Re: IPv6 w.g. Last Call on "IPv6 Node Information Queries"

On Sat, 12 Jul 2003, Robert Elz wrote:
>   | If you can't trust the guy whose NIQ's you're answering to enough that you 
>   | need to obfuscate the association between RFC3041 and non-RFC3041 
>   | addresses, you shouldn't be answering those NIQ's at all.
>
> Pekka, couldn't you say the exact same thing about DNS queries?

Not really..

> The two are just different mechanisms for getting the same information
> after all (well, similar information anyway, each has advantages over
> the other for different uses).
>
> I haven't heard anyone claiming that DNS queries should be blocked at
> site borders, because you can't trust the big outside world to know
> any of that information.

.. you don't query DNS information from the nodes themselves.  You query 
it from designated DNS servers.

Now, if NIQ mechanism would be made so that the nodes would report their
hostname<->address mappings to some site-specific registries, and one
would be able to query the data from those registries (applicable to the
policy set by the network administrator for such queries), we would be
talking about an entirely different thing.. not too far from DNS + dynamic 
updates (or IETF-specified protocol for standard Looking Glass lookups for 
certain information about routers, depending on whether you're looking at 
querying information from hosts or routers.)

> But there's absolutely nothing here that mandates that people should be
> told that they really should block all NIQ packets, any more than we
> would consider telling people that they should block all DNS packets.

Blocking them would be very much in line with the intended applicability
of NIQs as written down AFAICS.  I'd like to implement the stick
(blockage)  in addition to the carrot (nice words about applicability) in
the NIQ specification so that it's not misused.

Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to majordomo@sunroof.eng.sun.com