Print

[grunnsat]

Hi all,

There is one aspect of the IPv6 network behind a CE router that I still haven't been able to understand, and that has to do with the DNS names of the equipment on the home network.

Let me start with the IPv4 situation.
With IPv4 all the equipment on the LAN side of my router has a DNS entry on the router. On the LAN side I can make a connection from one device to another by using its DNS name. Obviously all these devices have IP numbers in the private IP address range.
The port on the WAN side of the router has a unique IP address (94.212.60.20) and a somewhat cryptic dns name (5ED43C14.cm-7-5a.dynamic.ziggo.nl). That name can change, and is difficult to remember. So I gave it an alias (vmshome.homedns.org).
The only way I can reach any device on my LAN from the internet with IPv4 is by using the dns name, or the alias, or the IP address of the WAN port of the router with a port number (port forwarding), providing I have set up port forwarding of course.
For the IPv4 internet I don't have a LAN, and I have no devices on that LAN. The only thing I have is an end-node with the IP address and names of the WAN port of the router.
Obviously, you know all this.

And now the IPv6 situation.
On the LAN side it's all the same as with IPv4. All the IPv6 enabled equipment has DNS names on the LAN side of the router, and I can make IPv6 connections by using these DNS names.
The port on the WAN side of the router has an IPv6 address (2001:470:1f14:386::2). Actually it is the end-point of a HE tunnel, but let's pretend it is the WAN port. The alias (vmshome.homedns.org) also points to this address.
Now we get to the more difficult part. On the LAN side I have a network with the IPv6 prefix: 2001:470:d377::/48, so all my IPv6 equipment has one or more unique IPv6 addresses. But now I want to reach one of those devices from the internet (assuming the router firewall has been set up properly). In order to do so I need a DNS name, using the IPv6 address of that equipment is extremely impracticable. But there are no DNS names for my home equipment to be found on the internet.

How and where am I suppose to register the DNS names of my IPv6 enabled home equipment? Being able to connect to IPv6 devices on my home network is one of the advantages of IPv6, but without DNS names that is not really possible.

Should the CE router have a DNS server on the WAN side? Should the CE router be able to send DNS updates to the DNS server of my ISP? Or should it send the updates to an alias organization like Dyndns? I suppose I should have my own domain name, and the DNS entries should be added to that domain?

I haven't been able to find anything on this subject. Are there any RFC's on this matter, or ........

Can any one explain to me how this is suppose to work, or point me to literature on this subject? I really would like to know this.

[broquea]

You buy a domain and get your own forward dns control, or ask for more AAAA records in that homedns.org zone?

[grunnsat]

Sure, I can do something like that.

But I'm looking for a more conceptual solution usable for any consumer. What's the point of having devices with unique IPv6 addresses, directly reachable from the internet, but without the DNS names to do so? Some one must have thought about this I hope?

[cholzhauer]

I assume at that point, once the addresses are handed out by the ISP, they world take care of it

[grunnsat]

No, the ISP doesn't hand out addresses. The ISP hands out an address range to my router. At the moment HE functions as my ISP (for IPv6), and I got the address range 2001:470:d377::/48. The router sets up /64 networks from this address range. My primary network is 2001:470:d377:0::/64, and all my IPv6 devices are configured in this network and registered by the router. That is why DNS works on my LAN, all IPv6 devices are registered with a DNS name in my local LAN. Such a name can be alpha1.fritz.box. My local domain name on my LAN is fritz.box, the default domain name for a AVM Fritz!box router. The server name is Alpha1. Obviously I can not use the fully qualified name alpha1.fritz.box on the internet, since the fritz.box domain is not registered there.

In my view there should be something like a my_domain.my_ISP.com domain, and my router should be able to register the IPv6 nodes in that domain. Using the previous example, the server Alpha1 should be registered as alpha1.my_domain.my_ISP.com by using automatic dynamic DNS updates from my router.

[kasperd]

Should the CE router have a DNS server on the WAN side?

That is one way to do it. A drawback of this approach is that a DNS server on your router is less reliable than what we have come to expect from DNS where authoritative servers for a zone are usually spread across 2-3 different datacenters. But if the zone is used only for hosts behind the same router, then that may not be much of a problem. It just means clients would see DNS lookups failing instead of DNS lookups succeeding followed by connections to the address failing.

