
Re: Does IPv6 preclude use of a NAT gateway?



On Tue, 12 Jul 2011, Tom H wrote:
> On Tue, Jul 12, 2011 at 2:02 PM, Henrique de Moraes Holschuh
> <hmh@debian.org> wrote:
> >
> > There are routes.  Really.  Maybe not everywhere, and maybe not all the
> > time... but the IPv4 private space is often routed.
> >
> > http://www.cidr-report.org/as2.0/#Bogons
> > http://www.cidr-report.org/as6447/#Bogons
> >
> > *Right now*, there are routes for parts of the private space being leaked
> > everywhere.
> 
> IANA also maintains some server(s) for RFC1918 leaks. More or less ten
> years ago, I was at a company where, one day, none of the Mac boxes
> could telnet to or mount AFP shares on the Solaris boxes because that
> IANA service was down and it was providing reverse DNS for RFC1918
> addresses...

That would be AS112.  The AS112 project provides an anycast cloud for the
three authoritative DNSes that take care of the IPv4 private, documentation
and link-local addresses.  They'll soon handle some of the IPv6 reverse
address space as well.

Note that AS112 clouds only route the IPv4 prefix 192.175.48.0/24, where the
BLACKHOLE-1.IANA.ORG, BLACKHOLE-2.IANA.ORG and PRISONER.IANA.ORG DNS servers
can be found, i.e. they do NOT provide a sinkhole for the IPv4 private
address space, just reverse DNS service.

http://public.as112.net/

http://tools.ietf.org/rfcmarkup?rfc-repository=http://www.rfc-editor.org/authors&doc=rfc6304&topmenu=true&document=draft-ietf-dnsop-as112-ops-09&docreplaces=draft-ietf-dnsop-as112-ops-09&title=RFC-EDITOR+AUTH48+REVIEW+COPY&extrastyle=body+{background-color:%23fee%3b}

And there is the "AS112 operator's relief" RFC:
http://tools.ietf.org/rfcmarkup?rfc-repository=http://www.rfc-editor.org/authors&doc=rfc6305&topmenu=true&document=draft-ietf-dnsop-as112-under-attack-help-help-06&docreplaces=draft-ietf-dnsop-as112-under-attack-help-help-06&title=RFC-EDITOR+AUTH48+REVIEW+COPY&extrastyle=body+{background-color:%23fee%3b}

Sorry about the long URLs, RFCs-to-be don't have nice short URLs (or I don't
know them).

PS: that does mean the company you worked at had incompetent DNS
administrators (if they had any at all).

PS2: Debian ships bind properly configured by default to never leak requests
that would end up answered by AS112.  I am not sure about the other
nameservers, though.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
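
Added example, not part of the original message and not code from Debian or the AS112 project: a check a resolver operator could run over a log of queries forwarded upstream to spot reverse lookups that would be answered by AS112 instead of a local zone. The zone list is the IPv4 set from RFC 6304; the log format, sample lines and function names are assumptions made for this illustration.

```python
import ipaddress

# IPv4 reverse zones delegated to the AS112 servers (RFC 6304):
# 10/8, 172.16/12, 192.168/16 and link-local 169.254/16.
AS112_ZONES = (
    ["10.in-addr.arpa", "168.192.in-addr.arpa", "254.169.in-addr.arpa"]
    + [f"{n}.172.in-addr.arpa" for n in range(16, 32)]
)

def ptr_name(addr):
    """Reverse-DNS owner name for an address, e.g. 10.1.2.3 -> 3.2.1.10.in-addr.arpa."""
    return ipaddress.ip_address(addr).reverse_pointer

def as112_zone(qname):
    """Return the AS112 zone that would answer qname, or None if it is not covered."""
    name = qname.rstrip(".").lower()
    for zone in AS112_ZONES:
        # Match on a label boundary so 110.in-addr.arpa is not taken for 10.in-addr.arpa.
        if name == zone or name.endswith("." + zone):
            return zone
    return None

def find_leaks(log_lines):
    """Scan '<client> <qtype> <qname>' lines (hypothetical format for queries
    sent upstream) and return (client, qtype, qname, zone) for each AS112 leak."""
    leaks = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of guessing
        client, qtype, qname = parts
        zone = as112_zone(qname)
        if zone is not None:
            leaks.append((client, qtype, qname, zone))
    return leaks

# Constructed sample input, not taken from any real resolver.
SAMPLE_LOG = [
    "192.168.1.20 PTR 5.1.168.192.in-addr.arpa.",
    "192.168.1.20 A www.debian.org.",
    "192.168.1.31 PTR 7.0.32.172.in-addr.arpa.",   # 172.32/16 is public space
    "192.168.1.31 SOA 9.20.16.172.in-addr.arpa.",  # dynamic-update probe
    "192.168.1.40 PTR 1.0.0.110.in-addr.arpa.",    # 110/8, not 10/8
]

if __name__ == "__main__":
    for client, qtype, qname, zone in find_leaks(SAMPLE_LOG):
        print(f"{client} leaked {qtype} {qname} (AS112 zone {zone})")
```

Any hit means the resolver is missing a local zone (empty or real) for that prefix.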

