
Giving every IPv6 address a name - Sami_Lehtinen
https://has-a.name
======
robbya
This is cool, but keep in mind that the operator can also get SSL certs for
your site (they just point the domain somewhere else and use Lets Encrypt or
similar to get a certificate). So from a security perspective, you are putting
a ton of trust if you use this for anything real.

~~~
gregmac
Also don't use for anything real, because you should not be teaching users
that [https://1234-5678-9adc-def0-1234-5678-9abc-def0.has-a.name](https://1234-5678-9adc-def0-1234-5678-9abc-def0.has-a.name)
is the proper, trusted domain for your service. Because it was supposed to be
[https://1234-5678-9abc-def0-1234-5678-9abc-def0.has-a.name](https://1234-5678-9abc-def0-1234-5678-9abc-def0.has-a.name)
and I just tricked _you_.

~~~
jandrese
The fundamental problem with this whole scheme is that it is still just trying
to memorize the entire IP address. The point of a name is to make it something
that feels natural for actual people.

Maybe it would make more sense to choose the 65,536 most common English words
(or whatever language you want) and break the address up into 8 words to form
a crazy looking phrase. This is still difficult to memorize but not as bad as
just stuffing 128 bits of hex down your throat. You could even allow for
collapsing 0s by making entry 0 be "and" and adding a bit of logic that does
the collapse.

For fun I wrote a tiny script that does this and tried it with their example
domain:

1234:5678:9abc:def0:1234:5678:9abc:def0 -> balcony gaining pawn toothill balcony gaining pawn toothill

Or Google's address from that page:

2a00:1450:4009:811::200e -> chinker bauchle dorter amor and bromidic

So maybe this wasn't the best idea, but at least they're a bit more amusing
than the hex noise in the article.

Anyway, if anybody else wants to play around with it I have a tiny demo:
[http://jubei.ceyah.org/cgi-bin/ipv6toenglish](http://jubei.ceyah.org/cgi-bin/ipv6toenglish)
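The word-phrase idea in the comment above, as an added example that is not jandrese's script or the demo linked from it. Since a real 65,536-word English list cannot be embedded here, the vocabulary is swapped for the proquint alphabet (16 consonants and 4 vowels in a consonant-vowel-consonant-vowel-consonant pattern, which gives exactly 16 x 4 x 16 x 4 x 16 = 65,536 pronounceable five-letter words, one per 16-bit group). The "and" word stands for the collapsed `::` run, chosen the way RFC 5952 picks it (the leftmost longest run of two or more zero groups), and the decoder rejects phrases that do not map back to a single address.

```python
import ipaddress

# Added example, not jandrese's script. The 65,536-word vocabulary is the
# proquint alphabet (c-v-c-v-c over 16 consonants and 4 vowels); a real
# English word list would be substituted here. 'and' is the collapsed '::'.
CONSONANTS = "bdfghjklmnprstvz"
VOWELS = "aiou"
ZERO_RUN = "and"
_PATTERN = ((CONSONANTS, 4), (VOWELS, 2), (CONSONANTS, 4), (VOWELS, 2), (CONSONANTS, 4))


def group_to_word(g: int) -> str:
    """16-bit group -> five-letter word (0 -> 'babab', 0xffff -> 'zuzuz')."""
    if not 0 <= g <= 0xFFFF:
        raise ValueError("group out of range")
    out, shift = [], 16
    for alphabet, bits in _PATTERN:
        shift -= bits
        out.append(alphabet[(g >> shift) & ((1 << bits) - 1)])
    return "".join(out)


def word_to_group(word: str) -> int:
    """Inverse of group_to_word; raises on letters outside the alphabet."""
    if len(word) != 5:
        raise ValueError(f"bad word {word!r}")
    g = 0
    for ch, (alphabet, bits) in zip(word, _PATTERN):
        idx = alphabet.find(ch)
        if idx < 0:
            raise ValueError(f"bad word {word!r}")
        g = (g << bits) | idx
    return g


def _longest_zero_run(groups):
    """Leftmost longest run of zero groups (RFC 5952 rule); runs shorter
    than two groups are not collapsed."""
    best, i = (-1, 0), 0
    while i < len(groups):
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < len(groups) and groups[j] == 0:
            j += 1
        if j - i > best[1]:
            best = (i, j - i)
        i = j
    return best if best[1] >= 2 else (-1, 0)


def address_to_words(addr: str) -> str:
    """Encode an IPv6 address as up to eight words with '::' as 'and'."""
    groups = [int(g, 16) for g in ipaddress.IPv6Address(addr).exploded.split(":")]
    words = [group_to_word(g) for g in groups]
    start, length = _longest_zero_run(groups)
    if length:
        words[start:start + length] = [ZERO_RUN]
    return " ".join(words)


def words_to_address(phrase: str) -> ipaddress.IPv6Address:
    """Decode a phrase; rejects two 'and's or a wrong word count."""
    words = phrase.lower().split()
    if words.count(ZERO_RUN) > 1:
        raise ValueError(f"only one {ZERO_RUN!r} allowed")
    if ZERO_RUN in words:
        k = words.index(ZERO_RUN)
        pad = 8 - (len(words) - 1)
        if pad < 1:
            raise ValueError("too many words for an IPv6 address")
        groups = ([word_to_group(w) for w in words[:k]] + [0] * pad
                  + [word_to_group(w) for w in words[k + 1:]])
    else:
        if len(words) != 8:
            raise ValueError("need exactly eight words without 'and'")
        groups = [word_to_group(w) for w in words]
    return ipaddress.IPv6Address(":".join(f"{g:x}" for g in groups))


if __name__ == "__main__":
    for a in ("1234:5678:9abc:def0:1234:5678:9abc:def0", "2a00:1450:4009:811::200e", "::1"):
        phrase = address_to_words(a)
        print(a, "->", phrase, "->", words_to_address(phrase))
```

Because every word is exactly five letters and "and" is three, the zero marker can never collide with a group word, and a single mistyped letter is caught by the decoder instead of silently becoming a different address.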

~~~
dheera
One of the biggest things that keeps me using IPv4 is that I can memorize all
the IPv4 addresses for most of my servers. That alone is a huge mental hurdle.

~~~
treysis
That just proves you haven't understood IPv6 yet. ULA addresses make it much
easier, e.g. fd00::1 or fd00:2 (though this is bad practice, should be
fdxy:zvwx:xyzw, xyvwz being random).

------
Tho85
Nice! I run a similar service at [https://ip6.name/](https://ip6.name/). The
service also supports empty groups, e.g. 2001.db8.8000.x.1.ip6.name resolves
to 2001:db8:8000::1, as well as 2001.db8.8000.0.0.0.0.1.ip6.name.

A neat one is x.ip6.name, which resolves to ::, e.g. localhost...
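Both label formats described in the thread, as an added example that is not has-a.name's or ip6.name's own code: the dashed eight-group form (has-a.name) and the dotted form with a single `x` standing for the `::` run (ip6.name). The last function is the check a client can do for itself about the trust point raised at the top of the thread: a name from either service tells you exactly which address it is supposed to resolve to, so a resolver answer that says anything else (because the operator changed the mapping, or a lookalike label such as `9adc` for `9abc` was handed to you) can be rejected. The resolver answers in the demo are constructed.

```python
import ipaddress
import re

# Added example, not has-a.name's or ip6.name's own code. The suffixes and
# label formats are the ones the thread describes.
HAS_A_NAME = ".has-a.name"
IP6_NAME = ".ip6.name"


def _label(name: str, suffix: str) -> str:
    name = name.lower().rstrip(".")
    if not name.endswith(suffix):
        raise ValueError(f"{name!r} is not under {suffix}")
    return name[: -len(suffix)]


def address_to_has_a_name(addr: str) -> str:
    """1234:5678:9abc:def0:1234:5678:9abc:def0 -> dashed, fully expanded label."""
    return ipaddress.IPv6Address(addr).exploded.replace(":", "-") + HAS_A_NAME


def has_a_name_to_address(name: str) -> ipaddress.IPv6Address:
    """Parse the has-a.name form: eight hex groups separated by dashes."""
    label = _label(name, HAS_A_NAME)
    if not re.fullmatch(r"[0-9a-f]{1,4}(-[0-9a-f]{1,4}){7}", label):
        raise ValueError(f"not an IPv6 label: {label!r}")
    return ipaddress.IPv6Address(label.replace("-", ":"))


def ip6_name_to_address(name: str) -> ipaddress.IPv6Address:
    """Parse the ip6.name form: dots between groups, one 'x' for the '::'
    run. 2001.db8.8000.x.1 -> 2001:db8:8000::1, x alone -> ::"""
    groups = _label(name, IP6_NAME).split(".")
    if groups.count("x") > 1:
        raise ValueError("at most one 'x' (the :: run) is allowed")
    for g in groups:
        if g != "x" and not re.fullmatch(r"[0-9a-f]{1,4}", g):
            raise ValueError(f"bad group {g!r}")
    text = ":".join("" if g == "x" else g for g in groups)
    if groups[0] == "x":
        text = ":" + text          # leading run: ':1' -> '::1'
    if groups[-1] == "x":
        text = text + ":"          # trailing run: '2001:' -> '2001::'
    return ipaddress.IPv6Address(text)   # also rejects a wrong group count


def expected_address(name: str) -> ipaddress.IPv6Address:
    """The address a name from either service must resolve to."""
    n = name.lower().rstrip(".")
    if n.endswith(HAS_A_NAME):
        return has_a_name_to_address(n)
    if n.endswith(IP6_NAME):
        return ip6_name_to_address(n)
    raise ValueError(f"{name!r} is not a name from either service")


def answer_is_consistent(name: str, aaaa_answers) -> bool:
    """True only if every AAAA record returned equals the address the label
    encodes. An answer pointing somewhere else (a proxy, say) fails, so the
    client no longer has to trust the operator's zone."""
    want = expected_address(name)
    answers = [ipaddress.IPv6Address(a) for a in aaaa_answers]
    return bool(answers) and all(a == want for a in answers)


if __name__ == "__main__":
    name = address_to_has_a_name("1234:5678:9abc:def0:1234:5678:9abc:def0")
    print(name)
    # Constructed resolver answers: an honest one and a redirected one.
    print(answer_is_consistent(name, ["1234:5678:9abc:def0:1234:5678:9abc:def0"]))
    print(answer_is_consistent(name, ["2001:db8::beef"]))
    print(ip6_name_to_address("2001.db8.8000.x.1.ip6.name"), ip6_name_to_address("x.ip6.name"))
```

The consistency check only covers DNS answers; it does nothing about the certificate side, where whoever controls the zone can still obtain a certificate for the name.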

------
nabla9
Why do you need this? You can get SSL certificates for IP addresses. Anything
that is a 'common name'.

[https://1234:5678:9abc:def0:1234:5678:9abc:def0](https://1234:5678:9abc:def0:1234:5678:9abc:def0)
should work just as well as [https://1234-5678-9abc-def0-1234-5678-9abc-def0.has-a.name](https://1234-5678-9abc-def0-1234-5678-9abc-def0.has-a.name).

Right?

~~~
michaelt
Letsencrypt won't issue certificates to IP addresses - but will to domain
names (including those assigned by dynamic DNS providers, but most dynamic DNS
providers need manual sign-up with username and password)

Of course, has-a.name will be rate-limited to 50 certificates a week by
Letsencrypt until they get themselves onto the public suffix list. And whether
it's a good idea to bypass LE's no-certs-for-ip-addresses policy is another
matter...

~~~
victorheld
Couldn't they just get a wildcard cert for "*.has-a.name"?

~~~
cortesoft
And give it to everyone?

~~~
VWWHFSfQ
not sure what you mean by give it to everyone. who are they giving it to?

~~~
RKearney
Anyone who then wants their site accessible through this. It’s not a proxy,
they’re just returning your IPv6 address based on what subdomain you type.

In order for a wildcard to work, every single user of the service needs the
private key for that wildcard certificate.

~~~
VWWHFSfQ
I feel like I'm missing something. How is this different than AWS providing a
wildcard certificate for every S3 bucket via
[https://<bucket>.s3.amazonaws.com](https://<bucket>.s3.amazonaws.com). Is it
the same thing?

~~~
treysis
Yes, you are missing something: S3 bucket resolves to Amazon's servers.
<ipv6>.has-a.name resolves to the ip address specified in <ipv6>. You will
have to install the certificate on the actual server that serves the webpage.
For S3 bucket this is Amazon, so they can put their certificate. For your own
IP, you need to install the certificate yourself, so they would have to hand
you their private key as well, which is not allowed.

~~~
hitpointdrew
Yup. This is one thing I hate about AWS. Oh sure, make it nice and easy to use
the wildcard cert on any AWS infrastructure. But what if you want to use that
wildcard cert somewhere else? Too bad. AWS holds the private key for your
wildcard cert, and they don't give it to you. They hold it hostage on their
server.

~~~
harikb
Considering the domain is amazonaws.com, it is only fair they keep it with
themselves. They can't be in the business of providing arbitrary subdomains
under their parent domain just to have it point to some other external IP.

~~~
hitpointdrew
I'm talking about custom domains. You can setup AWS to manage certs for
mycompany.com (for example). When you do that they ought to give you a copy of
the private key to *.mycompany.com. I am not talking about the amazonaws.com
certs.

------
markushx
Shouldn't this be appropriately named has-aaaa.name?

------
stevage
Oh, I was hoping this was going to be like the What 3 Words of IP addresses.
Like "fourteen-mangled-yellow-squirrels.has-a.name".

------
takeda
Oh boy, this is dangerous. A lot of things are tied to DNS name, so you're
giving a lot of power if you point a routable address to it.

~~~
cortesoft
Not sure what you mean by "point a routable address to it"... you don't point
an address at a domain, you point a domain at an address. And you can point
your domain at any address, whether you own it or not.

~~~
takeda
It was a brain shortcut, I meant point your reverse DNS of a routable IP to
that name.

~~~
treysis
How is that dangerous? If you don't "own" the IP, you can't add PTR for it.

~~~
takeda
Exactly, but if you own it and add `PTR` to `has-a.name` then in turn you give
them power. They can request a new certificate under that name and point that
host to another IP. I'm sure there are other ways to abuse it as well.

~~~
treysis
But if they point to a new IP, the other IP's PTR is useless.

~~~
takeda
Yes, but what's your point? You seem to understand DNS enough and at the same
time you don't seem to see the obvious security implication, are you
affiliated with that domain?

~~~
treysis
No, I am not affiliated with them (though we follow each other on Twitter). My
point is, I don't see any security implication involved with a wrong PTR
record in relation to this service. If I set the PTR of my IP to this domain,
but the domain itself resolves to some other IP. Or are you implying they can
only request a cert if the PTR matches the domain? At least for LetsEncrypt
this is not true, otherwise home owners with dynamic IPs wouldn't be able to
request certificates.

~~~
takeda
If you provide a PTR that points back to that name, and configure the web
server to handle requests to that name, you basically make the domain an
official one.

As your users start using it, the owner of the name can now point the AAAA
record to another server that will act as a proxy, request a new certificate
(he owns the domain) and see all the encrypted communication.

~~~
treysis
But you don't need PTR in any of these steps.

------
kej
It would be interesting to combine this with something like the PGP word list
[0] to get human readable names for an IP address.

[0]
[https://en.wikipedia.org/wiki/PGP_word_list](https://en.wikipedia.org/wiki/PGP_word_list)

~~~
nojvek
Omg. That is super cool. I want to turn this as a phone interview question.
Sounds like fun.

------
iamzenitraM
Nice! I had been thinking for a while on building something like this but that
provided reverse PTR records, too.

Some providers like Tunnelbroker easily allow you to change the delegation for
the reverse records for your delegated range: if you have the
1234:5678:9abc:def0::/64 subnet, they let you change the delegation of the
*.0.f.e.d.c.b.a.9.8.7.6.5.4.3.2.1.ip6.arpa DNS zone or add records to it as
you please.

So having a public service that responded to those (following the example, all
you would need is the server to respond to
0.f.e.d.c.b.a.9.8.7.6.5.4.3.2.1.0.f.e.d.c.b.a.9.8.7.6.5.4.3.2.1.ip6.arpa with
a PTR record to 1234-5678-9abc-def0-1234-5678-9abc-def0.has-a.name) would
enable you to also make reverse DNS work for all your network easily, as long
as you delegate your reverse zone to that server.

Unfortunately probably only Tunnelbroker and hosting providers allow you to do
this - I don't expect any residential ISP would (they would also probably
provide their own reverse DNS, though).
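The reverse side sketched in the comment above, as an added example that is not has-a.name's own code: given the delegated prefix from the comment (`1234:5678:9abc:def0::/64`), it derives the ip6.arpa zone name a provider would delegate, the 32-nibble PTR owner name for a host in it, and the PTR target in has-a.name's dashed format, and shows both ways a public server could serve that zone: synthesizing the answer from the query name, or emitting static zone-file lines. The host addresses are constructed.

```python
import ipaddress

# Added example, not has-a.name's own code. Prefix and names are the ones
# from the comment; ip6.arpa layout follows RFC 3596 (one nibble per label).
SUFFIX = ".has-a.name"


def reverse_zone(prefix: str) -> str:
    """Zone a provider delegates for a prefix, e.g.
    1234:5678:9abc:def0::/64 -> 0.f.e.d.c.b.a.9.8.7.6.5.4.3.2.1.ip6.arpa"""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa delegations are per nibble; use a /4-aligned prefix")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_owner(addr: str) -> str:
    """Full 32-nibble owner name of the PTR record for one address."""
    return ipaddress.IPv6Address(addr).reverse_pointer


def ptr_target(addr: str) -> str:
    """The forward name the PTR points at, in the dashed has-a.name format."""
    return ipaddress.IPv6Address(addr).exploded.replace(":", "-") + SUFFIX


def qname_to_address(qname: str) -> ipaddress.IPv6Address:
    """Inverse of ptr_owner: recover the address from a PTR query name."""
    labels = qname.lower().rstrip(".").split(".")
    if labels[-2:] != ["ip6", "arpa"] or len(labels) != 34:
        raise ValueError(f"not a full ip6.arpa name: {qname!r}")
    if any(len(l) != 1 for l in labels[:-2]):
        raise ValueError(f"labels must be single nibbles: {qname!r}")
    hexdigits = "".join(reversed(labels[:-2]))
    return ipaddress.IPv6Address(":".join(hexdigits[i:i + 4] for i in range(0, 32, 4)))


def synthesize_ptr(qname: str, delegated_zone: str):
    """What the public PTR server would answer: the dashed has-a.name for any
    address inside a zone delegated to it, None for names outside it."""
    q = qname.lower().rstrip(".")
    if not q.endswith("." + delegated_zone.lower().rstrip(".")):
        return None
    return ptr_target(str(qname_to_address(q)))


def zone_file(prefix: str, addrs) -> str:
    """Static alternative: PTR lines for a few hosts in the delegated zone."""
    net = ipaddress.IPv6Network(prefix)
    lines = [f"$ORIGIN {reverse_zone(prefix)}."]
    for a in addrs:
        if ipaddress.IPv6Address(a) not in net:
            raise ValueError(f"{a} is outside {prefix}")
        lines.append(f"{ptr_owner(a)}. IN PTR {ptr_target(a)}.")
    return "\n".join(lines)


if __name__ == "__main__":
    zone = reverse_zone("1234:5678:9abc:def0::/64")
    host = "1234:5678:9abc:def0:1234:5678:9abc:def0"   # from the comment
    print(zone)
    print(synthesize_ptr(ptr_owner(host), zone))
    print(synthesize_ptr(ptr_owner("2001:db8::1"), zone))   # outside: None
    print(zone_file("1234:5678:9abc:def0::/64", [host, "1234:5678:9abc:def0::1"]))
```

Serving the zone by synthesis means the server never needs a record per host, which is the only way a scheme like this scales to a whole /64; the static form is what you would paste into an existing authoritative server for a handful of hosts.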

------
kardos
TLS concerns aside, there appears to be no business model here, so it's not
clear how this would become reliable

~~~
telmich
There is no business model behind has-a.name. Its main motivation came from
our customers, who are using the IPv6VPN quite intensively.

Many of our customers are app developers (ruby, python, clojure, you name it)
and they develop on their notebooks that are IPv6 enabled (usually a /64 or
/48 per device).

To be able to share in-development state with other remote developers, the
common thing to do would be to pass around an http://[2a0a:e5c0:...] url that
was http only.

This is not only cumbersome (no one likes to type square brackets), but also
potentially risky, as there is no MITM protection whatsoever.

To fix this problem we created has-a.name, because customers/developers now go
ahead and just create a docker container and share it as
[https://2a0a-e5c0-...has-a.name](https://2a0a-e5c0-...has-a.name) with their
co-developers.

Because our whole company consists of a bunch of Open Source Hackers we
decided to make it public to allow others to work around the same problem.

Even though we promise to never change the automatic resolution (that's work,
doesn't make sense to do that for us), you don't have to trust has-a.name. You
can register your own domain and replicate our setup and use your domain
instead.

I hope that clarifies a bit the business model question.

------
rexarex
Is this accomplished by ip6.arpa?

https://www.ripe.net/manage-ips-and-asns/db/support/documentation/glossary/ip6.arpa

~~~
anderskaseorg
No, ip6.arpa is for reverse DNS; this is forward DNS.

~~~
Olipro
If you are able to have the reverse zone for your subnet delegated to
nameservers under your control, you can use it as a "forward" zone too.

DNS doesn't technically have the concept of forward and reverse - it's just
record types and an agreed format that the PTR records should be.

------
peter_retief
My ISP doesn't seem to support ipv6. If I check on
[https://test-ipv6.com/](https://test-ipv6.com/) I get a bunch of blue dot
warnings. Like: "You appear to be able to browse the IPv4 Internet only. You
will not be able to reach IPv6-only sites." Is this common or is my ISP behind
the times and could this become a problem? I have done some development with
CoAP and ipv6 so it has been an issue for me. On the name issue I think it's a
great idea, even if it's a name that resolves to native ipv6 addresses it would
be very useful to me.

~~~
treysis
Yes, it seems like it is behind the times. It doesn't matter much at the
moment, as there are no real IPv6-only services of relevance (unless you need
to connect to the private IPv6-only NAS of a friend or sth like that).

------
badrabbit
Curious why the rfc didn't choose base64 as the representation format. It
won't change what it looks like on the wire but will result in shorter
addresses that can in part have some meaning. Matter of fact, has there even
been such a proposal?

I naively think '2001:ALN:LabNet01::' or something of the like is not only
better but displaces some of the need to use dns (at least in a lan). I am so
curious about this, I hope someone more knowledgeable can explain.

~~~
netsec_burn
Or base58

------
mikeoxbig66
What would the value of this be? Why does it even matter? I am struggling to
decide if this is even valuable.

~~~
lolc
With this you can refer to a machine in the IP6 space without setting up any
DNS yourself. In some situations a hostname works where an IP-Address doesn't.
They gave one such example: Getting SSL certs.

Clearly it's not a good idea to rely on this for anything serious so the value
is mainly convenience during prototyping.

------
fulafel
This is nice:

> With has-a.name you can now also use SSL certificates on any IPv6 address.
> Even better: any docker container can now have an official, valid
> certificate!

------
jachee
Meanwhile, we're still waiting for VZ to put Fios on IPv6...

------
lucb1e
Note that xip.io does this for IPv4

~~~
takeda
xip.io is primarily used with private addresses (I hope no one uses it for
public ones). There are no real private ipv6 addresses, so using the original
service is risky.

~~~
lolc
I was sure there is a similar concept in IP6 to the IP4 private ranges. And
indeed: Unique local address[0] serves the same purpose.

And you can use them with has-a.name: The domain
fde4-8dba-82e1-0000-0000-0000-0000-0000.has-a.name is translated to address
fde4:8dba:82e1:: just as expected.

[0]
[https://en.wikipedia.org/wiki/Unique_local_address](https://en.wikipedia.org/wiki/Unique_local_address)

------
Spacemolte
What is a IPv6 application?

------
outworlder
This sounds like a solution looking for a problem.

Also, it's dangerous.

~~~
ryeights
Can you elaborate on #2?

~~~
gruez
you're trusting the operator to return the right ip address, and not returning
something nefarious. it's definitely not as secure as using the raw address,
for example.

------
commandersaki
This is all well and good and all.

I always see these ingenious developments with IPv6. But we kind of forget
that deployment is a nightmare.

I think we forget that we're putting the cart before the horse.

I don't see a future for IPv6 while there's no officially endorsed transition
plan that has an actual incentive.

IPv6 only makes sense for mobile since carriers use it to shed load off CGNAT.
In turn this incentivises large traffic sites that cater to mobile (e.g.
Youtube, Google, etc.) to also help out by operating over IPv6. The only
reason carriers can do this is because they usually have full control to
configure the IP stack connecting to the network.

Penetrating the residential is a pipe dream.

Let's not forget in the early to mid 90s IPv6 was decided on to mitigate the
address exhaustion issue. Its use has basically made a scratch.

So many other technologies have come and gone and a few paradigm shifts (e.g.
cloud everything).

And IPv6 continues to sit idle.

~~~
elktea
Mobile networks typically use 464XLAT. Deployment is not hard. The main hold
up for resi networks is CPE vendors don't typically support CLAT, but most
established players can do dual stack for now.

IPv6 is at about 30% of traffic now.

~~~
commandersaki
Yep, any day now.

