If all other local routers will disable their firewalls just because they 
receive a single packet with a flag set (and we're not only talking UPnP which 
should only open a subset of ports to a subset of addresses), I would be 
concerned.  If I re-used a router that had been previously set up as a CER, and 
plugged it in - maybe as a kind of WIFI-extender or whatever - and it started 
to disable the firewalls on other routers in my network (i.e. between my Guest 
WIFI and my Home Automation network) it would obviously be a security issue.  

Also, it would be a trivial task to create a virus/trojan that could spoof 
these packets, and start exploring internal networks that the box at hand 
should not have access to.
With more and more embedded devices showing up - with a questionable track 
record for firmware/software updates - I think we should be really careful with 
this kind of automatic downgrade of local security.

There are plenty of reasons to run firewalls and filters on other routers than 
the edge-router(s).


/Ola Thoresen



----- Original message -----
> From: "Michael Kloberdans" <[email protected]>
> To: "Ola Thoresen" <[email protected]>, [email protected]
> Sent: 27 October 2014 16:59:34
> Subject: Re: [homenet] Comments requested for draft CER-ID
> 
> Ola,
> I'd like to better understand your comment about a misconfigured router
> being a security issue.
> 
> In the eRouter implementation, the CER is automatically determined.  The
> only way a router would be misconfigured is if the home owner or someone
> else with local access manually changes the CER.  Perhaps I'm missing
> something. Please expound - I'm grateful for all comments.
> 
> Regards,
> 
> 
> Michael Kloberdans
> Lead Architect / Home Networking     CableLabs®
> 
> 858 Coal Creek Circle.  Louisville, CO. 80027
> 303-661-3813 (v)
> 
> 
> 
> 
> On 10/27/14, 9:00 AM, "Ola Thoresen" <[email protected]> wrote:
> 
> >> On 27.10.2014, at 16.17, Michael Kloberdans <[email protected]>
> >> wrote:
> >> > All home routers should know their role; CER or IR.  The status of CER
> >> > places the burden of providing the firewall and NAPT as it was determined
> >> > to be the edge router.  The interior routers need to understand their role
> >> > and disable their firewall and NAPT abilities.  This is why the CER-ID is
> >> > a numeric value (indicating CER status) or a double colon (indicating IR
> >> > status).
> >> 
> >> I agree with that. However, I disagree with how you are doing it.
> >> 
> >> > In the case of the eRouter (combined cable modem and
> >> > router/switch/wireless), it performs a /48 check between the IA_NA and the
> >> > IA_PD ranges.  If the ISP sends a double colon or null in the CER-ID ORO,
> >> > AND if the IA_NA is in a different /48 than the given IA_PD, the eRouter
> >> > becomes the CER.  It must now declare to the IRs that it is the CER.  A
> >> > directly connected IR will see the CER value in the ORO and, in the
> >> > absence of another controlling protocol, disable its firewall and NAPT
> >> > functions.
> >> 
> >> Why cannot it determine it is CER by bits coming from particular type of
> >> plug? Cable modem plug looks different from ethernet/wireless? It would be
> >> much more secure that way.
> >> 
> >
> >
> >But that would not work if the router only has ethernet-ports - which is
> >probably the case if the customer has various kinds of FTTH (many of
> >these will use Fast/Gig-ethernet over copper for the last meters in to
> >the CPE).
> >
> >However I do agree that the suggested solution seems suboptimal.  It is
> >way too easy for a misconfigured router to disable all local security (i.e.
> >turning off firewalling) without the network owner's knowledge.
> >
> >/Ola (T)
> >
> >_______________________________________________
> >homenet mailing list
> >[email protected]
> >https://www.ietf.org/mailman/listinfo/homenet
> 
> 

-- 
Ola Thoresen                                        Tlf.: 23 01 00 00
PowerTech Drift                                     Dir.: 23 01 00 47
                                                    Mob.: 92 09 04 30 
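The role-determination rule quoted in the thread (a router that receives a numeric CER-ID is an IR; one that receives a double colon or null runs a /48 comparison between its IA_NA address and its IA_PD prefix and becomes the CER if they differ) is small enough to write down. The following is an added illustration, not code from the CER-ID draft, CableLabs' eRouter implementation or either poster. It assumes the CER-ID value arrives as a string (`"::"`, `None`, or a numeric value), and it adds one hardening step the draft does not specify but the thread argues for: the option is only honoured when it was received on the interface the DHCPv6 lease itself came from, so a stray or spoofed CER-ID on a LAN port cannot flip the router's role. The case where the /48s match is not spelled out in the quoted text; treating it as IR is an assumption.

```python
import ipaddress
from typing import Optional

# Constructed lease data for the examples below (documentation prefix, not real).
SAMPLE_IA_NA = "2001:db8:1::10"
SAMPLE_IA_PD_DIFFERENT_48 = "2001:db8:2::/56"
SAMPLE_IA_PD_SAME_48 = "2001:db8:1:100::/56"


def same_48(ia_na_addr: str, ia_pd_prefix: str) -> bool:
    """True if the IA_NA address and the IA_PD prefix fall in the same /48."""
    na = ipaddress.IPv6Address(ia_na_addr)
    pd = ipaddress.IPv6Network(ia_pd_prefix, strict=False)
    # strict=False masks the host bits so each side becomes its enclosing /48.
    na48 = ipaddress.IPv6Network((na, 48), strict=False)
    pd48 = ipaddress.IPv6Network((pd.network_address, 48), strict=False)
    return na48 == pd48


def cer_id_is_unset(cer_id: Optional[str]) -> bool:
    """The draft uses a double colon (or nothing) to mean 'no CER announced'."""
    return cer_id is None or cer_id.strip() in ("", "::")


def determine_role(cer_id: Optional[str], ia_na_addr: str, ia_pd_prefix: str) -> str:
    """Return 'CER' or 'IR' following the rule quoted in the thread.

    A numeric CER-ID means an upstream device already claims to be the CER,
    so this router is an interior router.  A double colon or null hands the
    decision to the /48 check: different /48 -> this router is the CER.
    """
    if not cer_id_is_unset(cer_id):
        return "IR"
    if not same_48(ia_na_addr, ia_pd_prefix):
        return "CER"
    # Assumption: the quoted text does not say what happens when the /48s match;
    # defaulting to IR keeps this router from claiming CER status on its own.
    return "IR"


def accept_cer_id(received_on_iface: str, lease_iface: str) -> bool:
    """Hardening step (an assumption, not part of the draft): only honour a
    CER-ID that arrived on the interface the DHCPv6 lease was obtained from.
    Any CER-ID seen on another port is ignored rather than acted upon."""
    return received_on_iface == lease_iface


def apply_role_change(cer_id: Optional[str], ia_na_addr: str, ia_pd_prefix: str,
                      received_on_iface: str, lease_iface: str) -> dict:
    """Decide the role and whether the firewall/NAPT should stay enabled.

    Returns a small dict so the decision can be logged for the network owner,
    which is the visibility Ola's message says is missing today.
    """
    if not accept_cer_id(received_on_iface, lease_iface):
        return {"role": "unchanged", "firewall_enabled": True,
                "reason": f"CER-ID on {received_on_iface} ignored; lease is on {lease_iface}"}
    role = determine_role(cer_id, ia_na_addr, ia_pd_prefix)
    # Per the quoted text, an IR disables its firewall and NAPT; a CER keeps them.
    return {"role": role, "firewall_enabled": role == "CER",
            "reason": f"CER-ID={cer_id!r}, same_48={same_48(ia_na_addr, ia_pd_prefix)}"}


if __name__ == "__main__":
    print(apply_role_change("::", SAMPLE_IA_NA, SAMPLE_IA_PD_DIFFERENT_48, "wan0", "wan0"))
    print(apply_role_change("1", SAMPLE_IA_NA, SAMPLE_IA_PD_DIFFERENT_48, "wan0", "wan0"))
    print(apply_role_change("1", SAMPLE_IA_NA, SAMPLE_IA_PD_DIFFERENT_48, "lan0", "wan0"))
```

The last call in the `__main__` block is the case the thread worries about: a CER-ID appearing on a LAN-side port is logged and ignored instead of silently turning the firewall off.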

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
