That icon there is VirtualSquare, a team of developers studying the frontiers of virtuality. I lead the group. The group was created in Bologna, I don't know, 16, 17 years ago, and we have done several, several projects. Our most famous project is VDE, Virtual Distributed Ethernet, which is a virtual Ethernet supported by many virtual machines like KVM, QEMU, VirtualBox, or User Mode Linux. Today I'm talking about, actually, Fully Qualified Domain Name DHCP. We are dealing with the Internet of Threads. So our idea is that it's anachronistic to give IP addresses just to interfaces of machines. Maybe each process in the future can have its own IP address. We need stacks, networking stacks, as libraries. And we need IPv6 because, given that we want to address each process, we need a great number of IP addresses available. Which is the problem with IPv6? From one side, you have to write down 128 bits each time you want to write an address. It means, I think, 32 hexadecimal digits. So it's a procedure very prone to error. Yeah, and the second is that you have to deal with a DNS addressing this kind of nodes. So I think the dream that a maintainer, a sysadmin working with DNS, the dream that this kind of person has is to be able to add a new node just by writing those two lines over there. So I created this seminar in a circular way. First of all, I want to show you which is the goal, the topic of this seminar. And then we are going to see how to achieve that goal. So I want to add to the interfaces.d or interfaces file in /etc/network just those two lines. Here, tap0 is just an example. The interface you want to give an address, and just the name. And everything must be configured in an automagical way. We want this to configure the actual IPv6 address of the machine, the DNS for the direct and the DNS for the reverse resolution. How can it be done? Why?
Because IPv6 adoption is urgent, not only for our Internet of Threads processes or virtual machines, but even for real machines: last late November, RIPE in Europe emitted a warning saying that they ran out of IPv4 nets. The first idea is to use DHCP, so, in IPv6 terminology, stateful autoconfiguration. There is an RFC, RFC 4702, that says that the queries can include a fully qualified domain name, but this fully qualified domain name is usually added in order to update the DNS once the IPv6 address has been calculated by the DHCP server. So the DHCP server is responsible for generating the IPv6 address, and then that fully qualified domain name is used to push the pair name-address to the DNS. We have extended the idea of this field, of this option. When the DHCP server gets a query including a fully qualified domain name, it asks the DNS which is the IP address for that name, and the answer from the DNS is used to give the actual IPv6 address to the node. So you can just give the name, provided that the DNS is able to give an address to that name. The game is completely closed. So we have achieved this result. But there is another point. There is the standard way. This is how Fully Qualified Domain Name DHCP works. The client makes a query, but instead of the DHCP server returning the address, it asks the DNS server for the name resolution. The second row is the same set of actors, but in order not to put too many arrows, they are repeated. So the answer path is from the DNS server: the IP address is forwarded to the client. But this is not enough, because in this way you can give the name of the host, you can use the two lines, but you have to configure your DNS server in order to write your address. So we need a second idea: hash-based IPv6 addresses. So instead of having long and boring tables in the DNS server, we generate the low 64 bits of the IPv6 address as a hash of the name.
So given the prefix of that network, you can just concatenate the prefix and a tail, which is computed as a hash of the name, and you have an IPv6 address. It means that this kind of DNS server, if it has been created for rome.mycorp.org, is able to resolve any name ending in rome.mycorp.org. Maybe the DNS server generates an IP address which belongs to no one. So you have the DNS server which is able to translate anything that ends in .rome.mycorp.org. So the idea is that now we have to say to the DNS server the prefix. We have reduced the complexity of the problem, but still we have to provide the DNS server with the prefix. Actually, the prefix can be computed by the DNS server itself. So let us see step by step how the resolution process is carried out. A client somewhere in the world wants to talk with www.hash.myname.org, and it asks the closest DNS for the resolution. So there is the recursion of the name servers. At the end, the query reaches the DNS server of mydomain.org. There is an error, obviously it was myname.org. The main server, which is a standard BIND server, because there is a delegation, forwards the query to the hashdns server, which asks the DNS server which is the base address, in order to have no configuration at all in the hashdns server, which can handle many sub-domains of myname.org. Now the main DNS server replies with the base address, and actually the complete address is returned to the client. So in this way, I have just to put a line saying which is the base address in the standard DNS server, and everything can be done without further configuration but baptizing your new node, giving it a name. So now we can use the two technologies together. We can have the node asking the DHCP server its address. The DHCP server asks the hashdns the address, and in this way everything converges, and just by giving the name you can have the three goals: the IPv6 address, the DNS forward resolution...
What about the DNS reverse resolution? hashdns keeps a cache of the recently resolved names, and there is a configuration. You can force this cache to store all the resolutions, but in such a case you can have out-of-memory attacks: somebody will want to resolve many, many names that can fill your cache. Or you can, by an option, set the DNS server to store the requests coming from the same net, so the local requests. You can say: if you give the low 64 bits of the IPv6 address by hash, you can have collisions. Yes, that's true in theory, because if you use some statistics, this is an application case of the birthday paradox. So computing the number of possible hashes, if you are dealing with a net of 1,000 nodes, the probability of a hash collision is less than 10 to the minus 14th. So it's quite low. In case it happens, you can just change the name, instead of www, web or something like that, and the probability drops even more. If you have more collisions, it means that you have an attack, and so you need to take some countermeasures. OK, demo scenario. Given that the talk is not so extensive, I decided to give you a virtual demo. So there is the scenario, and there are slides in which you can see the sequence of commands and the expected output. The scenario has been carried out on a VDE network, but, as the picture may make evident, it could be on a real network too. So everything applies to real or virtual networks. In the local data network, we have the hashdns, we have the Fully Qualified Domain Name DHCP server, and I have a client on the same net. And somewhere I have the DNS server, primary for, this is one of our domains, v2.cs.unibo.it. OK, let us follow the slides. Can you see the cursor? It's a bit black, but here, in this part of the slide, I've copied some lines from the BIND 9 delegation. So whatever is hash.v2.cs.unibo.it is delegated to that DNS server named hashdns, which has an IPv4 and an IPv6 address.
The next line, hash.v2.cs.unibo.it.map, without a final dot, so it means that it resolves to hash.v2.cs.unibo.it: it is the base address for that subnetwork. And, for example, I use a CNAME to show that you can... one question that may arise is that the names are related to the local data network. So if you want to give sibling names in different local data networks, you will need to have different base addresses. But you can use CNAMEs. So I have the name related to the physical position of the host, which is the one generated from the hash table, and the short name has a CNAME to the hash-generated name. OK, that's only the delegation. Then I have connected my switch to a switch connected to the Internet. In the real world, this means I've connected one plug to the switch and the other plug to the router. I've started, on one host here on the virtual network, but you can do it in a real network, the hashdns. And which are the arguments of hashdns? This is, now, a proof of concept. This is a proof of concept, a working proof of concept; we are at this time rewriting the code base in a more complete and commented way. But the hashdns is the command connected to the virtual network. This is the name, the suffix, to have the base address. So this is hashdns: if you start it for hash.v2.cs.unibo.it, it searches in the DNS for hash.v2.cs.unibo.it.map. So you have the IPv4 address with the default gateway, the IPv6 address with the default gateway. And that's enough for the hashdns server. No more configuration. Fully Qualified Domain Name DHCP is even simpler, because you can just start the server saying which is the interface of the virtual network it has to run in. So let us try some experiments, virtual experiments. One experiment is to use this infrastructure to give addresses to namespaces, because VDE now has namespaces.
If you just type vdens vde://, vde:// is a kind of URL in which you can use different kinds of technologies. vde:// is the legacy technology of VDE, but you can have vxvde:// or many others, slirp if you want. Now, unfortunately, the DHCP client does not have an option on the command line to, say, send a fully qualified domain name. So the only way is to create a temporary configuration file to save just that option. So I created this temporary configuration file with this command, just a single line of configuration. And then I asked the DHCP client to give an address. And just using this, the whole infrastructure gives to this namespace an IPv6 address and forward and reverse configuration. If you have a KVM machine, that's the command to start a KVM machine connected to VDE; you can just add in the interfaces file the two lines of the first slide. And now I'm sorry for these two lines. It is explained in the next slide, because I've taken, as you can see, a well-known Debian-based image, to show you there is nothing else in the system but that configuration and the files generated by the script. These two files are the scripts to use Fully Qualified Domain Name DHCP in if-up.d and if-down.d, which are general, not related to the specific address of this specific node. So given you add these two files to if-up.d and if-down.d, the rules to apply in order to take an interface up and down, I have fulfilled my promise and the premises. And in this way, I've given the IP address, forward and reverse resolution, in two lines. One more point. I told you for the reverse resolution that there is a cache of the recently resolved names to have the reverse resolution. One may say, but after a while this kind of cache can expire. But given that the DHCP from time to time is renewing the address, the DHCP is also renewing the reverse resolution. So everything seems to be in harmony.
So if you have a question or for further info, you can have a look at our wiki site, where there is the list, the long list, of our projects, or obviously you can contact me by email. Thank you.

Thank you, Renzo. Any questions for Renzo? Andre.

Hi, this is Andre from ISC. So my question is, and I might have missed it, who is the target audience for this? Because it breaks quite a lot of assumptions about IPv6, like privacy, or who configures the IP address. So who is the end user? So who would use your technology? So that's my question.

Maintainers of DNS or designers of DNS that want to add this feature, or maintainers of DNS who are too busy to add useless IPv6 addresses. So these features could be integrated in future DNS servers. Or the community of DNS development can help us to provide a final solution, a final implementation of these ideas in the most effective way.

Dimitri, hold on, we'll give you a mic.

For many highly available servers, it is common to assign multiple IP addresses to multiple hosts which serve the same fully qualified domain name. Since, by definition, you will have the hash collision, how do you resolve that when you want to serve archive.ubuntu.com from many servers which all should have IPv6 addresses?

Good question. Don't you give those machines also IPs per service they run at a given time?

Normally you do, but if you want to use this, then all of them will get assigned the same hash and the same IP, right?

I think we have two different kinds of users. If you have a huge web server supplying, managing hundreds of millions of queries per second, you need that kind of solution, and you have not so many of them, so even writing the address is not a problem. But if you have every switch in your room having an IP address and you want to query that, so you want the address of that, in such a case writing down the 128 bits for each of them is quite a daunting procedure.
I think that the first thing I have said is that we want to give the address to processes. So in such a case, one address is enough.

Okay. One more quick question for Renzo. Let's do... start here. Be quick.

Is encryption something which is also of interest for DNS? Hashing is one thing, but do people want to encrypt their DNS as well? Because once you've hashed it, I was thinking the next step would be to make it so other people can't snoop. Is that not how it works, or is that not an option?

I don't think that's in this scope.

But we're having a couple of talks about it later. Stick around. So, Erwin, last question. And you can do it to solve that.

What about IPv6 privacy extensions in this context?

Actually, this substitutes the privacy extensions, because one problem out there with stateless autoconfiguration is that you give your MAC address. This is just related with the name. So you don't have any problem with your self-generated IPv6 address. Nobody can see it.

Okay. Thank you, Renzo. Thanks to you.
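The hash-based address scheme and the delegated hashdns lookup walked through in the talk (prefix concatenated with a hashed tail, the base address fetched from the parent zone, a cache of resolved names feeding reverse resolution, and the birthday-paradox collision estimate), as an added Python example that is not the VirtualSquare code. The hash function (SHA-256 truncated to 64 bits), the `<suffix>.map` record name, the parent-zone dict and the 2001:db8:1:2::/64 base address are assumptions or constructed sample data; the talk does not specify hashdns's actual hash.

```python
import hashlib
import ipaddress

def name_hash64(fqdn: str) -> int:
    """Low 64 bits of the address, computed from the canonical name.
    Assumption: the talk does not say which hash hashdns uses, so SHA-256
    truncated to 64 bits stands in for it here."""
    canonical = fqdn.lower().rstrip(".")
    return int.from_bytes(hashlib.sha256(canonical.encode()).digest()[:8], "big")

def hash_address(base: str, fqdn: str) -> ipaddress.IPv6Address:
    """Concatenate the /64 base address (the network prefix) with the hashed tail."""
    prefix = int(ipaddress.IPv6Network(base + "/64", strict=False).network_address)
    return ipaddress.IPv6Address(prefix | name_hash64(fqdn))

class HashDNS:
    """Answers for every name under a delegated suffix, as the talk's hashdns does.
    Its only argument is the suffix: the base address is looked up in the parent
    zone under "<suffix>.map" (record name as on the BIND slide; parent_zone is
    a constructed dict standing in for the real DNS query)."""
    def __init__(self, suffix: str, parent_zone: dict):
        self.suffix = suffix.lower().rstrip(".")
        self.base = parent_zone[self.suffix + ".map"]
        self.reverse_cache = {}  # ip6.arpa name -> FQDN, for recently resolved names

    def resolve(self, fqdn: str):
        name = fqdn.lower().rstrip(".")
        if name != self.suffix and not name.endswith("." + self.suffix):
            return None  # outside the delegation: not ours to answer
        addr = hash_address(self.base, name)
        self.reverse_cache[addr.reverse_pointer] = name  # feeds reverse resolution
        return addr

    def reverse(self, addr: ipaddress.IPv6Address):
        """PTR-style lookup: only names seen by resolve() (DHCP renewals refresh them) are known."""
        return self.reverse_cache.get(addr.reverse_pointer)

def collision_probability(nodes: int, bits: int = 64) -> float:
    """Birthday-paradox estimate: pairs of nodes over the 2**bits possible tails."""
    return nodes * (nodes - 1) / 2 / 2 ** bits

if __name__ == "__main__":
    zone = {"hash.myname.org.map": "2001:db8:1:2::"}  # constructed parent-zone record
    dns = HashDNS("hash.myname.org", zone)
    addr = dns.resolve("www.hash.myname.org")
    print(addr, dns.reverse(addr), collision_probability(1000))
```

Renaming a colliding host (www to web, as the talk suggests) simply yields a different tail, which is why the collision check is just a second `resolve` call.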