[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: RFC 5006 status

To: IPv6 Operations <v6ops@ops.ietf.org>
Subject: Re: RFC 5006 status
From: james woodyatt <jhw@apple.com>
Date: Fri, 19 Mar 2010 18:25:30 -0700
Cc: 6man Chairs <6man-chairs@tools.ietf.org>
In-reply-to: <20100320101602.1c695dc1@opy.nosense.org>
References: <C7C67F1D.37A5F%alain_durand@cable.comcast.com> <BAB50883-C74A-4EEE-A9CE-9F5180C0B7C2@employees.org> <80B618A6-699D-429E-A890-E4B73BA2BA84@apple.com> <750BF7861EBBE048B3E648B4BB6E8F4F12257D01@crexc50p> <741F78FD-E6A4-4C48-A018-64ED02828388@apple.com> <20100320101602.1c695dc1@opy.nosense.org>

On Mar 19, 2010, at 16:46, Mark Smith wrote:
> On Fri, 19 Mar 2010 12:27:04 -0700 james woodyatt <jhw@apple.com> wrote:
>> 
>> The interesting part happens when the delegated prefix changes, e.g. when I switch the WAN uplink from one network to another.  The addresses of the DNS servers available to hosts on the LAN link changes.  This gets reflected quickly in the RDNSS options that the router sends, and the hosts with RFC 5006 clients updates their DNS resolver configurations immediately.  Since I don't have any hosts with *only* a DHCPv6 client and no RFC 5006 client, I'm not sure what happens to such hosts when their DNS server addresses need to be changed away from the ones they learned from their DHCPv6 lease.  I suspect they just keep using the addresses they were initially offered until their lease expires, and this will produce suboptimal user experience until they go to renew.
> 
> I think that issue would be resolved by having your CPE use it's LAN
> interface ULA addresses to announce it's local DNS resolution service.
> Doing that isn't explicitly mentioned in the basic CPE draft, however as
> the CPE's DNs resolution service is an optional 'site local' service, I
> think using the CPE's LAN interface ULA address to announce it would
> make sense, and avoid the issue you mention.

That might work fine for routers that are integrated with their own DNS forwarding servers.  The interesting case is routers that *DO NOT* have integrated DNS servers, which if I recall correctly, the current CPE router draft implicitly assumes.

In those cases, when the service provider moves the DNS servers, or when the WAN link is dropped and reacquired at a new connection point with a different delegated prefix and new DNS servers, the hosts on the LAN need to have their resolver configurations renumbered.  The RDNSS option in router advertisements permits this to happen immediately after reattaching to the service provider network for every host on the LAN with a short burst of link-local multicast packets, but DHCP requires a Reconfiguration message to be unicast to every client, which implies that all the hosts on the LAN are required to implement not just DHCP6, but DHCP Authentication.  Any hosts that can't do DHCP Authentication won't get their resolvers reconfigured until they renew their lease.  Bletch.

I think RFC 5006 is a much simpler solution for this scenario.  But I recognize that there are people who think that every IPv6 network, *everywhere*-- even the ones in our own homes-- should have *every* interface address managed and firewalled six ways to Sunday, in case the secret police come calling and wish to inspect the premises for evidence of terrorist activity.  I really don't know what to say to those people anymore.

--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering

Follow-Ups:
- Re: RFC 5006 status
  - From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
- Re: RFC 5006 status
  - From: Doug Barton <dougb@dougbarton.us>

References:
- Re: RFC 5006 status
  - From: "Durand, Alain" <alain_durand@cable.comcast.com>
- Re: RFC 5006 status
  - From: Ole Troan <otroan@employees.org>
- Re: RFC 5006 status
  - From: james woodyatt <jhw@apple.com>
- RE: RFC 5006 status
  - From: "STARK, BARBARA H (ATTLABS)" <bs7652@att.com>
- Re: RFC 5006 status
  - From: james woodyatt <jhw@apple.com>
- Re: RFC 5006 status
  - From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>

Prev by Date: Re: I-D.ietf-v6ops-cpe-simple-security-09
Next by Date: Re: RFC 5006 status
Previous by thread: Re: RFC 5006 status
Next by thread: Re: RFC 5006 status
Index(es):
- Date
- Thread