[ipv6hackers] dynamic global hostname
Douglas Otis
dotis at mail-abuse.org
Tue Oct 11 20:59:52 CEST 2011
On 10/7/11 1:26 PM, Iljitsch van Beijnum wrote:
> This is pretty cool: on my Mac running 10.7 if I set a dynamic global hostname in the sharing settings, I get:
>
> dulcinea:~ iljitsch$ host dulcinea.bonjour.muada.nl
> dulcinea.bonjour.muada.nl has address 163.117.139.69
> dulcinea.bonjour.muada.nl has IPv6 address 2001:720:410:100f:7928:189c:e351:8001
>
> That's at work. At home I'm behind a pretty dumb NAT and then:
>
> dulcinea:~ iljitsch$ host dulcinea.bonjour.muada.nl
> dulcinea.bonjour.muada.nl has IPv6 address 2001:470:1f0b:1289:e8b3:2400:d959:f2a9
>
> This also worked under MacOS 10.4 but as of 10.5 IPv6 addresses were no longer registered using dynamic DNS updates because with the IETF mandate for a stateful firewall the thinking was that for IPv6 incoming sessions were even less likely to work than for IPv4, where at least there's NAT-PMP and UPnP IGD.
>
> Interestingly, most of the time my temporary address is put in the DNS but one time it was the MAC-derived address.
>
> If you want to experiment, bonjour.muada.nl accepts dynamic updates without authentication. But remember that if you enable advertising services this is exactly what happens and anyone can see what services you run on which address/port.
A service is offered by Apple using (mobile me?) where Kerberos
(rfc4120) uses the Unique Local Address (ULA rfc4193) and runs a dynamic
DNS update (rfc2136) where IPsec (rfc4301) is employed for end-to-end
security. Kerberos is also used to secure DNS-SD (Bonjour) stuck as an
I-D. It should not matter whether UPnP or NAT-PMP is used, although
NAT-PMP scales without causing excessive traffic. See
http://tools.ietf.org/html/rfc6281.
BTW, RDNSS and DNSSL extensions appear to exist as a set of
patches about to be released in FreeBSD version 9, along with Capsicum
sandboxing framework, AES-XTS for block level encryption (such as disk
drives) that avoids the problems of plain CBC chaining. The latest
snapshots require Itanium platforms. The release had been scheduled for
Sept 7, but appears to be running late.
-Doug
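
The thread notes that the address registered by dynamic DNS update was usually a temporary address but once the MAC-derived one, and that ULAs are used for the secured service. As an added example (not part of either message), this audits published AAAA values for a modified EUI-64 interface identifier, which exposes the host's MAC address, and tags ULA scope. The function names and the `2001:db8::` and `fd12:` records are constructed for illustration; the first record is the address quoted in the thread.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")          # RFC 4193 unique local addresses
LINK_LOCAL = ipaddress.ip_network("fe80::/10")

def classify_aaaa(addr: str) -> dict:
    """Classify one AAAA value: scope, and whether the IID is MAC-derived."""
    ip = ipaddress.IPv6Address(addr)
    iid = ip.packed[8:]                         # low 64 bits = interface identifier
    scope = "ula" if ip in ULA else "link-local" if ip in LINK_LOCAL else "global"
    result = {"address": str(ip), "scope": scope, "iid": "opaque", "mac": None}
    # Modified EUI-64 (RFC 4291, Appendix A): ff:fe is inserted in the middle
    # of the 48-bit MAC and the universal/local bit (0x02) is inverted.
    # A random IID matches this pattern by chance about once in 65536.
    if iid[3:5] == b"\xff\xfe":
        mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
        result["iid"] = "eui64"
        result["mac"] = ":".join(f"{b:02x}" for b in mac)
    return result

def mac_leaking_records(records):
    """Return (name, mac) for every globally scoped record that reveals a MAC."""
    hits = []
    for name, addr in records:
        info = classify_aaaa(addr)
        if info["iid"] == "eui64" and info["scope"] == "global":
            hits.append((name, info["mac"]))
    return hits

# Constructed zone contents, except the first address (quoted in the thread).
SAMPLE = [
    ("dulcinea.bonjour.muada.nl", "2001:720:410:100f:7928:189c:e351:8001"),
    ("host-a.example", "2001:db8:0:1:200:5eff:fe00:5301"),   # EUI-64, global
    ("host-b.example", "fd12:3456:789a:1:200:5eff:fe00:5302"),  # EUI-64, ULA
]

if __name__ == "__main__":
    for name, addr in SAMPLE:
        print(name, classify_aaaa(addr))
    print("MAC exposed in global DNS:", mac_leaking_records(SAMPLE))
```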