Re: [Sks-devel] sks-network


From: Eygene Ryabinkin
Subject: Re: [Sks-devel] sks-network
Date: Sun, 22 May 2011 14:16:48 +0400

Sat, May 21, 2011 at 11:15:06PM -0700, Scott Grayban wrote:
> Frankly I don't care if the peering is done via rag-tag rules that
> aren't posted any place, but according to Sebastian others feel the same
> about static IPs and permanent connection and I have the same thoughts
> because peering should be stable and not run with dynamic IPs.... even
> if people here want to call it semi-static it is still dynamic.

Being more or less the last person who asked for dynamic/static IPs, I can
share my experience 'bout them.  Since SKS deals with DNS names and
catches IP changes by itself, there's no problem with dynamic addresses,
as long as their dynamicity time is large compared to the typical
update session time between two peers.  So, my definition of a
semi-static IP is "the one whose typical change interval is larger
than the typical SKS session time, with 'larger' being 10x or
higher".

As for firewalls (and I am running default-deny rules on my
machines, so I am spending much time tuning them for smooth
operation): since most firewalls operate on IP addresses,
dynamicity poses a slight problem.  But if firewalls have the notion
of lookup tables (containing IP addresses or IP ranges) and these
tables can be updated independently of the rulesets, there's no
problem: just create a script to periodically convert the DNS names
from the SKS peer list to the set of IP addresses and reload the
corresponding table.  I have been doing this for some time and have
found no problems yet.  Of course, I am putting some trust in the DNS,
so hijacking will affect me.  But I do realize it ;))

Of course, one's mileage may vary with respect to dynamic IPs.
-- 
rea
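One way to script the peer-list-to-firewall-table refresh the post describes, as an added example that is not from this thread or from the SKS project: it assumes the SKS membership file format of one `host port` entry per line with `#` comments, a pf table named `sks_peers`, and `pfctl -T replace` for the reload; the sample membership text is constructed.

```python
#!/usr/bin/env python3
"""Resolve SKS peers from a membership file into a pf address table."""
import socket
import subprocess
import sys

# Constructed sample in SKS membership-file form ("host port", '#' comments).
SAMPLE_MEMBERSHIP = """\
# constructed peer list, not a real one
keys.example.org 11370
pool.example.net 11370   # trailing comment
"""

def parse_membership(text):
    """Return the peer hostnames from membership-file text, in file order."""
    hosts = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            hosts.append(line.split()[0])
    return hosts

def resolve_hosts(hosts, resolver=None):
    """Map hosts to their A/AAAA addresses.  A failed lookup is logged and
    skipped rather than fatal, so one stale DNS entry cannot abort the refresh."""
    def default(host):
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    resolver = resolver or default
    addrs = set()
    for host in hosts:
        try:
            addrs.update(resolver(host))
        except OSError as exc:  # socket.gaierror is an OSError
            print(f"warning: could not resolve {host}: {exc}", file=sys.stderr)
    return sorted(addrs)

def reload_table(addrs, table="sks_peers", dry_run=True):
    """Build (and, unless dry_run, run) the pfctl command that replaces the
    table's contents.  Refuses an empty address set so a DNS outage does not
    silently wipe the table and cut off every peer at once."""
    if not addrs:
        raise RuntimeError("no peer addresses resolved; keeping previous table")
    cmd = ["pfctl", "-t", table, "-T", "replace"] + addrs
    if not dry_run:
        subprocess.run(cmd, check=True)
    return cmd

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MEMBERSHIP
    print(" ".join(reload_table(resolve_hosts(parse_membership(text)))))
```

Run it from cron with the path to the SKS `membership` file as the argument and `dry_run=False` once the printed command looks right.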
