The increased cost of DNS-less security with IPv6 – a Telco analogy

The Domain Name System (DNS) is arguably the most important internet service in existence today. Without it, the internet would not work as it does today: no email, no web browsing, nada. DNS is what gives a logical "name" to the "internet address" that every device attached to the internet has. Only in the most security-conscious environments, where all forms of DNS attack need to be avoided, do administrators set up collaboration between internet-attached devices using IP addresses alone, forgoing DNS; enterprise VPNs and telco equipment are examples. This practice boils down to hardwiring devices or applications to each other's physical internet location. It buys security at the high cost of maintenance and possibly reduced redundancy (through lack of DNS load balancing).

The predominant internet address "type" today is IPv4 addressing, the usual 4-byte address such as 10.243.14.2. The transition to the newer IPv6 address format is currently underway, or more accurately, the build-up of a parallel internet that uses IPv6 addressing is underway. An IPv6 address is a 16-byte construct, 4 times longer than an IPv4 address.

An IP address is effectively a topological address, or a geographic address in the internet v4 or v6 space. Like a postal address, it is an indicator of location. Making an analogy to fixed-line telecommunications, the IP address is the equivalent of a "geographic" phone number, the old PCM analog type, where each digit or set of digits brings the addressed payload a bit closer to its final destination. In a mobile telecommunications context, the IP address has similarities to a mobile phone's IMSI: the telephone number is actually a logical "name" (albeit in the "phone" numbering scheme) which the telco network looks up in an HLR (the analogue of DNS) to find the IMSI and ultimately the mobile device's position in the mobile network. With digital (including mobile) telephony, phone numbers have become names which some invisible telco-internal DNS maps to some invisible address that routes calls to the physical phone equipment. Before smartphones came along, people had to remember phone numbers. At the best of times, 10-digit phone numbers were at the limit of what people could remember, and then only for one or two special numbers: parents, children, etc. Also, because "geographical" phone numbers stayed in use even after digital switching was introduced, the "local area code" could be ignored, leaving most phone numbers only 7 digits long to remember. Today's smartphones and their contact applications like WhatsApp provide directory services (aka DNS) from people's names to phone numbers. People don't have to remember any phone numbers anymore.

My point is that the cost of not using DNS in security-sensitive installations will increase with IPv6 because of the increase in IP address length and the human factors this brings with it. Nobody would ever be able to remember, let alone type correctly, a phone number of double the length (let alone 4x). An IPv6 address entered incorrectly into some configuration will need disproportionately more effort to recognize as incorrect, because the address has less inherent meaning to the administrator. DNS itself remains just as important as before in any case. Maybe DNSSEC will provide the solution.
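One way to catch the kind of hard-to-spot IPv6 typo described above, as an added example that is not from the original post: a small Python lint for a hypothetical DNS-less peer configuration that canonicalizes each hand-typed literal (RFC 5952), rejects malformed ones, and flags addresses that fall outside an invented allowlist of owned prefixes or that look like a hextet transposition of another entry. The configuration format, peer names and prefix are assumptions.

```python
import ipaddress

# Constructed sample of a DNS-less configuration that pins peers to IPv6
# literals. It carries the mistakes the text warns about: a malformed literal,
# a transposed hextet pair, and an address outside the blocks this site owns.
SAMPLE_CONFIG = """\
peer core-gw-1   2001:db8:1:10::1
peer core-gw-2   2001:db8:10:1::1
peer backup-gw   2001:db9:1:10::1
peer lab-host    2001:db8:1:10:::cafe
peer lab-host-2  2001:0db8:0001:0010:0000:0000:0000:CAFE
"""

# Hypothetical allowlist: the only blocks a hand-typed address may fall into.
OWNED_PREFIXES = [ipaddress.ip_network("2001:db8:1::/48")]

def parse_peers(text):
    """Return [(name, literal)] for every 'peer <name> <address>' line."""
    peers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "peer":
            peers.append((parts[1], parts[2]))
    return peers

def hextets(addr):
    """Sorted 16-bit groups of the fully expanded address (order-insensitive)."""
    return sorted(addr.exploded.split(":"))

def lint_peers(text, owned=OWNED_PREFIXES):
    """Return [(name, canonical_or_literal, issue)] for each suspect entry."""
    findings, seen = [], []
    for name, literal in parse_peers(text):
        try:
            addr = ipaddress.IPv6Address(literal)
        except ValueError:
            findings.append((name, literal, "not a valid IPv6 literal"))
            continue
        canon = str(addr)  # RFC 5952 compressed, lowercase form
        if not any(addr in net for net in owned):
            findings.append((name, canon, "outside owned prefixes"))
        for other_name, other in seen:
            if other == addr:
                findings.append((name, canon, f"duplicate of {other_name}"))
            elif hextets(other) == hextets(addr):
                findings.append((name, canon, f"hextets of {other_name} reordered"))
        seen.append((name, addr))
    return findings
```

Running `lint_peers(SAMPLE_CONFIG)` reports core-gw-2 twice (outside the prefix and a reordering of core-gw-1), backup-gw once, and lab-host as unparseable, while the upper-case expanded lab-host-2 entry passes because it canonicalizes to an owned address.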
