On 15-sep-2007, at 18:42, Terry Gray wrote:
> Example: Fred mentioned that it would be nice to just use some form of
> host names, instead of addresses, but in the world I live in, MANY
> groups are geographically dispersed and want Traffic Disruption
> Appliances on each of their subnets to allow unrestricted flow among
> their *blocks* of addresses --they certainly would not want to either
> a) manage large lists of explicit host addresses *or* names, or b)
> change their complex firewall rules whenever someone sez let's do the
> Renumber Drill!
> [...]
As others have said, this is not entirely a technology problem.
Usually the reason for that is that the technology isn't good enough
to solve the problem fully, which may or may not be a fundamental,
unsolvable issue.
As far as making IP addresses less visible than they are today, I
think there is a lot we can do. My day job involves creating router
configurations (in networks that aren't large enough to have
sophisticated management systems). I have to put addresses rather
than names in router configurations because when there is trouble
with the network, it may not be possible to ask the DNS to translate
a name into an address. (And there are the security issues.)
The way the DNS works today is that you ask it for a mapping, and it
returns you that mapping along with a time to live value. After that,
you need to forget the mapping and consult the DNS again. A system
that would work much better in router/firewall/etc configurations is
a system where you may ask the name resolving system for a mapping to
get you started, but once you have your mapping, you get to keep it
until the name resolving system contacts YOU and tells you something
has changed.
Such a name resolving system would have to be under explicit
administrative control, so that when my vendor that needs access to
something deep inside the firewalled core of my network changes his/
her address I as an administrator get to see that and execute a
policy (verify certificates, make a phone call, change vendors). The
issue of unreachable root servers etc. becomes moot because in that
case you just keep running with the existing mapping information.
Working with names is much easier than with addresses because you can
easily allow *.example.com rather than all the individual addresses/
prefixes that Example, Inc. uses around the world.
blah.vendors.example.com could also point to mothership.blah.com so
you only need to allow *.vendors.example.com rather than a long list
of vendors.
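The pinned-mapping scheme sketched in the message above, written out as an added example (not code from the original thread): names are resolved once and kept with no TTL expiry, a wildcard pattern such as *.vendors.example.com stands in for a list of addresses, and a change pushed by the resolving system only replaces the old mapping if an administrator-defined policy approves it; otherwise the old mapping stays in force. The resolver here is an in-memory stub with constructed records, not a real DNS client.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable, Dict, Optional, Set


@dataclass
class PinnedResolver:
    # Stub "name resolving system": name -> address (constructed data).
    records: Dict[str, str]
    # Allowed name patterns, e.g. "*.vendors.example.com" (hypothetical).
    allow_patterns: Set[str]
    # Administrative policy: (name, old_addr, new_addr) -> True to accept.
    approve: Callable[[str, str, str], bool]
    pinned: Dict[str, str] = field(default_factory=dict)    # kept until notified
    pending: Dict[str, str] = field(default_factory=dict)   # changes awaiting review

    def permitted_name(self, name: str) -> bool:
        """Wildcard match against the name-based allow-list."""
        return any(fnmatchcase(name, p) for p in self.allow_patterns)

    def resolve(self, name: str) -> Optional[str]:
        """Look the name up once, then keep the mapping: no TTL, no re-query,
        so an unreachable resolver later does not break the firewall."""
        if not self.permitted_name(name):
            return None
        if name not in self.pinned:
            addr = self.records.get(name)
            if addr is None:
                return None
            self.pinned[name] = addr
        return self.pinned[name]

    def notify_change(self, name: str, new_addr: str) -> str:
        """Push notification from the resolving system. The old mapping stays
        in force until the administrator's policy accepts the new address."""
        old = self.pinned.get(name)
        if old is None:
            return "ignored"          # nothing pinned for this name
        if self.approve(name, old, new_addr):
            self.pinned[name] = new_addr
            return "updated"
        self.pending[name] = new_addr  # held for a phone call / certificate check
        return "held"

    def allowed_addresses(self) -> Set[str]:
        """Addresses a firewall built on this table would currently permit."""
        return set(self.pinned.values())
```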
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf