Silly question: Isn’t the border defined by a link and not a router? What if you have uplinks to two different ISPs on the same router? This seems to assume there’s only one border link on a router, and that router connects to only one external entity.
On Oct 27, 2014, at 8:59 AM, Michael Kloberdans <[email protected]> wrote: > Ola, > I¹d like to better understand your comment about a misconfigured router > being a security issue. > > In the eRouter implementation, the CER is automatically determined. The > only way a router would be misconfigured is if the home owner or someone > else with local access manually changes the CER. Perhaps I¹m missing > something. Please expound - I¹m grateful for all comments. > > Regards, > > > Michael Kloberdans > Lead Architect / Home Networking CableLabs® > > 858 Coal Creek Circle. Louisville, CO. 80027 > 303-661-3813 (v) > > > > > On 10/27/14, 9:00 AM, "Ola Thoresen" <[email protected]> wrote: > >>> On 27.10.2014, at 16.17, Michael Kloberdans <[email protected]> >>> wrote: >>>> All home routers should know their role; CER or IR. The status of CER >>>> places the burden of providing the firewall and NAPT as it was >>> determined >>>> to be the edge router. The interior routers need to understand their >>> role >>>> and disable their firewall and NAPT abilities. This is why the >>> CER-ID is >>>> a numeric value (indicating CER status) or a double colon (indicating >>> IR >>>> status). >>> >>> I agree with that. However, I disagree with how you are doing it. >>> >>>> In the case of the eRouter (combined cable modem and >>>> router/switch/wireless), it performs a /48 check between the IA_NA >>> and the >>>> IA_PD ranges. If the ISP sends a double colon or null in the CER-ID >>> ORO, >>>> AND if the IA_NA is in a different /48 than the given IA_PD, the >>> eRouter >>>> becomes the CER. It must now declare to the IRs that it is the CER. >>> A >>>> directly connected IR will see the CER value in the ORO and, in the >>>> absence of another controlling protocol, disable its firewall and NAPT >>>> functions. >>> >>> Why cannot it determine it is CER by bits coming from particular type of >>> plug? Cable modem plug looks different from ethernet/wireless? It would >>> be >>> much more secure that way. >>> >> >> >> But that would not work if the router only has ethernet-ports - which is >> probably the case if the customer has various kinds of FTTH (many of >> these will use Fast/Gig-ethernet over copper for the last meters in to >> the CPE). >> >> However I do agree that the suggested solution seems sub optimal. It is >> way to easy for a misconfigured router to disable all local security (IE. >> turning off firewalling) without the network owners knowledge. >> >> /Ola (T) >> >> _______________________________________________ >> homenet mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/homenet > > _______________________________________________ > homenet mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/homenet _______________________________________________ homenet mailing list [email protected] https://www.ietf.org/mailman/listinfo/homenet
