My comments continue to be: I think an indication of "this interface is external" (i.e., don't trust me, this is a "public" network) can be valuable in applying "external" classification to an interface. I'm happy not to trust those who claim to be untrustworthy. But that doesn't seem to be the primary focus of this CER ID proposal. I think that trying to use certain CER ID values as an indication of "this interface is internal" (i.e., trust me -- really!) is problematic.
The idea that the CER ID will somehow cause consistent behavior by IRs has no basis, because the expectation for IRs to treat the CER ID as a "trust me -- really!" indication is problematic. I would be opposed to any suggestion that IRs trust a "trust me -- really!" CER ID value and behave in a trusting manner as a result of it. As Markus suggests, other indicators should be used for positive identification of internal interfaces.

I consider the formatting of the option as an IP address to be flawed. If it is the case that CableLabs would not accept IETF input to change this option to a format that IETF participants would find useful (because it's already this way in the eRouter specs and eRouter vendors are implementing it), then I think it should not be standardized by IETF and should remain a vendor option specified purely in the eRouter specs.

If others think that an indication of "this interface is external" would be useful, then I would be happy to propose such a thing, or work with others to propose such a thing. I would make it a flag. It might be useful to consider including other flags (e.g., multiple IA_PD requests are ok / not ok) in the option as well. It would be an option that comes from ISPs to indicate preferred expected behavior on the external interface.

I'm opposed to ISPs trying to control what happens on my home network's internal interfaces through standardized DHCP options. That's one of the reasons I only have non-ISP provided/affiliated routers in my home. In fact, I would want my routers to identify any ISP-provided device as being on an external interface. I'm absolutely unwilling to accept anything that would allow an ISP to disable my internal router's firewall. I would prefer to have the firewall on the ISP router be disabled, if there is a firewall on an internal router.

Barbara

> Markus,
>
> CER-ID can apply to more than just the cable industry. DSL modems and satellite services can also take advantage of the benefits if we don't lock down the interface. Also, some home owners may not want the natural boundary being the Cable modem or DSL modem and this provides a way to make that happen.
>
> Do you still want to discuss how or why CER-ID is implemented this way?
>
> Thank you for your comments so far.
>
> Michael Kloberdans
> Lead Architect / Home Networking CableLabs®
> 858 Coal Creek Circle. Louisville, CO. 80027
> 303-661-3813 (v)
>
> On 10/27/14, 8:47 AM, "Markus Stenberg" <[email protected]> wrote:
>
>> On 27.10.2014, at 16.17, Michael Kloberdans <[email protected]> wrote:
>>
>>> All home routers should know their role; CER or IR. The status of CER places the burden of providing the firewall and NAPT as it was determined to be the edge router. The interior routers need to understand their role and disable their firewall and NAPT abilities. This is why the CER-ID is a numeric value (indicating CER status) or a double colon (indicating IR status).
>>
>> I agree with that. However, I disagree with how you are doing it.
>>
>>> In the case of the eRouter (combined cable modem and router/switch/wireless), it performs a /48 check between the IA_NA and the IA_PD ranges. If the ISP sends a double colon or null in the CER-ID ORO, AND if the IA_NA is in a different /48 than the given IA_PD, the eRouter becomes the CER. It must now declare to the IRs that it is the CER. A directly connected IR will see the CER value in the ORO and, in the absence of another controlling protocol, disable its firewall and NAPT functions.
>>
>> Why cannot it determine it is CER by bits coming from particular type of plug? Cable modem plug looks different from ethernet/wireless? It would be much more secure that way.
>>
>>> The nice advantage of the double colon is for network literate people like yourself to manually determine where the boundary between public and private network will be. If you didn't want the Cable or DSL modem to be the CER, manually give them a '::' and assign a CER-ID to a downstream router. Thus, CER-ID allows for automatic detection of the CER and uniform behavior of IRs within the home and also a way to design your network the way you desire.
>>
>> Again, bits coming from cable port <> not sounds much simpler to me. And more secure.
>>
>> Cheers,
>>
>> -Markus
>
> _______________________________________________
> homenet mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/homenet
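As an added illustration (not code from the thread, CableLabs or the eRouter specs), the role decision Michael describes, written out in Python: a non-"::" CER-ID means an upstream CER already exists, while "::" or null triggers the /48 comparison between IA_NA and IA_PD. The role labels, the handling of the case the thread leaves undecided, and the documentation-prefix addresses are assumptions.

```python
import ipaddress
from typing import Optional

# Role names follow the thread: the CER is the edge router that provides the
# firewall and NAPT; IRs are interior routers. All addresses used with these
# functions in the examples below are constructed from the 2001:db8::/32
# documentation prefix, not taken from any deployment.
NO_CER = ipaddress.IPv6Address("::")


def same_48(ia_na: str, ia_pd: str) -> bool:
    """True if the IA_NA address sits in the same /48 as the delegated IA_PD prefix."""
    na_block = ipaddress.IPv6Network(f"{ia_na}/48", strict=False)
    pd = ipaddress.IPv6Network(ia_pd, strict=False)
    pd_block = ipaddress.IPv6Network(f"{pd.network_address}/48", strict=False)
    return na_block == pd_block


def parse_cer_id(cer_id: Optional[str]) -> Optional[ipaddress.IPv6Address]:
    """The option is formatted as an IPv6 address; an absent option ("null") maps to None."""
    if cer_id is None:
        return None
    return ipaddress.IPv6Address(cer_id)


def determine_role(cer_id: Optional[str], ia_na: str, ia_pd: str) -> str:
    """Apply the eRouter decision as described in the thread.

    - a CER-ID other than '::' means an upstream router already declared itself
      CER, so this router is an IR;
    - '::' or null, with IA_NA in a different /48 than IA_PD, makes this router the CER;
    - '::' or null with both in the same /48 is not decided by the thread;
      returning "undetermined" for it is an assumption of this example.
    Note that the received value itself carries no proof of who set it, which is
    the objection raised to acting on it as a "trust me" signal.
    """
    value = parse_cer_id(cer_id)
    if value is not None and value != NO_CER:
        return "IR"
    if not same_48(ia_na, ia_pd):
        return "CER"
    return "undetermined"


if __name__ == "__main__":
    # Constructed cases: ISP hands out IA_NA 2001:db8:1::10 and delegates IA_PD 2001:db8:2::/56.
    print(determine_role("::", "2001:db8:1::10", "2001:db8:2::/56"))          # CER
    print(determine_role("2001:db8:1::1", "2001:db8:1::10", "2001:db8:2::/56"))  # IR
    print(determine_role(None, "2001:db8:1::10", "2001:db8:1:100::/56"))      # undetermined
```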
