Network2/Design: Difference between revisions
mNo edit summary |
|||
(5 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
{{Network2 header}} |
|||
== IPv6 Configuration == |
== IPv6 Configuration == |
||
Prerequisite concepts: [[Network2/Concept/Peer|peer]], [[Network2/Concept/Server|server]], [[Network2/Concept/IPv6|IPv6]], [[Network2/Concept/Link|link]], [[Network2/Concept/Router|router]], [[Network2/Concept/Prefix|prefix]], [[Network2/Concept/Tunnel|tunnel]], [[Network2/Concept/dnshash|dnshash]] |
|||
'''Peers:''' |
'''Peers:''' |
||
Line 24: | Line 26: | ||
== DNS Configuration == |
== DNS Configuration == |
||
Prerequisite concepts: [[Network2/Concept/Server|server]], [[Network2/Concept/Discovery|discovery]], [[Network2/Concept/Presence|presence]], [[Network2/Concept/Authentication|authentication]] |
|||
One of the server's most important jobs is to get itself on appropriate internetworks so that it can dynamically map stable (DNS) names to unstable names (IPv6 addresses) for itself and its peers. |
One of the server's most important jobs is to get itself on appropriate internetworks so that it can dynamically map stable (DNS) names to unstable names (IPv6 addresses) for itself and its peers. |
||
Line 39: | Line 42: | ||
(NB: In order to perform this update, it will usually have been necessary for the peer to have been cryptographically introduced to the server.) |
(NB: In order to perform this update, it will usually have been necessary for the peer to have been cryptographically introduced to the server.) |
||
== Unfinished Ideas == |
|||
==== Security ==== |
|||
This ''optional'' section is included merely to offer some hints about where we think communications security ought to be headed. |
|||
# Spoofing, Integrity, Confidentiality. See [[communications security]] and [http://passpet.org/ petnames] for some background. A very rough road along which something reasonable ''might'' lie: |
|||
#* Use [http://dev.laptop.org/git/projects/barcode physical introduction] to CNAME <tt>cscott.michael.laptop.org</tt> to <tt>''<key>''.cscott.laptop.org</tt>. |
|||
#* Then, my [http://dnscurve.org dnscurve]-compatible DNS resolver will refuse to give me addresses unless the nameserver I contact for cscott proves knowledge of cscott's private key. |
|||
#* Then I have a nice basis with which to configure IPsec security associations. |
|||
# System Integrity |
|||
# DoS |
|||
==== Performance ==== |
|||
Wad points out that people writing software are probably going to want some help figuring out what routes are ''best'' to use. (e.g. in terms of bandwidth, latency, jitter, integrity, confidentiality, availability, ...) |
Latest revision as of 06:01, 29 July 2009
IPv6 Configuration
Prerequisite concepts: peer, server, IPv6, link, router, prefix, tunnel, dnshash
Peers:
Your job is to be an IPv6 node. Consequently, when you bring up your interfaces,
- You might discover an IPv6 router advertising on one of your links.
- (See sysctl net.ipv6.conf.all.accept_ra and related variables.)
- You might try out dhcp6c.
- You might have some kind of IPv4 connectivity. If so, connect to the Internet or to other internetworks of your choice.
- Use dnshash to add guessable link-local addresses to all your interfaces.
Servers:
Your job is to be an IPv6 router and a DNS server. One of several situations might obtain:
- You might discover an IPv6 router advertising one or more IPv6 prefixes on your outbound link(s).
- You might have some kind of IPv4 connectivity. If so, connect to the Internet or to other internetworks of your choice.
- You might be under a tree. If so, generate a Unique Local Address prefix.
- (Use dnshash to add guessable link-local addresses to all your links?)
When done, use radvd or dhcp6d to share addresses.
DNS Configuration
Prerequisite concepts: server, discovery, presence, authentication
One of the server's most important jobs is to get itself on appropriate internetworks so that it can dynamically map stable (DNS) names to unstable names (IPv6 addresses) for itself and its peers.
Discovery:
Peers need help locating one or more DNS servers. See RFC 4339 for available mechanisms; pay particular attention to RDNSS discovery.
Update
Here are two approaches for solving the update problem, based on how peers might want to communicate with DNS servers:
- Use a DNS UPDATE client like ipcheck or ddclient with shared keys with a DNS server like BIND.
- Run a bespoke control protocol over an existing secure tunnel, e.g. something based on with XML-RPC over HTTPS + client certs or on access to a restricted shell over SSH.
(NB: In order to perform this update, it will usually have been necessary for the peer to have been cryptographically introduced to the server.)