
FOSDEM 2020 Bruxelles: IPv6 LLU Endpoint Support in DNS .. and its implementation in djbdnscurve6

Sections: Scope & Objectives; Scoped IPv6 Address Support; Qualifying the DNS (stub) Resolver; Case Studies & Outlook; Backup Slides; Literature


  1. FOSDEM 2020 Bruxelles: IPv6 LLU Endpoint Support in DNS .. and its implementation in djbdnscurve6

     Erwin Hoffmann, feh@fehcom.de, https://www.fehcom.de (February 2, 2020)

  2. Outline

     djbdnscurve6 is a fork of Daniel Bernstein's djbdns with focus on complete user space IPv6 support. It is based on the fehQlibs library providing the required 'C' routines for IP address parsing, socket calls together with byte & string handling. The fehQlibs also include a DNS stub resolver library. Using these libraries, DNS servers and DNS resolvers can efficiently use IPv6 LLU endpoint addresses for DNS message exchange.

     Topics:
     1. Short history and coverage of fehQlibs and djbdnscurve6
     2. Benefits of using IPv6 LLU endpoint addresses for DNS
     3. Applying IPv6 LLU support for servers
     4. Integration of IPv6 LLU endpoint addresses for DNS stub resolvers and applications using those services
     5. Use cases and outlook

     The achieved results are partially based on my lectures 'Moderne Netzstrukturen' given at the Frankfurt University of Applied Sciences and 'Distributed Systems' given at the Vietnamese German University in Ho Chi Minh City while applying those to DJB's routines and enhancing them for missing functionality, like IPv6 support. Some more details about the IPv6 protocol can be found in my book 'Technik der IP-Netze' (German only).

  3. History and coverage of fehQlibs and djbdnscurve6

     • For 20 years now I have tried to keep the SW of Daniel J. Bernstein (DJB) up-to-date; among others, like Felix von Leitner (fefe) [6].
     • Apart from qmail, for which I have created a fork s/qmail, over the last two years I published in collaboration with Kai Peter the so-called qlibs or fehQlibs [5].
     • Applying that library, the existing DNS implementation of DJB – djbdns – has been refactored entirely, including native IPv6 support and also providing an integrated implementation of CurveDNS for the dnscache server [4].
     • Current release is djbdnscurve6-36a together with fehQlibs-12c. (Vers 3)
     ↪ Goal was an implementation of DNS caching server, dealing with the well-known problem of the 'Byzantine Generals' [3] for 'Distributed Systems' without using digital signatures as available in DNSSec.

     [Table: DNS server modules in * and their capabilities (n/a: not applicable). Rows: tinydns, walldns, rbldns, dnscache (resolving), axfrdns. Columns: TCP, UDP, EDNS0, CurveDNS.]

     [Table: DNS client modules in djbdnscurve6 and their capabilities. Rows: dnsip, dnstxt, dnsname, dnsmx. Columns: TCP, UDP, EDNS0, CurveDNS.]

  4. Why IPv6 LLU support for DNS? (raison d'être)

     The use of IPv6 Link Local Unicast (LLU) addresses in the context of DNS is not very clearly described. Here, we have to distinguish two general cases:

     Case 1: IPv6 LLU addresses in Zone files

     "2.1. Limited-Scope Addresses. The IPv6 addressing architecture [RFC4291] includes two kinds of local-use addresses: link-local (fe80::/10) and site-local (fec0::/10). The site-local addresses have been deprecated [RFC3879] but are discussed with unique local addresses in Appendix A. Link-local addresses should never be published in DNS (whether in forward or reverse tree), because they have only local (to the connected link) significance [WIP-DC2005]."

     RFC 4471 [11] simply expresses the impossibility to provide successfully limited-scoped IPv6 addresses outside the link-local segment.

     Case 2: IPv6 LLU endpoint addresses

     Nobody forbids us from using IPv6 LLU addresses to be the endpoint of a DNS service. However, we have to solve two distinct problems:
     1. The DNS server must be able to bind to an IPv6 LLU address; thus possess knowledge of the respective Interface Index: fe80::53%eth0.
     2. The DNS (stub) resolver must be supplied with a hint via which interface a DNS server is reachable given its IPv6 LLU address.

     ↪ Solutions for these challenges are given in this talk using the particular DNS implementation of djbdnscurve6 as a blueprint; but not requiring those.

  5. IPv6 SLAAC and Router Advertisements

     After a successful Stateless Address Autoconfiguration (SLAAC) of the IPv6 node, Router Advertisements (RA) are used to provision the nodes with configuration information. In particular, the IPv6 routers are reachable on the local link segment via their IPv6 LLU addresses.

     RFC 8106 [15] defines the RA option 25 allowing to deploy
     • a list of Recursive DNS Servers RDNSS given their IPv6 address and
     • a DNS Search List DNSSL.

     RFC 8106 does not state which kind of IPv6 address shall be used here. The client receiving this information may associate the IPv6 LLU address with the link-local segment at which the ICMPv6 message was received.

     [Figure: Principle of IPv6 SLAAC and subsequent provisioning of network configuration by means of router advertisements (RA); including DNS information. Labels: Link prefix = p, IPv6 addr = Y, MAC addr = a, IPv6 addr = X, Link token = <a>, sub net 1, Router, sub net 2 (e.g. Ethernet). MA: Multicast Address. Messages shown:]
     1 NS: IPv6 {..., Source IPv6 addr = :: (Unspecified address), Target IPv6 addr = ff02::1:ffLId (SNMA address), NS [Type = 135, ...]} (no MAC address as option!)
     2 RS: IPv6 {..., Source IPv6 addr = fe80::<a> (LLU address), Target IPv6 addr = ff02::2 (All Routers MA), ..., RS [Type = 133, ..., Option (Source MAC addr = a)]}
     3 RA (Option 25): IPv6 {..., Source IPv6 addr = X, Target IPv6 addr = ff02::1 (All Nodes MA), ..., RA [Type = 134, ..., Option (RDNSS [IPv6], DNSSL)]}

  6. Using the scoped IPv6 address for socket binding

     IPv6 has a hierarchical understanding of the purpose of an IPv6 address given the first bits in here:
     • ↑ Unspecified address (without a particular scope).
     • ↕ Unicast addresses (with scope global, site- and link-local).
     • ↓ Multicast addresses and in particular the automatic Solicited Node Multicast Address (SNMA).

     IPv6 carries the idea to have scoped addresses telling to which interface to bind with. For TCP/UDP socket communication, this requires to add an Interface Index to the socket call; defaulting to '0' except for IPv6 link local unicast (LLU) addresses.

     ↪ IPv6 LLU addresses require an additionally supplied Interface Index or Interface Name for a successful binding: fe80::53%eth0

     Table: Systematic of IPv6 addresses [10]

     | Type | Net ID | Prefix length |
     |---|---|---|
     | Unspecified | :: | /128 |
     | Loopback | ::1 | /128 |
     | IPv4-mapped IPv6 | ::ffff | /96 |
     | Unique-Local Unicast ULA | fc00 | /7 |
     | Link-Local Unicast LLU | fe80 | /10 |
     | Site-local Unicast SLU | fec0 | /10 |
     | Multicast (MC) | ff | /8 |
     | Solicited-Node MC | ff02::1:ff | /104 |
     | All-Node MC | ff02::1 | /128 |
     | All-Router MC | ff01::2 | /128 |
     | mDNSv6 MC [RFC 6762] | ff01::fb | /128 |

     [Figure: Overview of the IPv6 address hierarchy]
     • Global: Global Unicast, 2000::/3; unique, route-able within the IPv6 Internet
     • ULA: Unique Local Unicast, fc00::/7; unique and route-able in local link-segments
     • LLU: Link Local Unicast, fe80::/10; solely useable in local link segment; autonomous derived, not unique; LLU requires interface index
     • Host: Unspecified address, ::/128; used as sender address for multicasts

  7. Interface Index & Dual Stack binding

     Interface Index and binding:

     For any servers, in particular DNS servers, we can realize binding to IPv6 LLU addresses by two different schemes:
     1. We may include the Interface name as additional argument together with the IPv6 address upon call: tcpserver -Ieth0 fe80::1
     2. We could use a composite IPv6 address including both the address and the Interface Name linked with the usual '%' (percent) sign (similar to a prefix notation): fe80::53%eth0

     ↪ The kernel requires to bind to the interface given its Interface Index (aka scope index). We can use the IPv6 socket function 'socket_getifidx' in order to derive this from the Interface Name.

     Dual Stack binding:

     For IPv4, there exists the convenient notation to specify a '0' in order to bind to all available IPv4 addresses upon call. It is desirable for DNS servers to bind commonly to IPv4 and IPv6 addresses in order to supply the identical information to any clients asking the server, irrespective of whether the query arrives via IPv4 or IPv6.

     ↪ In djbdnscurve6 and ucspi-tcp6 as well as ucspi-ssl, I've chosen the abbreviation ':0' to provide native dual-stack binding. Some care needs to be taken in order to set the correct socket options for the target OS allowing this.

     Loopback interfaces:
     • IPv4: 127.0.0.1
     • IPv6: ::1 (global scoped)
     • IPv6: fe80::1%lo0 (local scoped)
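
The composite notation from slide 7, as an added example that is not code from the talk or from fehQlibs: a C helper (hypothetical name `parse_scoped_v6`) that splits `fe80::53%eth0` into address and zone and fills `sin6_scope_id` for a later `bind()` or `connect()`. It assumes POSIX `if_nametoindex()` in place of the library's `socket_getifidx`, additionally accepts a numeric zone such as `%7`, and rejects an LLU address that arrives without any zone.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from fehQlibs): turn "addr%zone" into a
 * sockaddr_in6 usable for bind()/connect(). Returns 0 on success, -1 on error. */
int parse_scoped_v6(const char *text, uint16_t port, struct sockaddr_in6 *sa)
{
    char addr[INET6_ADDRSTRLEN];
    const char *zone = strchr(text, '%');
    size_t alen = zone ? (size_t)(zone - text) : strlen(text);
    if (alen == 0 || alen >= sizeof addr) return -1;  /* bound the copy */
    memcpy(addr, text, alen);
    addr[alen] = '\0';
    memset(sa, 0, sizeof *sa);
    sa->sin6_family = AF_INET6;
    sa->sin6_port = htons(port);
    if (inet_pton(AF_INET6, addr, &sa->sin6_addr) != 1) return -1;
    if (zone) {
        zone++;                                       /* skip '%' */
        if (*zone == '\0' || strlen(zone) >= IF_NAMESIZE) return -1;
        unsigned int idx = if_nametoindex(zone);      /* interface name -> index */
        if (idx == 0) {                               /* else accept numeric "%7" */
            char *end;
            if (!isdigit((unsigned char)zone[0])) return -1;
            unsigned long n = strtoul(zone, &end, 10);
            if (*end != '\0' || n == 0 || n > UINT32_MAX) return -1;
            idx = (unsigned int)n;
        }
        sa->sin6_scope_id = idx;
    }
    /* fe80::/10 without an interface index is ambiguous on a multi-homed
     * host: refuse it here rather than fail later in bind() or connect(). */
    const uint8_t *b = sa->sin6_addr.s6_addr;
    if (b[0] == 0xfe && (b[1] & 0xc0) == 0x80 && sa->sin6_scope_id == 0) return -1;
    return 0;
}

int main(void)
{
    struct sockaddr_in6 sa;   /* constructed sample input: numeric zone 7 */
    int rc = parse_scoped_v6("fe80::53%7", 53, &sa);
    printf("rc=%d scope_id=%u\n", rc, (unsigned)sa.sin6_scope_id);
    return rc;
}
```

Validating the zone at parse time keeps an unknown interface name from silently becoming scope 0, which would let the kernel pick the link.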
