Ola, I¹d like to better understand your comment about a misconfigured router being a security issue.
In the eRouter implementation, the CER is automatically determined. The only way a router would be misconfigured is if the home owner or someone else with local access manually changes the CER. Perhaps I¹m missing something. Please expound - I¹m grateful for all comments. Regards, Michael Kloberdans Lead Architect / Home Networking CableLabs® 858 Coal Creek Circle. Louisville, CO. 80027 303-661-3813 (v) On 10/27/14, 9:00 AM, "Ola Thoresen" <[email protected]> wrote: >> On 27.10.2014, at 16.17, Michael Kloberdans <[email protected]> >> wrote: >> > All home routers should know their role; CER or IR. The status of CER >> > places the burden of providing the firewall and NAPT as it was >>determined >> > to be the edge router. The interior routers need to understand their >>role >> > and disable their firewall and NAPT abilities. This is why the >>CER-ID is >> > a numeric value (indicating CER status) or a double colon (indicating >>IR >> > status). >> >> I agree with that. However, I disagree with how you are doing it. >> >> > In the case of the eRouter (combined cable modem and >> > router/switch/wireless), it performs a /48 check between the IA_NA >>and the >> > IA_PD ranges. If the ISP sends a double colon or null in the CER-ID >>ORO, >> > AND if the IA_NA is in a different /48 than the given IA_PD, the >>eRouter >> > becomes the CER. It must now declare to the IRs that it is the CER. >>A >> > directly connected IR will see the CER value in the ORO and, in the >> > absence of another controlling protocol, disable its firewall and NAPT >> > functions. >> >> Why cannot it determine it is CER by bits coming from particular type of >> plug? Cable modem plug looks different from ethernet/wireless? It would >>be >> much more secure that way. >> > > >But that would not work if the router only has ethernet-ports - which is >probably the case if the customer has various kinds of FTTH (many of >these will use Fast/Gig-ethernet over copper for the last meters in to >the CPE). > >However I do agree that the suggested solution seems sub optimal. It is >way to easy for a misconfigured router to disable all local security (IE. >turning off firewalling) without the network owners knowledge. > >/Ola (T) > >_______________________________________________ >homenet mailing list >[email protected] >https://www.ietf.org/mailman/listinfo/homenet _______________________________________________ homenet mailing list [email protected] https://www.ietf.org/mailman/listinfo/homenet
