
Re: [IPSECKEY] Fwd: I-D ACTION:draft-richardson-ipsec-rr-01.txt




> >>>>> "Mark" == Mark Andrews <Mark.Andrews@isc.org> writes:
>     Mark> 	There is no formal identification of the gateway type in the
>     Mark> 	master file format.  This is bad as it could lead to the
>     Mark> 	gateway field being misinterpreted.
> 
>   You mean, for instance, that I could write: 192.139.46.38, meaning a
> subdomain of this newly created ICANN TLD of ".38"? 

	If the current $ORIGIN is example.net, is "192.139.46.38"
	IPv4 address 192.139.46.38 or hostname 192.139.46.38.example.net?
 
>   Or that it could somehow get confused into thinking that I really meant the
> IPv6 address ::192.139.46.38. 

	You can't confuse IPv6 and IPv4 address literals with each other.
	However, is ::192.139.46.38 the IPv6 address ::192.139.46.38 or
	::192.139.46.38.example.net?
 
>   I'm certainly open to additional syntax - do you have a suggestion?
> 
>   I'm also open to a more formal grammar for the presentation format. Oops, I
> thought that I actually used that wording. I think that I should, based upon
> other documents... oh wait, it says it one line up, but the document
> formatting of the draft is a little screwy there.
> 
>     Mark> 	Is 1.2 an IP address or an unqualified domain name?
>
>   oh, took me a bit. I thought you meant section 1.2, and that this was a new
> question.
>   I think that only fully qualified domain names should be given:
> 
>    3  A fully qualified domain name is present in the gateway field.
>       The name a <domain-name> encoded as described in section 3.3
>       of [4].  This field occupies the space until the end of the RDATA.
> 
>   In the presentation format, I can see that maybe it is reasonable to let
> the program reading it qualify it... do you have a suggestion on how we can
> distinguish things?

	No.  "1.2" is an example of an IPv4 address,  1.2 is 1.0.0.2 when
	expressed as a dotted decimal quad.

	I was just after an example that would inject as much confusion as
	possible and succeeded.

	Actually, after thinking about the unknown RR, the domain name in
	the gateway field MUST always be *treated* as fully qualified
	and case MUST be preserved, otherwise the signatures will be wrong.
	This is an unknown RR for those servers that implement unknown RRs.
	Saying that the field is to be treated as fully qualified should
	result in the case being preserved but it doesn't hurt to reiterate
	the point.

	This still leaves confusion with respect to TLDs, so there still
	needs to be a flag word identifying the field.
	* -/D/A? (let the parser work out the address type)
	* -/D/A/AAAA? (tell the parser the address type)

	I would also prefer the fields in the presentation form to be
	in the same order as the wire form.  Less confusion.

	Mark
	
>     Mark> 	As for IP addresses you should restrict them to dotted decimal
>     Mark> 	quad (this implies no leading zeros).
> 
>   Sure.
> 
> ]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
> ]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
> ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
> ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
> -
> This is the IPSECKEY@sandelman.ca list.
> Email to ipseckey-request@sandelman.ca to be removed.
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org
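
An added example, not part of the original message or the draft: one way a master-file parser could use the explicit flag word (-/D/A/AAAA) discussed above so that the gateway token is never guessed at. The function names, the reading of "-" as "no gateway" and the trailing-dot normalisation are assumptions; `legacy_aton` is a hand-written stand-in for classic inet_aton-style parsing, included only to show how "1.2" becomes 1.0.0.2 and why leading zeros are excluded.

```python
import ipaddress
import re

# Strict dotted decimal quad: exactly four decimal octets, no leading zeros.
_QUAD = re.compile(r"(0|[1-9][0-9]{0,2})(\.(0|[1-9][0-9]{0,2})){3}\Z")

def legacy_aton(text):
    """inet_aton-style parse: 1-4 parts, octal/hex allowed, last part fills the rest."""
    def num(p):
        if p[:2].lower() == "0x":
            return int(p[2:], 16)
        if len(p) > 1 and p[0] == "0":
            return int(p, 8)          # a leading zero silently means octal
        if p.isascii() and p.isdigit():
            return int(p)
        raise ValueError(p)
    try:
        nums = [num(p) for p in text.split(".")]
    except ValueError:
        return None
    *head, last = nums
    if len(nums) > 4 or any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = sum(n << (24 - 8 * i) for i, n in enumerate(head)) + last
    return str(ipaddress.IPv4Address(value))

def parse_gateway(flag, token=None):
    """Return (kind, value) for a gateway field tagged with an explicit flag word."""
    if flag == "-":                   # assumption: "-" means no gateway present
        return ("none", None)
    if flag == "A":
        if not _QUAD.match(token) or any(int(o) > 255 for o in token.split(".")):
            raise ValueError(f"not a dotted decimal quad: {token!r}")
        return ("ipv4", token)
    if flag == "AAAA":
        return ("ipv6", str(ipaddress.IPv6Address(token)))
    if flag == "D":
        # Treated as fully qualified: never append $ORIGIN, never fold case,
        # so the RDATA that gets signed is the same on every server.
        return ("domain", token if token.endswith(".") else token + ".")
    raise ValueError(f"unknown flag word: {flag!r}")
```

With the flag present, the same token "192.139.46.38" is an address under A and a name under D, and the parser never has to infer which one was meant.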