Another drawback is that the name changes for devices that move around between different networks. Say you want your phone to connect to your laptop. Works fine at home, but if you are on a different network it fails because their names are now in a different zone.

Should the CE router be able to send DNS updates to the DNS server of my ISP?

That's another way to do it. In your specific case the ISP would be HE, and HE does have a DNS service, which I think it is capable of doing this.

But the problem with names changing would still be present if the devices don't stay within the same ISP.

Or should it send the updates to an alias organization like Dyndns?

That is also a possibility, and probably a better one. Works better as devices are moving between ISPs. I believe the HE DNS service can be used in that case as well. As far as I know it will behave the same regardless of whether the updates come from inside the HE network or from outside.

I suppose I should have my own domain name, and the DNS entries should be added to that domain?

Having your own domain would be a good idea. A subdomain under a dyndns provider will work as well, if the dyndns provider have sufficient features to make it work. Using your own domain is better, if you can afford it.

I haven't been able to find anything on this subject. Are there any RFC's on this matter

I have seen one or two RFCs/drafts on the requirements for CPE in an IPv6 environment. It may mention something about this. It may however be that it only mentioned mDNS for use to establish connections between nodes in the same LAN.

What's the point of having devices with unique IPv6 addresses, directly reachable from the internet, but without the DNS names to do so?

There still is a point. Even if connections are only established from your LAN towards the Internet, it will still work more reliable if each device has its own address. And this is the scenario that most ISPs care about. For the most part they don't care about connections from the Internet to the LAN.

But you don't need this DNS service being provided by the ISP in the first place, you can use it from any provider with appropriate DNS services. And I guess you'll soon find providers offering a much better service than most ISPs. Besides if you want devices to be able to move freely between multiple ISPs and still be accessible through the same name, there isn't much point in expecting the ISP to provide the service.

Woohoo 500 posts :-)

[grunnsat]

Using a DNS server on the Wan side(s) of the CE router would actually be a bad idea. I only mentioned it as a theoretical possibility. In general I have no confidence in the quality of CE router software, and in the ability of the consumers to update their routers with new firmware, if and when available. Vulnerabilities in the CE router DNS server software could endanger the quality of the internet infrastructure as a whole.

I agree that mobile devices like telephones are a special problem. However I also know that IPv6 has special functionality for mobile devices. I don't know if that functionality can help us with this problem, that should be investigated.

Indeed at the moment HE is my IPv6 ISP, so registering my devices in their DNS servers would be the most logical approach since my addresses are in their address space. And I do think they have such a service, but I still have to to find a way how to do it, it is not done automatically by my router.

Registering the devices with an alias DNS server like Dyndns has some advantages like you described. However the disadvantage is that reverse name lookup doesn't work, so you can't find a DNS name when you enter an IPv6 address. In my view an alias should be an alias for another existing primary name, and with this solution there is no primary name.  

You are right that ISPs don't think about getting access from the internet to consumer devices. However that attitude will have to change. Consumers will want to access home automation devices from the internet. You're at your office, and before you go home you want to switch on the central heating. Or you want to access surveillance camera's at your house. Or you want to program your TV to record a program. Or, or, or........ After all that is one of the advantages of and ideas behind IPv6.

I'm using HE for my IPv6, because my ISP (ziggo.nl) is one of those zombie ISPs who take forever to supply us with native IPv6 addresses. I do think we should get our own sub-domain within the ISP domain, in fact that is the only logical way to set this up. If I would like to register my NAS, it would not be very likely that I could register it as nas.ziggo.nl. However nas.grunnsat.ziggo.nl is possible, just as tv.grunnsat.ziggo.nl etc.

Where you want to register the devices, at your ISP(s) (there are CE routers with two WAN ports for two ISPs!) and/or an alias DNS server like Dyndns, is one thing. How to register the devices there is another subject. In my view it should be done automatically by the CE router, but so far I haven't been able to establish if there are routers that can do that, or if there are RFCs dealing with this subject.

I can't imagine I'm the first one in the whole world who is thinking about this ....  

And congratulations with your 500 postings    

[kasperd]

In general I have no confidence in the quality of CE router software, and in the ability of the consumers to update their routers with new firmware, if and when available. Vulnerabilities in the CE router DNS server software could endanger the quality of the internet infrastructure as a whole.

