[118439] in North American Network Operators' Group


Re: ISP customer assignments

daemon@ATHENA.MIT.EDU (Mark Andrews)
Wed Oct 21 22:39:37 2009

To: "Ricky Beam" <jfbeam@gmail.com>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Wed, 21 Oct 2009 17:37:02 EDT."
	<op.u156b0mztfhldh@rbeam.xactional.com> 
Date: Thu, 22 Oct 2009 13:38:39 +1100
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


In message <op.u156b0mztfhldh@rbeam.xactional.com>, "Ricky Beam" writes:
> On Tue, 20 Oct 2009 19:38:58 -0400, Bill Stewart <nonobvious@gmail.com>  
> wrote:
> > ... If you've got a VPN tunnel device, too often the remote
> > end will want to contact you at some numerical IPv4 address and isn't
> > smart enough to query DNS to get it.
> 
> As I was told by Cisco, that's a security "feature".  Fixed VPN endpoints  
> are supposed to be *fixed* endpoints.  Yes, it is a pain when an address  
> changes, for whatever reason.  But relying on DNS to eventually get the  
> endpoint(s) right is an even bigger mess... how often is the name<->IP  
> updated?

It should be automatically updated by the end point.  We do have
the technology to do that.

> how often do the various DNS servers revalidate those records?  

If you are talking about caching servers then they will honour the
TTL in the records.

> how often do the VPN devices revalidate the names?

At startup.  A well designed VPN protocol will support end point
address mobility.

> what happens when the dns changes while the vpn is still up?

This should be transparent to everything other than the vpn end
points.

> I'll stick with entering IP addresses.
> 
> --Ricky
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
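Added example (an editor's illustration, not part of the thread or of any ISC or Cisco code): a Python sketch of the behaviour described above, an endpoint that keeps its peer's DNS name, re-queries only when the cached record's TTL has run out, and notices when the address has changed so the tunnel can be re-established instead of staying pinned to a stale IPv4 address. The DNS side is simulated so it runs offline: the scripted zone, the TTL values and the name vpn-peer.example.net are all constructed for the example. Whether the VPN software then migrates the security association in place or tears it down and rebuilds it is the protocol's business, which is the "address mobility" point made in the reply.

```python
"""
TTL-honouring re-resolution of a VPN peer name (constructed illustration).

ScriptedZone stands in for the authoritative record, and PeerTracker plays
the role of the caching behaviour a resolver, or the VPN device itself,
would apply: answers are reused until their TTL expires, then re-fetched.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Any callable name -> (address, ttl_seconds).  In a real endpoint this would
# be a DNS query through a library that exposes the record TTL (the stdlib
# socket.getaddrinfo() does not); here the caller injects a stand-in.
Resolver = Callable[[str], Tuple[str, int]]


@dataclass
class CachedAnswer:
    address: str
    expires_at: float  # absolute time in seconds; stale once `now` reaches it


@dataclass
class PeerTracker:
    """Tracks the current address of a named VPN peer, honouring record TTL."""
    name: str
    resolver: Resolver
    min_ttl: int = 30  # floor so a TTL of 0 cannot turn into a query storm
    changes: List[Tuple[str, str]] = field(default_factory=list)  # (old, new)
    _cached: Optional[CachedAnswer] = None

    def current_address(self, now: float) -> str:
        """Return the peer address, re-resolving only when the cached TTL has run out."""
        if self._cached is None or now >= self._cached.expires_at:
            addr, ttl = self.resolver(self.name)
            ipaddress.ip_address(addr)  # refuse to peer with anything that is not an IP literal
            if self._cached is not None and addr != self._cached.address:
                # The record moved while the tunnel was up: the caller should
                # re-establish (or, with a mobility-aware protocol, migrate) the SA.
                self.changes.append((self._cached.address, addr))
            self._cached = CachedAnswer(addr, now + max(ttl, self.min_ttl))
        return self._cached.address


class ScriptedZone:
    """Stand-in for the authoritative zone; the record can be changed mid-run."""

    def __init__(self, address: str, ttl: int):
        self.address, self.ttl = address, ttl
        self.queries = 0  # how many times the endpoint actually went to DNS

    def lookup(self, name: str) -> Tuple[str, int]:
        self.queries += 1
        return self.address, self.ttl


def simulate() -> dict:
    """Walk through a renumbering of the peer while the tunnel is up.

    Constructed scenario: the peer is published with a 300 s TTL and at
    t=100 the operator changes the record.  A TTL-honouring cache keeps
    returning the old address until t=300, then picks up the new one on
    its next query and records the change for the tunnel code to act on.
    """
    zone = ScriptedZone("192.0.2.10", 300)
    peer = PeerTracker("vpn-peer.example.net", zone.lookup)
    observed = []
    for now in (0, 100, 299, 300, 500):
        if now == 100:
            zone.address = "192.0.2.20"  # operator renumbers the remote endpoint
        observed.append((now, peer.current_address(now)))
    return {"observed": observed, "changes": peer.changes, "queries": zone.queries}


if __name__ == "__main__":
    for now, addr in simulate()["observed"]:
        print(f"t={now:>3}s  peer={addr}")
```

The two knobs worth noting are the TTL floor, which keeps a zero-TTL record from turning every packet into a lookup, and the address-literal check, which makes sure a bad answer is rejected before it is handed to the tunnel code as a peer.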

