Douglas E. Engert | 9 Apr 2002 22:03

Re: direction address type


What we are really trying to do is make sure the credentials are being
used from the correct host. The addresses in the tickets were an attempt
at this.

Well, what could we do if we had DNSSEC? 

What about dynamic DNS? 

The change to add address ranges was meant to facilitate the use of the IP address
in environments where it still made sense. This does not preclude other better methods
to pin down the misuse of a ticket. 

Michael Thomas wrote:
> 
> Nicolas Williams writes:
>  > On Tue, Apr 09, 2002 at 09:41:06AM -0500, Douglas E. Engert wrote:
>  > > For extensions, we should also look at address ranges, or an address mask.
>  > > I see too many situations where one would like to treat a cluster as a
>  > > single machine. The cluster may have 100s of nodes, with multiple interfaces
>  > > per node. But these addresses are always in a sub net, so one or two ranges
>  > > could represent the cluster, rather than hundreds. I understand that
>  > > the current method breaks down with about 50 addresses. So the method
>  > > used today, is to use no addresses.
>  >
>  > I would prefer/like to have a hostname host address type and push the
>  > matter to the name service. Yes, DNS is not secure, no, not many people
>  > use DNSSEC, and so on. But a hostname host address type seems like the
>  > right thing to me and as secure as the name service.
>  >
>  > An address range/mask address type will only be useful in very specific
>  > circumstances.
> 
>    One thing to consider here is that mobility makes you
>    want to steer well clear of using IP addresses as
>    any form of identity. Looking at the larger
>    picture here is probably a good idea.
> 
>                 Mike

-- 

 Douglas E. Engert  <DEEngert <at> anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

