Re: [TLS] Server Name Indication (SNI) in an IPv6 world?

Hi Jeff,

Until IPV6 is a viable platform independent of IPV4, it's probably
premature to consider how one might use it with TLS because it's not
stable in its present form.  At present and for the foreseeable future,
IPV6 doesn't work independently from IPV4, and as-is, isn't a viable
platform.  Some people might think that is a controversial statement,
but those people have been denying the obvious since at least the failure of
the great deployment effort of 2003. And probably even before that since
the 2003 effort was foreseeably unrealistic in the 2002 planning stages.
Present plans are to repeat what didn't work in 2003, with no
substantial change.

I think the easiest way to understand the basis for saying IPV6 is dead
is this:  Anyone who publishes an AAAA record is immediately penalized
by the blackholing of traffic as IPV6 connections are attempted over
IPV4 interfaces. The root cause of this is that DNS doesn't have the
necessary separate stacks;  consequently, there is no such thing as an
IPV6 DNS stack. So there is just one DNS stack, and as soon as anyone
tries to use IPV6, they have to use an AAAA record in the IPV4 DNS, and
as soon as they do that, they get blackholed. Foot, gun, bang. Rollback
on IPV6. End of story. That's why now when you google IPV6, you bring up
more and more pages on how to disable it. And so, it's dead.

DNS bungling is not the only reason it's dead, of course. Just like
there's no single cause for the Roman empire collapse. But in the same
way that many people think it was the barbarians who caused the Roman
collapse, I think it was DNS bungling that caused IPV6 to fail. But
there are actually a whole lot of reasons. But this isn't the place to
post-mortem IPV6.

		--Dean


On Tue, 26 Oct 2010, =JeffH wrote:

> What do folks think, will the TLS SNI extension still be employed as much in 
> the IPv6 world as it is in the IPv4 world?
> 
> The question stems from the simple observation (on some folks' part) of the 
> IPv6 world ostensibly having multitudinous addresses available, hence instead 
> of virtual-hosting via one IPv4-addressed entity (and employing SNI in order to 
> properly have a cert per virtual host, rather than one cert with a multitude of 
> subjectAltName:dNSNames), one can instead just multi-home such hosting entities 
> with an IPv6 addr per virtual host.
> 
> thoughts?
> 
> =JeffH
> _______________________________________________
> TLS mailing list
> TLS at ietf.org
> https://www.ietf.org/mailman/listinfo/tls
> 
> 

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 256 5494
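The question Jeff raises turns on what SNI actually carries: the server_name extension in the ClientHello holds a DNS host name, never an address literal (RFC 6066 explicitly forbids IPv4 and IPv6 literals in it), which is why an IPv6-address-per-host deployment and SNI answer different needs rather than one replacing the other. The script below is an added illustration written for this page, not code from either poster or from any TLS library: it constructs a minimal TLS-1.0-format ClientHello with a server_name extension and then parses the host name back out of the raw record with bounds checks, the same extraction an operator would run over captured handshakes to see whether clients are sending SNI. The builder and the sample ClientHello it produces are constructed for the example; the cipher suite values are arbitrary placeholders.

```python
import ipaddress
import os
import struct
from typing import Optional

SERVER_NAME_EXT = 0x0000  # RFC 6066 extension type for server_name
HOST_NAME_TYPE = 0x00     # RFC 6066 NameType.host_name


def _is_ip_literal(name: str) -> bool:
    """True if name parses as an IPv4 or IPv6 address literal."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def build_client_hello(hostname: Optional[str],
                       cipher_suites=(0x002F, 0x0035)) -> bytes:
    """Construct a minimal ClientHello record (constructed sample data).

    hostname=None produces a ClientHello with an empty extensions block, i.e.
    a client that does not send SNI. RFC 6066 forbids address literals in
    server_name, so those are rejected here the way a conforming client would.
    """
    if hostname is not None and _is_ip_literal(hostname):
        raise ValueError("RFC 6066 forbids IP literals in server_name")
    body = b"\x03\x01" + os.urandom(32) + b"\x00"  # version, random, empty session id
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"  # one compression method: null
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SERVER_NAME_EXT, len(sni_list)) + sni_list
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type=client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _parse_server_name(data: bytes) -> Optional[str]:
    """Walk a ServerNameList and return the first host_name entry, if any."""
    if len(data) < 2:
        raise ValueError("truncated server_name extension")
    list_len = struct.unpack("!H", data[:2])[0]
    if list_len != len(data) - 2:
        raise ValueError("bad ServerNameList length")
    q = 2
    while q + 3 <= len(data):
        ntype = data[q]
        nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
        q += 3
        if q + nlen > len(data):
            raise ValueError("truncated ServerName entry")
        if ntype == HOST_NAME_TYPE:
            return data[q:q + nlen].decode("ascii")
        q += nlen
    return None


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host name from a raw ClientHello record, or None if absent.

    Raises ValueError on anything that is not a well-formed ClientHello, so a
    caller logging handshakes can distinguish 'no SNI' from 'garbage'.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    if hs_len != len(hs) - 4:
        raise ValueError("bad handshake length")
    b = hs[4:]
    pos = 34  # skip client_version (2) and random (32)
    if len(b) < pos + 1:
        raise ValueError("truncated ClientHello")
    pos += 1 + b[pos]  # session_id
    if len(b) < pos + 2:
        raise ValueError("truncated ClientHello")
    pos += 2 + struct.unpack("!H", b[pos:pos + 2])[0]  # cipher_suites
    if len(b) < pos + 1:
        raise ValueError("truncated ClientHello")
    pos += 1 + b[pos]  # compression_methods
    if pos == len(b):
        return None  # extensions field absent entirely
    if len(b) < pos + 2:
        raise ValueError("truncated extensions length")
    ext_len = struct.unpack("!H", b[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(b):
        raise ValueError("truncated extensions")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", b[pos:pos + 4])
        pos += 4
        if pos + elen > end:
            raise ValueError("truncated extension body")
        if etype == SERVER_NAME_EXT:
            return _parse_server_name(b[pos:pos + elen])
        pos += elen
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.com")))  # www.example.com
    print(extract_sni(build_client_hello(None)))               # None
```

Feeding the parser the first record of a real captured handshake works the same way, since only the fixed ClientHello layout is assumed; a TLS 1.3 ClientHello still carries server_name in this same extension format. The "no SNI" result is what a server hosting several names on one address sees from legacy clients, and it is the case an operator has to decide a default certificate for.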