Relevant point. It is harder to exploit vulnerabilities in the router if it has services open to the Internet. If it only has services open towards the LAN, they become much harder to exploit remotely.

I agree that mobile devices like telephones are a special problem. However I also know that IPv6 has special functionality for mobile devices. I don't know if that functionality can help us with this problem, that should be investigated.

Those protocols aim at keeping the IP of the device static as the device is moving between networks. The way it works is by the device having a static home address and a dynamic address assigned by the network it is currently on.

As the device gets a new dynamic address it connects back to it home network to let the home network know its current location.

I do not think this feature is widely deployed. I think you have a much better chance of getting something working well, if you update the name in DNS to point to the new address.

Registering the devices with an alias DNS server like Dyndns has some advantages like you described.

Usually you have an IP address in the records at the dyndns provider, not a CNAME. You can have your own domain name and make a record there, which is a CNAME for a dyndns provider. That is mainly of interest if your address changes frequently, and your primary DNS provider does not offer automatic updates.

However the disadvantage is that reverse name lookup doesn't work, so you can't find a DNS name when you enter an IPv6 address.

What options you have for setting up reverse DNS depends on your internet provider. Some providers, such as HE, let you point the NS records for reverse lookup wherever you want. Other providers have no such option and will only let you set up reverse DNS through their own interface.

If you can have both forward and reverse records on the same authoritative DNS servers, updating them simultaneously with a single API call may be easy. But you shouldn't insist on them being on the same servers, as that will restrict your options. Depending on which provider you use, it may be easier to simply consider them separately and have each of them updated through whatever means are available.

You are right that ISPs don't think about getting access from the internet to consumer devices. However that attitude will have to change. Consumers will want to access home automation devices from the internet. You're at your office, and before you go home you want to switch on the central heating. Or you want to access surveillance camera's at your house. Or you want to program your TV to record a program. Or, or, or........ After all that is one of the advantages of and ideas behind IPv6.

None of that will get ISPs to change anything about how they handle DNS. Anybody who wants to sell you devices with such features will see that ISPs are not providing the necessary DNS service, and they will provide that feature with the equipment.

I predict one of two models being used

• The device will have a build in dyndns client and will come preconfigured with a domain name. Either a dyndns service hosted by the vendor of the equipment, or a separate dyndns provider, which they are partnering with.
• You won't access the device directly, instead you'll access the vendor's homepage, and the device will communicate with the same webserver to receive commands.

I hope they'll go with the first of the two options, and that they'll let you reconfigure the device to use a different dyndns provider, if you should need/want to.

I do think we should get our own sub-domain within the ISP domain

I don't see much advantage of that compared to having your own domain. With your own domain you can move between ISPs without having to get all your devices renamed.

I can't imagine I'm the first one in the whole world who is thinking about this

I'm sure people have been thinking about it. I just don't think anybody have seen much of a need. Using some variant of mDNS to identify devices within the LAN is being considered, I think that is at the very least considered in some draft standard.

[grunnsat]

It seems the IETF has thought about this matter, and also came to the conclusion that the ISP is the most logical place for the DNS services for the home network devices.

Here are three documents dealing with this:

http://tools.ietf.org/html/draft-mglt-homenet-naming-delegation-00
http://tools.ietf.org/html/draft-mglt-homenet-front-end-naming-delegation-01
http://tools.ietf.org/html/draft-ietf-homenet-arch-06 (paragraph 3.7.3)

[snarked]

No, the ISP doesn't hand out addresses. The ISP hands out an address range to my router.

Same thing.  All this means is that you choose addresses from the range.

[grunnsat]

No, the ISP doesn't hand out addresses. The ISP hands out an address range to my router.

Same thing.  All this means is that you choose addresses from the range.

No, it is not the same thing. If my ISP would hand out the addresses with DHCPv6 or SLAAC with stateless DHCPv6, the DHCP server of my ISP would have the names and addresses of my IPv6 equipment. Since my router is handing out the addresses, my router has the names and addresses, and not my ISP.

[snarked]

If your ISP is handing out a range, they should be delegating that range in DNS for a reverse lookup to you.  Therefore, YOU have control.

[grunnsat]

Nice, but CE routers don't have a DNS server on the WAN side. It seems there is consensus now at the IETF that the CE router has to update the DNS information in the ISP DNS server, and that every client will have his/her own sub-domain in the ISP domain.