> On 27.10.2014, at 16.17, Michael Kloberdans <[email protected]> > wrote: > > All home routers should know their role; CER or IR. The status of CER > > places the burden of providing the firewall and NAPT as it was determined > > to be the edge router. The interior routers need to understand their role > > and disable their firewall and NAPT abilities. This is why the CER-ID is > > a numeric value (indicating CER status) or a double colon (indicating IR > > status). > > I agree with that. However, I disagree with how you are doing it. > > > In the case of the eRouter (combined cable modem and > > router/switch/wireless), it performs a /48 check between the IA_NA and the > > IA_PD ranges. If the ISP sends a double colon or null in the CER-ID ORO, > > AND if the IA_NA is in a different /48 than the given IA_PD, the eRouter > > becomes the CER. It must now declare to the IRs that it is the CER. A > > directly connected IR will see the CER value in the ORO and, in the > > absence of another controlling protocol, disable its firewall and NAPT > > functions. > > Why cannot it determine it is CER by bits coming from particular type of > plug? Cable modem plug looks different from ethernet/wireless? It would be > much more secure that way. >
But that would not work if the router only has ethernet-ports - which is probably the case if the customer has various kinds of FTTH (many of these will use Fast/Gig-ethernet over copper for the last meters in to the CPE). However I do agree that the suggested solution seems sub optimal. It is way to easy for a misconfigured router to disable all local security (IE. turning off firewalling) without the network owners knowledge. /Ola (T) _______________________________________________ homenet mailing list [email protected] https://www.ietf.org/mailman/listinfo/homenet
