Whilst I don't disagree significantly with Fred's list (which seems to match the functionality of the installed IPv4 base), I think the challenge for Homenet is going to be to make this requirements list work in a multi-vendor environment out of the shrink wrap (Homenet architecture by definition assumes more than one CPE device). To me, ensuring interoperability is the main added value of the Homenet WG.

I therefore humbly submit that language based on "MAY" is generally not going to cut it for Homenet.

Here are my suggested modifications of Fred's list, for further improvement.

1) s/a CPE Router MAY include a firewall function/a Customer Edge Router (CER) SHOULD implement a mechanism to facilitate egress and ingress access control of traffic crossing the external border of the Homenet. This MAY be implemented either as a firewall or as simple IPv6 Access Control List (ACL)./

ACL being debatable, but it's functionality that exists today in IPv4 and which works. Who am I to say that isn't "good enough" for some folks' security needs? As an end-user, I'm all for functional equivalence with IPv4.

2) For me it's debatable whether the Homenet WG needs to further define how this egress or ingress control functionality actually processes traffic. That's something IMHO where vendors can differentiate their products, and which can evolve over time.

Perhaps:
/The firewall MAY be functionally defined by draft-ietf-v6ops-cpe-simple-security or draft-vyncke-advanced-ipv6-security-03. Other functional definitions of the ingress and egress access control mechanism may be introduced to Homenet later. As a general principle, equivalent security controls SHOULD be applied to both IPv4 and IPv6 traffic when running in dual stack mode at the external boundary./

3) s/IF such a function is implemented, it MUST be possible to disable it, reducing the CPE to a simple router./ It MUST be possible to disable the ingress and egress access control function to reduce the CER to a simple router, and the mechanism to achieve this SHOULD ...../

In this case, "be manual" or do you want the device to "auto-detect that the device is acting as a CER"? I think this is pretty essential for ensuring that Homenet works as a system when users plug and play kit from various vendors.
Perhaps the detail is best left for another day.

4) s/IF it is a "deny all" firewall, it SHOULD have a means of providing access rules for services inside the home/ IF it is a "deny all" ingress mechanism, it SHOULD have a means of providing access rules for services located inside the home, and the mechanism to achieve this SHOULD be ...../

"PCP"?

If PCP isn't considered by the WG to be "good enough" for the task of acting as the Homenet control protocol for the ingress and egress security function, then I submit that the challenge is either going to be to make PCP "good enough", or come up with an alternative. I am neutral on what the control protocol should be. But there's no doubt in my mind that we really should define an open and standard control protocol to configure the ingress and egress access control mechanism (to ensure interoperability, to preserve e2e, and to ensure the sanity of developers and end users).

regards,
RayH

Fred Baker wrote:
On Mar 13, 2012, at 10:11 PM, Cameron Byrne wrote:
My cursory research says you are not going to be able to present a convincing 
amount of data to support the fact that a stateful
inspection firewall should be applied in a contemporary home environment.

I don't recall anyone saying that a "stateful inspection" firewall was specifically called for. I 
think we argued that there is a market expectation that a firewall is at least available, and that however 
the firewall is implemented, it should prevent simple attacks from "outside" the network (I will 
argue "network layer attacks" as opposed to combing through bits in layers above). As we get into 
the specifics of kinds of firewalls, I think we're treading even more heavily on people's religion.

As to "kinds of firewalls", I have a posted draft (which I think I mentioned), 
which might be discussed in opsawg and might be discussed in the Security Area meeting. I 
haven't heard a decision on that. I would suggest we defer to that discussion. However, 
as far as *this* draft goes, I think that it is fair to say that

  - a CPE Router MAY include a firewall function.

  - IF such a function is implemented, it MUST be possible to disable
    it, reducing the CPE to a simple router.

    (my rule on the use of "MUST": I use the term when failing to
    do so breaks something, and I try to say what breaks. In this
    case, a CPE Router that has a firewall that can't be turned off
    cannot be used as an interior router in the home network)

  - IF it is a "deny all" firewall, it SHOULD have a means of providing
    access rules for services inside the home, such as allowing SMTP
    to an SMTP server or ISP access to a set-top box. PCP or other
    protocols like it MAY be used to achieve that.

  - IF it is a role-based firewall, it SHOULD have a means of
    configuring and using roles.

  - IF it is a stateful inspection, reputation-based, or anomaly
    detection firewall, it SHOULD have a way to maintain the indicated
    tables such as periodic download of signed files from a trusted
    site.



_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet

Reply via email to