[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [dhcwg] SLAAC and DDNS

To: "David W. Hankins" <David_Hankins at isc.org>, "DHC WG" <dhcwg at ietf.org>
Subject: Re: [dhcwg] SLAAC and DDNS
From: "Bernie Volz (volz)" <volz at cisco.com>
Date: Fri, 27 Feb 2009 13:37:56 -0500
Authentication-results: rtp-dkim-1; header.From=volz at cisco.com; dkim=pass ( sig from cisco.com/rtpdkim1001 verified; );
Delivered-to: dhcwg at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=3093; t=1235759877; x=1236623877; c=relaxed/simple; s=rtpdkim1001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=volz at cisco.com; z=From:=20=22Bernie=20Volz=20(volz)=22=20<volz at cisco.com> |Subject:=20RE=3A=20[dhcwg]=20SLAAC=20and=20DDNS |Sender:=20 |To:=20=22David=20W.=20Hankins=22=20<David_Hankins at isc.org> ,=20=22DHC=20WG=22=20<dhcwg at ietf.org>; bh=j/gutXTZDk7XOySXpsy4k2gQkVYrfDCOb8ET0G6tAMs=; b=b+9TZu3EPQDiRn7Y4RlU+LUVry2v6V1fuk5duuy0LrN2pqcS8DxHSMK9b6 /FSfrkvzwR8MqqsDd2qZGAZkOcFbc3cR7LoJxHIJP+UW6zpXY2xAP0SGml3m h+HnFbTRO5;
In-reply-to: <20090227174153.GA3954 at isc.org>
List-archive: <http://www.ietf.org/mail-archive/web/dhcwg>
List-help: <mailto:dhcwg-request@ietf.org?subject=help>
List-id: <dhcwg.ietf.org>
List-post: <mailto:dhcwg@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
References: <1E4636828B4AD841900A31378A9FE3CD01132116C7 at usemp11.ins.com> <20090227174153.GA3954 at isc.org>
Thread-index: AcmZArTxQQm6QuyPR0aclMxFtX9IMQAB03Lw
Thread-topic: [dhcwg] SLAAC and DDNS

Why not have the client do DHCPv6 but have the DHCPv6 server assign the
client the SLAAC address (for what it is worth, CNR's DHCPv6 server
supports this capability). No protocol or client changes (provided the
client already supports DHCPv6 based address assignment - if it doesn't
having it do the Information-Request requires new code anyway). No new
draft to write.

- Bernie 

-----Original Message-----
From: dhcwg-bounces at ietf.org [mailto:dhcwg-bounces at ietf.org] On Behalf
Of David W. Hankins
Sent: Friday, February 27, 2009 12:42 PM
To: DHC WG
Subject: Re: [dhcwg] SLAAC and DDNS

On Fri, Feb 27, 2009 at 10:01:34AM -0600, Greg.Rabil at ins.com wrote:
> I think the only drawback to this solution is that doing DDNS updates
from the client makes it difficult to secure the updates using TSIG, for
example.  Distributing the TSIG key(s) to the clients is really not an
option in most cases.  However, there is tremendous benefit to
supporting DDNS in a SLAAC (stateless address auto-config) environment.
One option would be to require client to put their FQDN option in the
Info-Request message sent to a stateless DHCPv6 server.  The source
address of the Info-Request message is the client's SLAAC address, so
the stateless DHCPv6 server would know the IP, and if the FQDN option
were included, it would have enough information to update both the AAAA
and PTR records.  The problem here is that a stateless DHCPv6 server
will not know when the records should be removed from DNS, but stale
records could be cleaned via some other "scavenging" mechanism.

The IPv6 source address of an Info-Request message is more likely a
link-local address, and using this field presumes the client has only
one address.  So you would have to specify that the client MUST select
a source address specifically not in keeping with the usual guidelines
for source address selection.  This isn't impossible, a client can
bind the socket.

You'd also have to specify the client MUST include a client identifier
option so that the server can manufacture a DHCID.  RFC 3315 states
this is a SHOULD for information-request, only a MUST if
authentication is in use.

But, this method raises a security concern.

The client does not have a TSIG key, but by using only the source
IPv6 address field and an FQDN option, it can ask a DHCPv6 server to
perform an update on its behalf.  This mechanism simply extends DHCP
to tunnel through DNS security, to bypass it.  Anyone can send that
packet, and they can ask the DHCP server to update the zone with
whatever contents they might have updated themselves - just limited
to AAAA and DHCID RRs.  This is not very different form simply leaving
the DNS zone wide open, or erecting access control on the DNS zone to
limit RR types.  There is for example a BIND 9 ACL command that
permits systems to update their own PTR records.

-- 
David W. Hankins	"If you don't do it right the first time,
Software Engineer		     you'll just have to do it again."
Internet Systems Consortium, Inc.		-- Jack T. Hankins

Follow-Ups:
- Re: [dhcwg] SLAAC and DDNS
  - From: Greg.Rabil

References:
- [dhcwg] SLAAC and DDNS
  - From: Greg.Rabil
- Re: [dhcwg] SLAAC and DDNS
  - From: David W. Hankins

Prev by Date: Re: [dhcwg] SLAAC and DDNS
Next by Date: Re: [dhcwg] I-D Action:draft-ietf-dhc-dhcpinform-clarify-02.txt
Previous by thread: Re: [dhcwg] SLAAC and DDNS
Next by thread: Re: [dhcwg] SLAAC and DDNS
Index(es):
- Date
- Thread