6to4 reverse domain delegation 2.0.0.2.ip6.arpa A Proposal Geoff Huston – May 2004.

Slides:

Advertisements

Similar presentations

1 IPv6 Unique Local Addresses Update on IETF Activity ARIN Public Policy Meeting April 2005 Geoff Huston APNIC.

Advertisements

6to4 reverse domain delegation in ip6.arpa A report on work-in-progress Geoff Huston – May 2004.

IDN TLD Variants Implementation Guideline draft-yao-dnsop-idntld-implementation-01.txt Yao Jiankang.

Enabling Secure Internet Access with ISA Server

Direct Access 2012 Chad Duffey and Tristan Kington Microsoft Premier Field Engineering WSV333.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 6 Managing and Administering DNS in Windows Server 2008.

Sweeping lame DNS reverse delegations APNIC16 – DNS Operations SIG Seoul, Korea, 20 August 2003.

5-Network Defenses Dr. John P. Abraham Professor UTPA.

2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.

Nada Abdulla Ahmed.  SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. Designed for ease of use, SmoothWall.

Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.

Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.

Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.

Domain Name System: DNS

DNS: Revising the Current Protocol Matt Gustafson Matt Weaver CS522 Computer Communications University of Colorado, Colorado Springs.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

1 Web Content Delivery Reading: Section and COS 461: Computer Networks Spring 2007 (MW 1:30-2:50 in Friend 004) Ioannis Avramopoulos Instructor:

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies.

Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.

Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Application Layer Functionality and Protocols Network Fundamentals – Chapter 3.

Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.

NAME SERVICES. Names and addresses File names /etc/passwd URLS Internet domain names—dcs.qmw.ac.uk Identifiers- ROR, NFS.

Name Resolution Domain Name System.

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

1 3 Web Proxies Web Protocols and Practice. 2 Topics Web Protocols and Practice WEB PROXIES  Web Proxy Definition  Three of the Most Common Intermediaries.

Damian Leibaschoff Support Escalation Engineer Microsoft Becky Ochs Program Manager Microsoft.

1 IP: putting it all together Part 2 G53ACC Chris Greenhalgh.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 7: Domain Name System.

Chapter 17 Domain Name System

DNS & SPAM SHAREPOINT 2010 IT:NETWORK:APPLICATIONS.

Zone Properties. Zone Properties Continued Aging allows zone to remove “stale” or “old” records for clients who have not updated within a certain period.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network, Enhanced Chapter 6: Name Resolution.

Utilities, Customers & SMS Rudi Leitner. Who in this room has a mobile phone? Who in this room has ever sent a text (SMS) message?

October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.

COMP3121 E-Commerce Technologies Richard Henson University of Worcester November 2011.

Deploying a Web Application Presented By: Muhammad Naveed Date:

DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.

Packet Filtering & Firewalls. Stateless Packet Filtering Assume We can classify a “good” packet and/or a “bad packet” Each rule can examine that single.

Module 7 Configure User and Computer Environments By Using Group Policy.

Status report on Lame Delegations (work in progress) George Michaelson DB SIG APNIC17/APRICOT 2004 Feb KL, Malaysia.

1 Kyung Hee University Chapter 18 Domain Name System.

Data Communications and Networks Chapter 5 – Network Services DNS, DHCP, FTP and SMTP ICT-BVF8.1- Data Communications and Network Trainer: Dr. Abbes Sebihi.

Configuring Name Resolution and Additional Services Lesson 12.

Domain Name System (DNS). DNS Server Service Overview of Domain Name System What Is a Domain Namespace? Standards for DNS Naming.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

DNS DNS overview DNS operation DNS zones. DNS Overview Name to IP address lookup service based on Domain Names Some DNS servers hold name and address.

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

DNS Security 1. Fundamental Problems of Network Security Internet was designed without security in mind –Initial design focused more on how to make it.

Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.

Internet Naming Service: DNS* Chapter 5. The Name Space The name space is the structure of the DNS database –An inverted tree with the root node at the.

Basics of the Domain Name System (DNS) By : AMMY- DRISS Mohamed Amine KADDARI Zakaria MAHMOUDI Soufiane Oujda Med I University National College of Applied.

Chapter 5. An IP address is simply a series of binary bits (ones and zeros). How many binary bits are used? 32.

DNS Domain Name System. Lots of people use the internet for different reasons. DNS Plays a big role in the internet. The DNS translates domain names into.

Chapter 5c.  Upon completion of this chapter, you should be able to:  Configure IP addresses  Identify & select valid IP addresses for networks  Configure.

Ip addressing: dhcp & dns

Security Issues with Domain Name Systems

Chapter 25 Domain Name System.

