Discussion:
reverse map usage
Michael Richardson
21 years ago
Does this text make sense?

===

<section title="Use of reverse (in-addr.arpa) map">
<t>
Often a security gateway will only have access to the IP address to which
communication is desired. It will not know the forward name. As such, it
will frequently be the case that the IP address will be used as an index into
the reverse map.
</t>

<t>
The lookup is done in the usual fashion as for PTR records. The IP address'
octets (IPv4) or nibbles (IPv6) are reversed and looked up under the .arpa.
zone. Any CNAMEs or DNAMEs found SHOULD be followed.
</t>

<t>
Note: even when the IPsec function is the end-host, often only the application
will know the forward name used. While the case where the application knows
the forward name is common, the user could easily have typed in a literal IP
address. This storage mechanism does not preclude using the forward name
when it is available, but does not require it.
</t>
</section>

] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] ***@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
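The lookup the section describes, as an added example that is not part of the original post or the draft text: the owner name is built by reversing the IPv4 octets under in-addr.arpa or the IPv6 nibbles under ip6.arpa, and any CNAME or DNAME met on the way is followed. The zone contents, the record type names and the hop limit are assumptions constructed for the example.

```python
import ipaddress

def reverse_name(addr):
    """Owner name of `addr` in the reverse map: reversed IPv4 octets under
    in-addr.arpa, or reversed IPv6 nibbles under ip6.arpa (trailing dot kept)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")           # 32 lowercase hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def resolve(name, zone, max_hops=8):
    """Follow CNAME and DNAME indirections from `name`; return the final owner
    name and its non-alias records.  A chain longer than `max_hops` (e.g. a
    CNAME loop) is an error rather than something to keep chasing."""
    for _ in range(max_hops):
        rrs = zone.get(name)
        if rrs is not None:
            aliases = [rd for rt, rd in rrs if rt == "CNAME"]
            if aliases:
                name = aliases[0]                     # restart at the target
                continue
            return name, [rd for rt, rd in rrs if rt != "DNAME"]
        # No exact owner: a DNAME at an ancestor rewrites the matching suffix.
        parent = name
        while "." in parent.rstrip("."):
            parent = parent.split(".", 1)[1]
            dnames = [rd for rt, rd in zone.get(parent, []) if rt == "DNAME"]
            if dnames:
                name = name[: -len(parent)] + dnames[0]
                break
        else:
            return name, []                           # nothing found
    raise RuntimeError("too many CNAME/DNAME hops ending at %s" % name)

def lookup(addr, zone):
    """Index the reverse map by an address literal, as the draft text describes."""
    return resolve(reverse_name(addr), zone)

# Constructed zone data; the record type "KEY" and its rdata are placeholders.
ZONE = {
    "4.3.2.10.in-addr.arpa.": [("CNAME", "4.3.2.10.rev.example.net.")],
    "4.3.2.10.rev.example.net.": [("KEY", "constructed-key-v4")],
    "8.b.d.0.1.0.0.2.ip6.arpa.": [("DNAME", "db8.example.net.")],   # 2001:db8::/32
    "1." + "0." * 23 + "db8.example.net.": [("KEY", "constructed-key-v6")],
    "1.0.0.127.in-addr.arpa.": [("CNAME", "loop.example.")],
    "loop.example.": [("CNAME", "1.0.0.127.in-addr.arpa.")],
}

if __name__ == "__main__":
    print(lookup("10.2.3.4", ZONE))
    print(lookup("2001:db8::1", ZONE))
```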
Jakob Schlyter
21 years ago
Post by Michael Richardson
<section title="Use of reverse (in-addr.arpa) map">
<t>
Often a security gateway will only have access to the IP address to which
communication is desired. It will not know the forward name. As such, it
will frequently be the case that the IP address will be used as an index into
the reverse map.
</t>
what else could be used as an index into the reverse map? if nothing, that
needs rewording I think.


jakob
Michael Richardson
21 years ago
Post by Michael Richardson
Often a security gateway will only have access to the IP address to
which communication is desired. It will not know the forward name. As
such, it will frequently be the case that the IP address will be used
as an index into the reverse map.
Jakob> what else could be used as an index into the reverse map?

1) one could use the IP address to find a PTR and then look for the key
in the forward map. This fails for a number of reasons, but it has been
suggested.

2) one could change the BSD sockets API to take forward names instead of
struct sockaddr_in, and therefore keep the forward name all the way.

3) HIP does something else, which I won't describe here.

Jakob> if nothing, that needs rewording I think.

As for rewording - I'm not sure how else to say it. Can you perhaps
help here?
