Please see below.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Shane Amante

> do is a tall order. I also think the is more than a desire to ease
> configuration burden, this is a must since most users on the Internet
> have very basic technical skills.

So, I agree with this point, but are we constraining our thinking too early? For example, if the assumption is there is a singular CPE-router/FW that has been allocated a /56 from a provider, then:
- why couldn't the FW provide 'stateful firewall' service for the first 'covering' /60 of IPv6 prefixes (/64's) allocated within the house;
- but, the CPE-router/FW would /NOT/ provide stateful or stateless firewall for the remaining 7/8's of address space allocated within the house.

Of course, just change the 'mask' lengths to represent whatever the WG thinks are 'sensible' defaults. And, we'd need to decide if this is something a device in the home can 'dynamically' request from the CPE-router/FW via, say, DHCPv6 or if there are better options ...

-shane

SC> Agree. I would like to see more openness in the design of 'future home network' where in the future we might need to do more auto-configuration; the networks and devices might be such that they would be more lightweight and suitable for address auto-configuration than today's DHCP only home-network - though DHCP(v6) support would be absolutely needed for backward compatibility. But constraining homenet into DHCP-only network will limit the applicability of new type of networks, topologies, devices and services etc.

-Samita

>>
>> A different idea is that the firewall always work in a very minimal
>> mode by default (e.g. it passes no traffic, or maybe only outgoing
>> port 80 traffic, but its configuration interface is enabled for the
>> internal
>> ports) so that the user must configure it in order to get it to do
>> anything useful. That way, the first thing a user learns about his
>> router/firewall is how to configure it. Then you want to focus on
>> making the configuration interface easy to understand. (You also
>> have to figure out how to keep the user from hooking up the internal
>> port to the external connection.)
> [jjmb] I said something similar to this in an earlier email. To
> the start there should perhaps be a basic configuration that protects
> the user and allows the service to be usable.
>>
>> But these are user interface issues, not protocol issues. Perhaps
>> they're better addressed in homenet than here.
> [jjmb] I could imagine some protocol work that could ease the pain here,
> UI for sure could facilitate ease of use.
>>
>> Keith
>>
>> _______________________________________________
>> v6ops mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/v6ops

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
