
Re: [RAM] DNS usage in NERD



Brian Carpenter wrote:

> I'm sticking to my own suggestion: use well-known IP addresses
> to bootstrap NERD, thereby avoiding any possible circular dependency
> involving DNS by construction.

Assuming there will be a single LISP/Ivip, the new system will be a
centrally planned, permanent piece of infrastructure.  I think it would
be feasible and desirable in terms of simplicity to reserve particular
IP addresses for particular functions which are in any way crucial to
LISP/Ivip.  This shouldn't mean a single point of failure, if UDP
communications to a set of anycast servers can perform the functions
required.  For TCP the separate servers idea wouldn't be so robust, so
it should be possible to use a set of anycast routers with private network
tunnels to a central or distributed server farm.

Like the root nameservers, the routers and servers at these addresses
would need to be able to withstand any botnet attack which is likely to
be launched.  That threat will grow as more PCs have faster
upstream links, such as with fibre to the premises, as Verizon is now
having great success with.

> I certainly agree that enumerating the addresses that must never
> be mapped, to avoid circularity, is a good thing.

I agree.  It might be best to have a config file in every ITR for ranges
of addresses to which packets will never be tunneled.  This would remove
the danger of malicious or accidental database changes being received
which, without the config file limits, would cause packets to be
tunneled to infrastructure-critical addresses.

  - Robin
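The never-tunnel config proposed above, as an added worked example (not code from this thread or from any LISP/Ivip implementation): a toy ITR that rejects mapping updates touching reserved infrastructure prefixes and forwards packets to those prefixes natively no matter what the mapping database says. The prefixes, ETR addresses and class names are constructed assumptions.

```python
"""Toy ITR forwarding decision for a LISP/Ivip-style map-and-encap scheme.

Added example, not from the RAM thread or any real implementation.  Assumes a
static never-tunnel config of reserved infrastructure prefixes that overrides
the mapping database, so infrastructure can never become map-dependent.
"""
import ipaddress
import logging

log = logging.getLogger("itr")

# Constructed sample config: hypothetical reserved ranges for mapping and
# bootstrap infrastructure (taken from documentation address space).
NEVER_TUNNEL = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/25")]


def covered_by_never_tunnel(net):
    """True if any address in net lies inside a never-tunnel range."""
    return any(net.overlaps(r) for r in NEVER_TUNNEL)


class ITR:
    def __init__(self):
        self.mapping = {}  # EID prefix -> ETR address (tunnel endpoint)

    def apply_update(self, eid_prefix, etr_addr):
        """Install a mapping unless it touches infrastructure space.

        Rejects updates whose EID prefix overlaps a never-tunnel range (would
        divert infrastructure traffic into tunnels) and updates whose ETR sits
        inside one (would tunnel toward infrastructure).  Returns True if installed.
        """
        eid = ipaddress.ip_network(eid_prefix)
        etr = ipaddress.ip_address(etr_addr)
        if covered_by_never_tunnel(eid) or any(etr in r for r in NEVER_TUNNEL):
            log.warning("rejected mapping %s -> %s (infrastructure range)", eid, etr)
            return False
        self.mapping[eid] = etr
        return True

    def forward(self, dst):
        """Return ('native', None) or ('tunnel', etr) for a packet to dst."""
        d = ipaddress.ip_address(dst)
        if any(d in r for r in NEVER_TUNNEL):
            return ("native", None)  # config wins over the mapping database
        best = None  # longest-prefix match over installed mappings
        for eid, etr in self.mapping.items():
            if d in eid and (best is None or eid.prefixlen > best[0].prefixlen):
                best = (eid, etr)
        return ("tunnel", str(best[1])) if best else ("native", None)
```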


_______________________________________________
RAM mailing list
RAM at iab.org
https://www1.ietf.org/mailman/listinfo/ram