Date: Thu, 24 Aug 2006 13:42:29 -0500
From: Brooks Davis <brooks@one-eyed-alien.net>
To: Fredrik Lindberg <fli+freebsd-net@shapeshifter.se>
Cc: freebsd-net@freebsd.org, Pat Lashley <patl@volant.org>, Doug Barton <dougb@freebsd.org>
Subject: Re: Zeroconfig and Multicast DNS
Message-ID: <20060824184228.GC37561@lor.one-eyed-alien.net>
In-Reply-To: <44EDF116.9050106@shapeshifter.se>
References: <3E654CC0217F90E20FCD806E@garrett.local> <44EC90B7.6090908@shapeshifter.se> <44ECB0F2.9040300@FreeBSD.org> <44ECBB61.9020808@shapeshifter.se> <5D7785ADC030FEBFB9A5E69D@garrett.local> <44ED8266.1060303@shapeshifter.se> <7C6CDF1CB0BC58A6ADE1FCA8@garrett.local> <44EDCEC2.7060109@shapeshifter.se> <93381966E13B960D4ACFF05C@garrett.local> <44EDF116.9050106@shapeshifter.se>
On Thu, Aug 24, 2006 at 08:33:58PM +0200, Fredrik Lindberg wrote:
> Pat Lashley wrote:
> >>> Things get a bit more complex for multi-homed hosts; especially if they
> >>> are connected to more than one local link using IPv4 Link Local
> >>> Addressing...
> >>
> >> Well, I already have a proof-of-concept of this running a multi-homed
> >> responder and hosts on both ends resolve the addresses correctly.
> >>
> >> A multi-homed host with two interfaces configured in 169.254/16 will
> >> have other major problems beyond mDNS as the host would treat
> >> both interfaces as being on the same net even if they are
> >> physically separated.
> >
> > And that's one of the things that we'll have to fix if we want LLA and
> > mDNS to work correctly. The default should probably be to assume that
> > they are separate; but to recognize if they are in fact on the same
> > link. That should be easy enough to do since the LLA packets sent out on
> > one interface will be seen by the other one when they are on the same link.
> >
>
> Um...I'm not sure if this is even possible. Let's forget mDNS and
> go back to basic IP.
> Say a multi-homed host has two interfaces both configured with an
> address in the range 169.254/16, say 169.254.1.1 and 169.254.2.1 and
> it wants to initiate a connection to 169.254.3.1, how on earth should
> it be able to tell on which side 3.1 is located? There might even be
> one 3.1 on both sides that could be completely different hosts.

You probably would need an extension similar to the one for IPv6 LLAs,
i.e. the %bge0 in fe80::2e0:81ff:fe31:9f00%bge0.

> >>> As I mentioned in an earlier posting, I would really like to see it
> >>> support multiple TLDs for a single host. In particular, if I'm using
> >>> example.com, then mumble.local and mumble.example.com should both
> >>> resolve via mDNS to the IP address of host mumble. Similarly, services
> >>> advertised by host mumble should automatically be listed in both
> >>> domains.
> >>
>
> Ok, some kind of alias that will propagate for all records. I don't
> have a good solution to it yet, I need to think about this but I do
> get your point (and I can see the benefit with it).
>
> >> Well, $(hostname).example.com. A $(ifaddr) :)
> >> You would have to configure the NSS module to allow .com queries too.
> >
> > The NSS module shouldn't have to know which domains mDNS is handling. It
> > should just attempt to resolve the FQDN given, using mDNS. If it fails,
> > resolution will fall back to the next module listed in nsswitch.conf. (I
> > envision the default as being: files mdns dns)
>
> This suggestion is VERY VERY dangerous. Any responder on the network
> could very well decide to respond to, for example, www.google.com (or to
> the address of your internet banking site). What you see in your browser
> would be www.google.com and the page might look like Google but you
> won't be at the site you think. Having the responder resolve names
> with real TLDs means that it will resolve names that it does not have
> the authority over.
>
> The nsswitch.conf should IMHO be: files dns mdns, and the mdns nss
> module should ship with a default to only allow queries to
> .local
> .168.254.in-addr.arpa
> .168.192.in-addr.arpa
> .16.172.in-addr.arpa-31.172.in-addr.arpa
> .10.in-addr.arpa
>
> And whatever set of IPs that are assigned as link/site-local for IPv6,
> I don't remember them at the moment.
> However it should be possible for a user to add whatever TLD he/she
> wants or disable the restriction altogether. But the default should
> be restricted to prevent name spoofs.

Agreed. In most environments a spoof will still be possible, but it would
be harder and would require traffic that is detectable by a good IDS.

-- Brooks
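The allow-list Fredrik proposes for the mDNS NSS module, worked through as an added example (this is not code from the thread or from any FreeBSD mDNS project). Forward queries are handed to mDNS only under .local, and reverse queries only when the decoded address falls inside 169.254/16 or the RFC 1918 ranges the thread lists; the reverse zones are derived from those CIDR prefixes rather than typed as zone strings. The IPv6 ranges (link-local fe80::/10 and unique-local fc00::/7) are this example's assumption, since the thread leaves them open. The `extra_suffixes` and `unrestricted` parameters are hypothetical knobs standing in for the per-user override Fredrik describes.

```python
import ipaddress

# Constructed policy following the default restriction proposed in the thread:
# forward queries go to mDNS only under .local; reverse queries only for IPv4
# link-local and RFC 1918 space.  The IPv6 entries are this example's
# assumption, as the thread does not name them.
DEFAULT_FORWARD_SUFFIXES = ("local",)
DEFAULT_REVERSE_NETWORKS = tuple(
    ipaddress.ip_network(cidr)
    for cidr in (
        "169.254.0.0/16",   # IPv4 link-local
        "192.168.0.0/16",   # RFC 1918
        "172.16.0.0/12",    # RFC 1918 (172.16 through 172.31)
        "10.0.0.0/8",       # RFC 1918
        "fe80::/10",        # IPv6 link-local (assumption)
        "fc00::/7",         # IPv6 unique-local (assumption)
    )
)


def reverse_name_to_address(name):
    """Decode an in-addr.arpa / ip6.arpa name back into an address object.

    Returns None unless the name is a complete, well-formed reverse name;
    a partial or garbled reverse name must never match the allow-list.
    """
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]
        if len(octets) != 4:
            return None
        try:
            return ipaddress.IPv4Address(".".join(reversed(octets)))
        except ValueError:
            return None
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            return None
        hexdigits = "".join(reversed(nibbles))
        try:
            return ipaddress.IPv6Address(
                ":".join(hexdigits[i:i + 4] for i in range(0, 32, 4)))
        except ValueError:
            return None
    return None


def _suffix_labels(suffix):
    return [label for label in suffix.lower().strip(".").split(".") if label]


def mdns_may_resolve(name, extra_suffixes=(), unrestricted=False):
    """Decide whether an NSS lookup for `name` may be sent to mDNS.

    extra_suffixes (hypothetical) lets an administrator add domains such as
    "example.com"; unrestricted=True (hypothetical) disables the allow-list,
    the override the thread says a user should be able to choose.  Everything
    else is refused, so a responder on the link cannot answer for a name it
    has no authority over, such as www.google.com.
    """
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    if not labels:
        return False
    if unrestricted:
        return True

    # Reverse lookups: decode the address and test it against the networks.
    # An address of the wrong family is never "in" a network (ipaddress
    # returns False rather than raising), so v4 and v6 mix safely here.
    if labels[-2:] in (["in-addr", "arpa"], ["ip6", "arpa"]):
        addr = reverse_name_to_address(".".join(labels))
        return addr is not None and any(addr in net for net in DEFAULT_REVERSE_NETWORKS)

    # Forward lookups: the name must lie strictly below an allowed suffix,
    # compared label by label so that "evil.notlocal" does not pass as .local.
    for suffix in DEFAULT_FORWARD_SUFFIXES + tuple(extra_suffixes):
        sl = _suffix_labels(suffix)
        if sl and len(labels) > len(sl) and labels[-len(sl):] == sl:
            return True
    return False


if __name__ == "__main__":
    for query in ("mumble.local", "www.google.com", "1.2.254.169.in-addr.arpa",
                  "4.4.8.8.in-addr.arpa"):
        print(query, "->", "mdns" if mdns_may_resolve(query) else "refused")
```

The filter complements, rather than replaces, the `files dns mdns` ordering: even with mDNS last, a name that unicast DNS fails to resolve would otherwise reach the responder, so the allow-list is what keeps a rogue responder from answering for arbitrary TLDs.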