HashDNS and FQDNDHCP

Formal Metadata

Title: HashDNS and FQDNDHCP
Subtitle: IPv6 DNS configuration made easy
Number of Parts: 490
License: CC Attribution 2.0 Belgium: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Transcript: English(auto-generated)
That icon over there is VirtualSquare. It's a team of developers studying the frontiers of virtuality. I lead the group. The group was created in Bologna, I don't know, 16, 17 years ago.
We have done several projects. Our most famous project is VDE, Virtual Distributed Ethernet, which is a virtual Ethernet supported by many virtual machines like KVM, QEMU, VirtualBox, or User-mode Linux.
Today I'm talking about HashDNS and Fully Qualified Domain Name DHCP. We are dealing with Internet of Threads, so our idea is that it's anachronistic to give IP addresses just to interfaces of machines.
Maybe each process in the future can have its own IP address. We need networking stacks as libraries, and we need IPv6, because given that we
want to address each process, we need a great number of IP addresses available. What is the problem with IPv6?
On one side, you have to write down 128 bits each time you want to write an address. It means, I think, 32 hexadecimal digits. So it's a procedure very prone to error.
The second is that you have to deal with a DNS addressing this kind of nodes. So I think the dream that a maintainer working with DNS has
is to be able to add a new node just by writing those two lines over there.
So I created this seminar in a circular way. First of all, I want to show you what is the goal of the topic of this seminar. And then we are going to see how to achieve that goal. So, I want to add to the interfaces.d or interfaces file in /etc/network just those two lines.
eth0 here is just an example, the interface that you want to give an address. And just the name.
And everything must be configured in an auto-magical way. We want this to configure the actual IPv6 address of the machine, the DNS for the direct and the DNS for the reverse resolution.
How can it be done? Why? Because IPv6 adoption is huge. Not only for our Internet of Threads processes or virtual machines, but even for real machines. Last late November, RIPE in Europe
issued a warning saying that they ran out of IPv4 nets. The first idea is to use DHCP.
So, in IPv6 terminology, stateful autoconfiguration. There is RFC 4702 that says that the queries can include a fully qualified domain name.
But this fully qualified domain name is usually added in order to update the DNS once the IPv6 has been calculated by the DHCP server. So, the DHCP is responsible for generating the IPv6 address.
And then that fully qualified domain name is used to push the pair name address to the DNS. We have extended the idea of this field, of this option.
When the DHCP server gets a query, including a fully qualified domain name, it asks the DNS which is the IP address for that name.
And the answer from the DNS is used to give the actual IPv6 address to the node. So, you can just give the name and provided the DNS is able to give an address to that name,
the game is completely closed. So, we have achieved this result. But there is another point. There is the standard way. This is how fully qualified domain name DHCP works.
The client makes a query, but instead of the DHCP returning the address, it asks the DNS server for the name resolution.
The second row is the same set of actors, but in order not to put many errors, they are repeated. So, the answer path is from the DNS server, the IP address that is forwarded to the client.
But this is not enough, because in this way you can give the name of the host, you can use the two lines, but you have to configure your DNS server in order to write your address. So, we need a second idea. Hash-based IPv6 addresses.
So, instead of having long and boring tables in the DNS server, we generate the low 64 bits of the IPv6 address as a hash of the name.
So, given the prefix of that network, you can just catenate the prefix and a tail which is computed as a hash out of the name,
and you have an IPv6 address. It means that this kind of DNS server, if it has been created for rome-micorp.org, is able to resolve any name ending in rome-micorp.org.
Maybe the DNS server generates an IP address which belongs to no one.
So, you have the DNS server which is able to translate anything that ends in .rome-micorp.org. So, the idea is that now we have to say to the DNS server the prefix.
We have reduced the complexity of the problem, but still we have to provide the DNS server with the prefix.
Actually, the prefix can be computed by the DNS server itself. So, let us see step-by-step how the process, the resolution process, is carried out. A client somewhere in the world wants to talk with www.hash.myname.org,
and it asks the closest DNS for the resolution. So, there is the recursion of the name servers. At the end, the query reaches the DNS server of mydomain.org.
There is an error. Obviously, it was myname.org. The main server, which is a standard BIND server, because there is a delegation,
forwards the query to the HashDNS server, which asks the DNS server for the base address, in order to have no configuration at all in the HashDNS server, which can handle many subdomains of myname.org.
Now, the main DNS server replies with the base address. HashDNS computes the complete address that is returned to the client.
Okay. So, in this way, I just have to put a line saying which is the base address in the standard DNS server, and everything can be done without further configuration,
but baptize your new node. Give it a name. So, now we can use the two technologies together. We can have the node asking the DHCP server for its address.
The DHCP server asks HashDNS for the address, and in this way, everything converges, and just by giving the name, you can have the three goals.
The IPv6 address, DNS forward resolution. What about DNS reverse resolution? HashDNS keeps a cache of the recently resolved names,
and there is a configuration. You can force this cache to store all the resolutions, but in such a case, you can have out-of-memory attacks. Somebody who can resolve many, many names can fill in your cache,
or by an option you can set the DNS server to store just the requests coming from the same net, so the local requests. You can say: if you give the low 64 bits of the IPv6 address by hash,
you can have collisions. Yes, that's true in theory, because if you use some statistics, there is an application case of the birthday paradox.
So, computing the number of possible hashes, if you are dealing with a network of 1,000 nodes, the probability of a hash collision is less than 10 to the minus 14th.
So, it's quite low. In case it happens, you can just change the name, instead of www, web, or something like that, and the probability drops even more. If you have more collisions,
it means that you have better luck, and so you need to take some countermeasure about luck. Okay, demo scenario. Given that the talk is not so extensive,
I decided to give you a virtual demo. So, there is the scenario, and there are slides in which you can see the sequence of commands and expected output.
This scenario has been carried out on a VDE network, but as the picture may make evident, it could be on a real network too.
So, everything applies to real or virtual networks. In the local area network, we have HashDNS, we have the fully qualified domain name DHCP server, and I'm a client on the same net.
Okay, and somewhere I have a DNS server primary for v2.cs.unibo.it, this is one of our domains. Okay, let us follow the slides.
Can you see the cursor? It's a bit black, but here in this part of the slide, I've copied some lines from the BIND delegation. So, whatever is under hash.v2.cs.unibo.it
is delegated to that DNS server named hashdns, which has an IPv4 and an IPv6 address. The next line, hash.v2.cs.unibo.it.map,
without a final dot, so it means that it resolves to hash.v2.cs.unibo.it.map.v2.cs.unibo.it, is the base address for that subnetwork.
And for example, I use a CNAME to show that you can... One question that may arise is that the names are related to the local area network. So, if you want to give sibling names in different local area networks,
you will need to have different base addresses. But you can use CNAMEs. So, I have the name related to the physical position of the host,
which is the one generated from the hash table, and the name, the short name, as a CNAME to the hash-generated name. Okay, that's only the delegation.
Then, I have connected my switch to a switch connected to the internet. In the real world, this means I've connected one plug to the switch and the other plug to the router. I've started on one host here on the virtual network,
but you can do it in a real network. I've started HashDNS. These are the arguments of HashDNS. Now, this is a proof of concept, a working proof of concept. We are at this time rewriting the code base in a more complete and documented way.
But HashDNS is the command connected to the virtual network. This is the name, the suffix, to have the base address.
So, this HashDNS does a query for a cache which, blah, blah, blah. It searches in the DNS hash.v2.cs.unibo.it.map.v2.cs.unibo.it.
So, you have the IPv4 address with the default gateway, IPv6 address with the default gateway. And that's enough for the HashDNS server, no more configuration. Fully qualified domain name DHCP is even simpler,
because you can just start the server saying, which is the interface of the virtual network it has to run in. So, let us try some experiments, virtual experiments.
One experiment is to use this infrastructure to give addresses to namespaces, because VDE now has namespaces. If you just type vdens vde://... vde:// is a kind of URL in which you can use different kinds of technologies.
vde:// is the legacy technology of VDE, but you can have vxvde or many others there if you want.
Now, unfortunately, the DHCP client does not have an option on the command line to say send a fully qualified domain name. So, the only way is to create a temporary configuration file
to say just that option. So, I created this temporary configuration file with this command, just a single line of configuration. And then I asked the DHCP client to give an address.
And just using this, the whole infrastructure gives this namespace an IPv6 address, and a forward and reverse configuration. If you have a KVM machine, that's the command to start a KVM machine connected to VDE,
you can just add in the interfaces file the two lines of the first slide.
And now, I'm sorry for these two lines. It is explained in the next slide because I've taken, as you can see, Phoenix saw a city-based well-known image.
So, to show you, there is nothing else in the system but that configuration and the files generated by the script. These two files are the scripts to use fully qualified domain name DHCP
in if-up, if-down, which are general, not related to this specific address, this specific node. So, given you add these two files to if-up, if-down,
the rules to apply in order to take an interface up and down, and I have fulfilled my promise and the premises, and in this way, I've given the IP address for the reverse resolution in two lines.
One more point, I told you for the reverse resolution that there is a cache of the recently resolved names to have the reverse resolution.
One may say, but after a while, this kind of cache can expire. But given that DHCP from time to time is renewing the address,
DHCP is also renewing the reverse resolution. So, everything seems to be in harmony. So, if you have questions or for further info, you can have a look at our Wiki site where there is the long list of our projects,
or obviously you can contact me by email. Thank you. Thank you, Renzo. Any questions for Renzo? Andrei.
Hi, this is Andrei from ISC. So, my question is, and I might have missed it, who is the target audience for this because it breaks quite a lot of assumptions about IPv6, like privacy or who configures the IP address. So, who is the end user? So, who would use your technology?
So, that's my question. Maintainers of DNS or designers of DNS that want to add this feature, or maintainers of DNS who are too busy to add useless IPv6 addresses.
So, these features could be integrated in future DNS servers. Or, the community of DNS development can help us to provide a final solution, a final implementation of these ideas in the most effective way.
Dimitri, hold on, I'll give you a mic. For many highly available servers, it is common to assign multiple IP addresses to multiple hosts
which serve the same fully qualified domain name, such that by definition you will have the hash collision. How do you resolve that when you want to serve archive.ubuntu.com from many servers which all should have IPv6 addresses?
Good question. Don't you give those machines also IPs per service they run at a given time? Normally you do, but if you want to use this, then all of them will get assigned the same hash and the same IP, right? I think we have two different kinds of users.
If you have a huge web server supplying, managing hundreds, millions of queries per second, you need that kind of solutions and you have not so many of them. So even writing the address is not a problem.
But if you have every switch in your room having an IP address and you want to query that, so you want the address of that, in such a case of writing down 128 bits for each of them is quite daunting procedure.
I think that the first idea said that we want to give the address to processes. So in such a case, one address is enough. One more quick question for Renzo.
Let's start here. Be quick. Is encryption something which is also of interest for DNS? Hashing is one thing, but do people want to encrypt their DNS as well? Once you've hashed it, then I was thinking the next step would be to make it so other people can't snoop.
Is that not how it works or is that not an option? I don't think that's in this scope. But we're having a couple of talks about it later. Stick around. Erwin, last question.
What about IPv6 privacy extensions in this context? Actually this substitutes the privacy extension, because one problem of the IPv6 stateless configuration is that you give your MAC address. This is just related with the name, so you don't have any problem with your self-generated IPv6 address.
Nobody can see it. OK. Thank you, Renzo. Thanks to you. Thank you.
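Added worked example (editor's illustration, not code from the talk or from the VirtualSquare HashDNS/FQDNDHCP project): the address scheme the talk describes, the HashDNS resolution step with the base address taken from the standard DNS, the FQDNDHCP hand-off where the DHCP server asks the DNS instead of choosing an address itself, the bounded reverse-resolution cache raised in the memory-exhaustion remark, and the birthday-paradox estimate quoted for 1,000 nodes. The hash function (SHA-256 truncated to 64 bits), the lowercase canonicalisation of the name, the zone name hash.example.org and the prefix 2001:db8:42::/64 are assumptions of this example; the talk does not say which hash the real HashDNS uses.

```python
"""Hash-based IPv6 addressing as described in the talk: the low 64 bits of a
node's address are a hash of its name, and a HashDNS server that knows the
/64 base address of a delegated zone can answer for any name under it.

Editor's illustration, not the HashDNS/FQDNDHCP code. Assumptions (not from
the talk): SHA-256 truncated to 64 bits as the hash, lowercase canonical
names, and the example zone/prefix values used at the bottom.
"""
import hashlib
import ipaddress
import math


def hashed_iid(fqdn: str) -> int:
    """Interface identifier (low 64 bits) derived from the name.

    Assumption: SHA-256 of the canonical (lowercase, no trailing dot) FQDN,
    truncated to its first 8 bytes. The real project may use another hash.
    """
    canonical = fqdn.lower().rstrip(".").encode("utf-8")
    return int.from_bytes(hashlib.sha256(canonical).digest()[:8], "big")


def hash_address(base_prefix: str, fqdn: str) -> ipaddress.IPv6Address:
    """Concatenate the zone's /64 base prefix with the hashed 64-bit tail."""
    net = ipaddress.IPv6Network(base_prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("hash-based addressing needs a /64 base prefix")
    return ipaddress.IPv6Address(int(net.network_address) | hashed_iid(fqdn))


class HashDNS:
    """Toy resolver: one base prefix per delegated suffix, plus a reverse cache.

    `base_prefixes` stands in for the base-address record the talk places in
    the standard DNS server; only names under a delegated suffix are answered.
    """

    def __init__(self, base_prefixes: dict, cache_limit: int = 1024):
        self.base = {k.lower().rstrip("."): v for k, v in base_prefixes.items()}
        self.reverse = {}               # address -> name, answers PTR queries
        self.cache_limit = cache_limit  # an unbounded cache is a memory-
                                        # exhaustion target, as the talk notes

    def resolve(self, fqdn: str):
        name = fqdn.lower().rstrip(".")
        # Longest delegated suffix wins, so nested delegations behave.
        for suffix in sorted(self.base, key=len, reverse=True):
            if name.endswith("." + suffix):
                addr = hash_address(self.base[suffix], name)
                if addr in self.reverse or len(self.reverse) < self.cache_limit:
                    self.reverse[addr] = name   # remember it for reverse lookup
                return addr
        return None                     # not ours: the normal DNS path handles it

    def reverse_lookup(self, addr):
        return self.reverse.get(ipaddress.IPv6Address(addr))


def fqdndhcp_lease(dns: HashDNS, client_fqdn: str):
    """FQDNDHCP flow: the DHCP server does not pick the address itself; it
    asks the DNS for the name the client sent and hands that address back."""
    return dns.resolve(client_fqdn)


def collision_probability(nodes: int, bits: int = 64) -> float:
    """Birthday-bound upper estimate: C(n, 2) candidate pairs over 2^bits values."""
    return math.comb(nodes, 2) / 2 ** bits


if __name__ == "__main__":
    # Constructed example: the standard DNS delegates hash.example.org to
    # HashDNS and publishes 2001:db8:42::/64 as its base address.
    dns = HashDNS({"hash.example.org": "2001:db8:42::/64"})
    addr = fqdndhcp_lease(dns, "www.hash.example.org")
    print("www.hash.example.org ->", addr)
    print("reverse:", dns.reverse_lookup(addr))
    print("P(collision, 1000 honest names) <=", collision_probability(1000))
```

For 1,000 names the bound evaluates to about 2.7e-14, the same order of magnitude as the figure quoted in the talk. That estimate assumes names chosen without malice: with a 64-bit truncated hash, someone who is free to register names can search for two that share an interface identifier in roughly 2^32 hash evaluations, while forcing a collision with one specific existing node still costs about 2^64. A deployment that lets untrusted parties pick names should treat the collision rate as an adversarial quantity, not a statistical one.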