David R Oran wrote:
Silly question:

Isn’t the border defined by a link and not a router? What if you have uplinks to two different ISPs on the same router?
This seems to assume there’s only one border link on a router, and that router connects to only one external entity.

Indeed.

The draft states

>If the device has more than one LAN interface,
>it SHOULD use the lowest Globally Unique address not assigned to its WAN interface.

That would seem to me to suggest that this draft is targeted at an RFC 7084 router.

RFC7368 (The Homenet Architecture) is explicit in section 3.2.2.3 that dual ISP links on one single CER are supported.

So what happens if one ISP states in a CER-ID reply that this DHCPv6 client router is the CER, and another ISP states via the same CER-ID mechanism, responding from a different DHCPv6 server, that this router is not the CER?

I therefore think all DHCPv6 based management mechanisms are pretty much doomed to failure, unless they can explicitly resolve conflicting configuration information.

On Oct 27, 2014, at 8:59 AM, Michael Kloberdans <[email protected]> wrote:

Ola,
I'd like to better understand your comment about a misconfigured router
being a security issue.

In the eRouter implementation, the CER is automatically determined.  The
only way a router would be misconfigured is if the home owner or someone
else with local access manually changes the CER.  Perhaps I'm missing
something. Please expound - I'm grateful for all comments.

Regards,


Michael Kloberdans
Lead Architect / Home Networking     CableLabs®

858 Coal Creek Circle.  Louisville, CO. 80027
303-661-3813 (v)




On 10/27/14, 9:00 AM, "Ola Thoresen" <[email protected]> wrote:

On 27.10.2014, at 16.17, Michael Kloberdans <[email protected]> wrote:
All home routers should know their role; CER or IR.  The status of CER
places the burden of providing the firewall and NAPT as it was determined
to be the edge router.  The interior routers need to understand their role
and disable their firewall and NAPT abilities.  This is why the CER-ID is
a numeric value (indicating CER status) or a double colon (indicating IR
status).
I agree with that. However, I disagree with how you are doing it.

In the case of the eRouter (combined cable modem and
router/switch/wireless), it performs a /48 check between the IA_NA and the
IA_PD ranges.  If the ISP sends a double colon or null in the CER-ID ORO,
AND if the IA_NA is in a different /48 than the given IA_PD, the eRouter
becomes the CER.  It must now declare to the IRs that it is the CER.  A
directly connected IR will see the CER value in the ORO and, in the
absence of another controlling protocol, disable its firewall and NAPT
functions.
Why cannot it determine it is CER by bits coming from particular type of
plug? Cable modem plug looks different from ethernet/wireless? It would be
much more secure that way.

But that would not work if the router only has Ethernet ports - which is
probably the case if the customer has various kinds of FTTH (many of
these will use Fast/Gig-Ethernet over copper for the last meters in to
the CPE).

However I do agree that the suggested solution seems suboptimal.  It is
way too easy for a misconfigured router to disable all local security (i.e.
turning off firewalling) without the network owner's knowledge.

/Ola (T)

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet



--
Regards,
RayH

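The /48 comparison Michael describes, together with the dual-ISP conflict Ray raises, as an added Python example; this is not code from any message in the thread nor the eRouter's implementation, and the addresses are constructed. The thread only states when a router becomes the CER; treating every other case (numeric CER-ID, or "::" with matching /48s) as IR is an assumption made here.

```python
import ipaddress
from typing import Optional

# CER-ID values the thread mentions: a numeric address (a CER exists),
# or "::" / absent (no CER named).  Assumed model, not CableLabs' code.


def same_48(ia_na: str, ia_pd: str) -> bool:
    """True if the IA_NA address and the IA_PD prefix share one /48."""
    pd_net = ipaddress.IPv6Network(ia_pd, strict=False)
    # strict=False masks the host bits so a bare address can be widened to /48.
    na_48 = ipaddress.IPv6Network(f"{ia_na}/48", strict=False)
    pd_48 = ipaddress.IPv6Network(f"{pd_net.network_address}/48", strict=False)
    return na_48 == pd_48


def decide_role(cer_id: Optional[str], ia_na: str, ia_pd: str) -> str:
    """Rule from the thread: CER-ID '::' or null AND IA_NA outside the
    IA_PD's /48 -> this router is the CER.  Anything else -> IR (assumed)."""
    if cer_id in (None, "", "::") and not same_48(ia_na, ia_pd):
        return "CER"
    return "IR"


def decide_with_conflict_check(replies) -> str:
    """replies: one (cer_id, ia_na, ia_pd) tuple per upstream DHCPv6 server.
    With two ISPs on one CER the answers can disagree; flag that instead of
    silently letting one uplink turn the firewall off."""
    roles = {decide_role(*reply) for reply in replies}
    if len(roles) > 1:
        return "CONFLICT"
    return roles.pop()


if __name__ == "__main__":
    # Constructed sample: ISP A names no CER and hands out an IA_NA outside
    # the delegated /48; ISP B names a CER.  Single-uplink answers differ.
    isp_a = ("::", "2001:db8:1::10", "2001:db8:2::/48")
    isp_b = ("2001:db8:9::1", "2001:db8:9::10", "2001:db8:9:100::/56")
    print(decide_role(*isp_a), decide_role(*isp_b))   # CER IR
    print(decide_with_conflict_check([isp_a, isp_b]))  # CONFLICT
```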
