any address,
being able to block a Teredo port doesn't gain you any security. If
you want to prevent users from automatically establishing tunnelling
without them realising, either a) disable Teredo on all machines, or
b) put in a DNS entry pointing to an invalid server, or c) null route
the anycast address. I'm sure you're aware of this, but I'll describe
why it's not a problem when I document the SRV as a sub-option of the
well known DNS name bit so that others get it too :-).
The only reason I can see not to do well known DNS in parallel to
IPv4 anycast is the issue of who would host the name, and I suspect
we could resolve that fairly easily. It seems to me that the
flexibility and security that is gained is worth it.
Perhaps an alternative to having a fallback in DNS is to have the
anycast address configured as the Teredo server address to use when
the DNS name is un-resolvable - that would require some extra logic
in the clients though, but it would be pretty trivial I'd imagine:
address = dns_lookup(well.known.dns.name)
if (address = failed) then address = a.b.c.d
--
Nathan Ward