On Mar 9, 2007, at 2:41 AM, Brian E Carpenter wrote:
> Phill,
> I'm not playing with words. The style of 'connection' involved in a
> SIP session with proxies is very different from that of a classical
> TCP session or a SOAP/HTTP/TCP session, or something using SCTP for
> some signalling purpose. And audio or video streaming over RTP is
> something else again.
> Java programmers that I know already open/close by DNS name without
> knowing whether IPv6 is in use. But that is the plain TCP style of
> session, underneath. There is a lot more than that in the network.
Once IPv4 and IPv6 converge to a greater degree, going from point A
to point B will represent a more complex journey. For DNS to better
facilitate this transition, where encapsulation or tunneling
techniques might be used, a greater amount of information could prove
useful. Much of this information may help make the IPv4 journey
transparent. The added complexity better navigates through this new
landscape and might help Phillip obtain his goals of communicating
between points A and B using multiple protocols and connections.

IPv6 Aggregatable Global Unicast Address Format allows the IPv4
address to be embedded into the IPv6 header. Neighbor Discovery uses
the 6to4 prefix in DNS. Teredo permits existing IPv4 NATs to forward
traffic, rather than expecting a NAT to perform the IPv4 to IPv6
translation. Of course there are also the IPv6 to IPv4 relays, where
the mapping might be dynamically assigned.

Despite a widely held and perhaps altruistic view that network
providers only need to be concerned about connectivity, in reality
they also have the unprofitable and undesired task of excluding
unwanted traffic. Altruism of Internet Openness must be tempered by
network provider stewardship curbing unwanted traffic. Translations
and much larger address space impinge upon this essential, albeit
thankless task. Without this stewardship, the Internet will suffer
from the bad behavior of a few, making the Internet unusable for
everyone.

Cryptography offers a solution, but only when also combined with a
safe, lightweight means for authorizing the transmitter. The most
practical means for bridging between these disparate worlds of IPv4
and IPv6 would be through the use of DNS validated names. In other
words, Name X authorizes Name Y that has been validated using
existing DNS records. An extensible means for implementing such name
based authorization could be by name hash labels. The underlying
reason for authorization is to prevent cryptographic signature replay
abuse. Constraining bandwidth currently curtails much of the
unwanted traffic while avoiding more draconian techniques.

Phillip has considered this topic more broadly and is proposing a
grander scheme. Working on a comprehensive and safe solution at this
time makes a good deal of sense. As UDP will be carrying much of the
traffic, where UDP itself is connectionless, the scope could be
generalized at the packet. Of course no scheme would be efficient on
a per packet basis.

-Doug
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
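Doug's message above names 6to4 and Teredo as the transition mechanisms that carry an IPv4 endpoint inside IPv6, and then points out that operators filtering unwanted traffic have to cope with the translations and the larger address space. The following is an added example written for this edit, not code from the thread or from any of its participants. In both mechanisms the IPv4 endpoint is carried in the IPv6 address itself: RFC 3056 places the IPv4 address in bits 16-47 of a 2002::/16 address, and RFC 4380 places the Teredo server's IPv4 address in bits 32-63, the flags in bits 64-79, and the client's external port and IPv4 address, each XORed with all-ones, in bits 80-95 and 96-127 of a 2001::/32 address. The sample addresses and the IPv4 blocklist (the 192.0.2.0/24 documentation range) are constructed for the example; the function names are this example's own.

```python
"""Map tunnelled IPv6 sources back to the IPv4 address an existing filter knows.

Added example (not from the IETF thread). Decodes the IPv4 endpoints embedded
in 6to4 (RFC 3056) and Teredo (RFC 4380) addresses and applies an IPv4 policy
to them. Caveat demonstrated in main(): the embedded address is written by the
sender and is not authenticated, so a filter keyed on it can be fooled.
"""
import ipaddress
from typing import Iterable, Optional

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")  # RFC 3056 prefix
TEREDO = ipaddress.IPv6Network("2001::/32")       # RFC 4380 prefix


def embedded_ipv4(addr: str) -> Optional[dict]:
    """Return the IPv4 endpoint(s) carried in a 6to4 or Teredo address, else None."""
    a = ipaddress.IPv6Address(addr)
    n = int(a)  # the 128-bit address as an integer, bit 0 = leftmost
    if a in SIX_TO_FOUR:
        # 2002:WWXX:YYZZ::/48 -> IPv4 W.X.Y.Z sits in bits 16..47
        v4 = ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)
        return {"kind": "6to4", "ipv4": str(v4)}
    if a in TEREDO:
        # prefix(32) | server IPv4(32) | flags(16) | ~port(16) | ~client IPv4(32)
        server = ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF)
        flags = (n >> 48) & 0xFFFF
        port = ((n >> 32) & 0xFFFF) ^ 0xFFFF           # obfuscated with all-ones
        client = ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)
        return {
            "kind": "teredo",
            "server": str(server),
            "client": str(client),   # the NAT's public address, not the host's
            "port": port,
            "cone": bool(flags & 0x8000),  # C bit, the top bit of the flags field
        }
    return None


def ipv4_policy_key(addr: str) -> Optional[str]:
    """The IPv4 address an IPv4-based blocklist should be consulted for."""
    info = embedded_ipv4(addr)
    if info is None:
        return None  # native IPv6; no IPv4 to look up
    return info["ipv4"] if info["kind"] == "6to4" else info["client"]


def should_drop(src: str, blocked_v4: Iterable[ipaddress.IPv4Network]) -> bool:
    """Drop a tunnelled packet whose embedded IPv4 endpoint is on the blocklist."""
    key = ipv4_policy_key(src)
    if key is None:
        return False
    v4 = ipaddress.IPv4Address(key)
    return any(v4 in net for net in blocked_v4)


def main() -> None:
    # Constructed blocklist and sample sources (documentation ranges only).
    blocked = [ipaddress.IPv4Network("192.0.2.0/24")]
    samples = [
        "2002:c000:0204::1",                          # 6to4 from 192.0.2.4
        "2001:0000:4136:e378:8000:63bf:3fff:fdd2",    # Teredo client 192.0.2.45:40000
        "2001:db8::1",                                # native IPv6, nothing embedded
        "2002:c633:6401::1",                          # 6to4 from 198.51.100.1 (not blocked)
    ]
    for s in samples:
        print(f"{s:42} embedded={embedded_ipv4(s)} drop={should_drop(s, blocked)}")
    # The embedded value is under the sender's control: an attacker can put a
    # trusted IPv4 in the address just as easily as a blocked one. Mapping back
    # to IPv4 reuses existing lists but does not authorize the transmitter.
    forged = "2002:c633:6401::1"  # claims 198.51.100.1, which the sender need not own
    print("forged 6to4 passes the IPv4 list:", not should_drop(forged, blocked))


if __name__ == "__main__":
    main()
```

For 6to4 the decoded address is the 6to4 router (or relay) whose address was used to build the prefix; for Teredo it is the client's NAT's external address as observed by the Teredo server, with the port recovered by undoing the XOR. Neither value is verified by anyone on the path, which is why the mapping helps reuse IPv4 reputation data but does nothing about the sender-authorization problem Doug raises.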