Module 5: Resolving Host Names by Using Domain Name System (DNS)

Domain Name System (DNS)

IMPLEMENTING NAME RESOLUTION USING DNS

Goals of soBGP Verify the origin of advertisements

Lame DNS Server Sweeping

Net 323 D: Networks Protocols

Chapter 19 Domain Name System (DNS)

RIPE Whois Database Software Recent Changes

AbbottLink™ - IP Address Overview

Presentation transcript:

6to4 reverse domain delegation ip6.arpa A Proposal Geoff Huston – May 2004

The Problem How to populate delegations of the the reverse address space of the 6to4 address prefix in a manner that is: Easy to deploy Minimal impact on existing software and operations Allows for efficient name lookup Cost and benefit bourne by those who immediately benefit Does not adversely affect the security of DNS queries [problem statement: draft-moore-6to4-dns-03.txt]

Work to date Internet draft draft-moore-6to4-dns-03.txt Explores various approaches to infer delegation paths when there is no explicit delegation. Possible approaches include: Use matching in-addr.arpa servers Use known 6to4 address as potential server Alter server behaviour All these approaches represent compromises in various ways

Issues with various approaches Support "conventional address delegations, recognising the need to 'hop over' some address delegations This is performing reverse delegations without reliable information as to whether the requestor really has the address space or not. Equally a delegated entity may need to implement the same 'hop over' approach to further delegations from their reverse zone.

Approaches (2) Support a "guessing" server where if there is no explicit delegation you look for the NS records of the equivalent 32 bit V4 reverse address zone and ask these servers the V6 PTR query Requires altered resolvers and wont not map correctly to the /32 6to4 site in any case

Approaches (3) Support non-delegated local 6to4 NS addresses that will be queried if there is no explicit delegation i.e. infer a set of 6to4 AAAA addresses and send the PTR query to them Requires altered resolvers, and reserving local address with special significance is not a preferred approach

Approaches (4) If there is no explicit delegation then fake the answer - i.e. return a string that is synthesised from the V6 address as the PTR answer. Um – if you are going to lie, then why bother with reverse at all?

About synthesized responses Not a good idea... It appears that the safest approach is to work through the standard delegation model, but it would be good to reduce the administrative overhead of maintaining this zone

Recap: 6to4 land (as I guess it) 6to4 gateway h1h2h3h4 g1 V4 addresses g h h h h V6 6to4 addresses g12002:{ }::1A h12002:{ }::1B H22002:{ }::1C H32002:{ }::1D H42002:{ }::1E 2002V4GatewayAddrLocal Address 6 over 4 V6 Local V6 & V4 network V4 connectivity

6to4land with V4NAT(P)T (still guessing) V4NATPT 6to4 gateway h1h2h3h4 g1 V4 addresses G g h h h h V6 6to4 addresses G12002:{ }::0A g12002:{ }::1A h12002:{ }::1B h22002:{ }::1C h32002:{ }::1D h42002:{ }::1E 2002V4GatewayAddrLocal Address 6 over 4 V6 Local V6 & private V4 network V4 connectivity G1

A Proposal for 6to4 reverse DNS Delegate only at the 48 bit position – i.e. delegate only at each gateway (the equivalent of a /32 in V4) Automate the delegation process as a client- driven system Allow the system to be accessed only by 6to4 clients and allow the client to delegate only the 6to4 reverse address of the clients source address.

Details (1) ip6.arpa only contains delegations for /32 V4 blocks It doesnt matter if its a flat zone file or a set of zone files - the basic approach is that each 6to4 network (a /32 in V4) has its reverse delegation handled directly by the delegation engine. Delegations are performed by a web service Where the service itself is only accessible using V6 6to4 source addresses

The Web Service… Operates only as a secure (https) server that way it prevents any form of proxy caching mucking around with the service Only provides a web page to enter a delegation if the source address of the client is a 6to4 V6 network address All other connection attempts get a response which is a FAQ about the service. The web page allows the client to enter: up to 4(?) NS servers for the reverse delegation of the 6to4 gateway address which is the source address of the client, and an contact address of the client.

The Web Service… (2) upon submit the web server checks the validity of the servers (reachable, authoritative, synchronized with secondaries) and either responds with a diagnostic and pointers to DNS configuration resources on the web or accepts the delegation request and queues it up for entry in to the ip6.arpa zone file The WEB server should also have a direct CGI interface to the update allowing the client to use a local tool and scripts the update

Zone Maintenance… All entries are timestamped, and the delegation is checked every 30(?) days. If the delegation is lame a diagnostic message is sent to the associated address, giving the recipient 7 days to correct the error. After a further 7 days the delegation is rechecked, and if it is still lame, the delegation is removed If there is an existing delegation for this 6to4 zone the details of the delegation are provided to the client, and they can edit all the fields. Any changes are ed to the original address and to the updated address (if updated). BUT the changes are made in any case.

Benefits Fully automated No 'hop over' delegation issues Rapid service delivery You can only change your own record (i.e. your source address's embedded V4 address 6to4 record)

Issues Clients inside a 6to4 network could update the servers without the knowledge of the local network administrator Possible responses: the local network administrator could use a firewall filter to block all local clients to and from access this web service. proxies won't help here as its a https connection and is based on the source address of the client DHCP-based 6to4 clients could inherit nonsense reverse entries Possible response: putting reverse servers on a DHCP-provided address doesn't make much sense. But in any case the DHCP pool owner could populate the space and then bar clients from accessing the web service (see above)

Issues (2) Hijack the v4 address, set up the 6to4 connection and steal a reverse Possible response: Hijacking an address allows all kinds of bad things - this reverse part is minor! Folk who want to support lots and lots of 6to4 gateways have to do much work Possible response: 6to4 is a local interim hack. If you are big enough that this is a pain then get a real V6 connection, a real V6 address and do it properly!

Discussion Is this a reasonable approach? How many delegations are needed? Is integrity of delegation of reverse space in 2002 important or not? Should block delegations also be supported? Why?