Dual Stack Lite is an architecture that allows IPv4 services to be provided in an IPv6 network, despite a limited number of available IPv4 addresses. Work on DS-Lite was conducted within the Softwires working group in the IETF, and began in late 2008. After many revisions it was recently published as RFC 6333, with its companion RFC 6334 dedicated to automated configuration. Both authors of RFC 6334, David Hankins and Tomasz Mrugalski, worked or are currently working for ISC.
In a typical environment, the Internet Service Provider (ISP) usually deploys Customer Premises Equipment (CPE), a small home gateway that performs Network Address Translation (NAT), so the customer can connect several devices, e.g. a desktop computer, a laptop, and a WiFi access point. This approach is very convenient, but has the significant drawback of requiring one IPv4 address for each customer. Due to the shortage of IPv4 addresses, that approach is very problematic for many operators, especially the bigger ones.
The DS-Lite architecture, however, differs from the classical IPv4 deployment model. Due to exhaustion of IPv4 address space, nowadays it is impossible to obtain new IPv4 addresses. To share one address between several customers, NAT had to be moved to a different location. Instead of translating packets on the ISP network border, NAT was moved deeper into the ISP network. IPv6 is used as a transport layer between the CPE and NAT. In DS-Lite nomenclature, a CPE performing IPv4 to IPv4-over-IPv6 encapsulation is called the Basic Bridging BroadBand (B4) element. The carrier-grade NAT element located deep within the ISP network is called the Address Family Transition Router (AFTR).
To leverage such an architecture, the B4 element has to learn the address of an AFTR that will serve as a tunnel termination point. Manual configuration is not feasible in most cases, therefore an automated method was defined. The best way to deliver the necessary information to the B4 is using DHCPv6. RFC 6334 defined a new option called AFTR_NAME that conveys the fully qualified domain name (FQDN) of an AFTR. The ability to convey a name rather than simply an address offers several benefits. The most desirable is to allow network operators to use a name that resolves to a different address for different clients, thus providing load balancing.
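The AFTR_NAME option described above, as an added example (not ISC's code): a B4-side encoder and strict decoder that treats the option as untrusted input. The option code 64 and the uncompressed DNS-label encoding with a terminating zero-length label are taken from RFC 6334 rather than from this post; the function names and the sample name `aftr.example.com` are constructed for illustration.

```python
import struct

OPTION_AFTR_NAME = 64  # option code from RFC 6334 (not stated in this post)


def encode_aftr_name(fqdn: str) -> bytes:
    """Build the option: 16-bit code, 16-bit length, uncompressed DNS labels."""
    name = b""
    for label in fqdn.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label must be 1..63 octets")
        name += bytes([len(raw)]) + raw
    name += b"\x00"  # terminating zero-length (root) label
    if len(name) > 255:
        raise ValueError("encoded name exceeds 255 octets")
    return struct.pack("!HH", OPTION_AFTR_NAME, len(name)) + name


def decode_aftr_name(option: bytes) -> str:
    """Return the FQDN; raise ValueError so the caller ignores a bad option."""
    if len(option) < 4:
        raise ValueError("truncated option header")
    code, length = struct.unpack("!HH", option[:4])
    data = option[4:]
    if code != OPTION_AFTR_NAME:
        raise ValueError("not an AFTR-Name option")
    if length != len(data) or length > 255:
        raise ValueError("option length does not match payload")
    labels, pos = [], 0
    while True:
        if pos >= len(data):
            raise ValueError("missing terminating root label")
        n = data[pos]
        pos += 1
        if n == 0:
            break
        if n > 63:  # high bits set: DNS compression pointer, not allowed here
            raise ValueError("compressed or oversized label")
        if pos + n > len(data):
            raise ValueError("label runs past end of option")
        text = data[pos:pos + n].decode("ascii")
        if not all(c.isalnum() or c == "-" for c in text):
            raise ValueError("label contains non-hostname characters")
        labels.append(text)
        pos += n
    if pos != len(data) or not labels:
        raise ValueError("trailing bytes after name, or empty name")
    return ".".join(labels) + "."
```

Rejecting the option outright on any malformed field keeps a spoofed or corrupted DHCPv6 reply from steering the B4's tunnel to an unintended endpoint name.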
ISC is actively supporting deployment of IPv6 in general. In particular, it is involved in many transition technologies; Dual Stack Lite is one such technology. ISC DHCP already allows configuration of this option using a custom option. Dedicated support is planned for ISC DHCP 4.3.
ISC provides an open source reference implementation of AFTR, as well as instructions for configuring a home gateway as B4. Our engineers are also involved in protocol and implementation development of an associated technology called Port Control Protocol (PCP).