Hi,

On Tue, Feb 16, 2021 at 08:49:58AM -0500, Ted Lemon wrote:
> On Feb 16, 2021, at 8:37 AM, Gert Doering <[email protected]> wrote:
> > Not sure what of that is "of course" and what "routes to the IoT network"
> > might be???
> 
> Router Advertisements advertise routers, prefixes, and routes, among 
> other things. They can advertise a default router (and hence a default 
> route), or they can advertise a non-default router that provides more 
> specific routes, for example to an IoT stub network. 

You say!  I wouldn't have guessed that.

So, where would that IoT network get their addresses from?

How would the router in my house know that it should listen to this
RA, so other routed segments will be able to reach the IOT segment?
(Routers usually do not listen to RAs)

How would my machines be able to differentiate between "this is a good
RA" and "everything else that is sending an RA around is not"?


> FWIW, the situation for IoT (stub) networks is no different than
> the situation for multi-homing: you have two routers connected to
> the same link, both multicasting RAs to the link. Which one do you
> want your network infrastructure to automatically filter?

Arguably dual-RA multihoming is not working very well today.  

Like, "not at all".

Because hosts do not send their outgoing packets to the "right" router,
depending on source address, even if they should - and because routers do
not honour RAs, so if the host sends a packet to the "wrong" router, 
it will not be forwarded by "router A" to "router B", so it can be sent
to the correct ISP.  Assuming BCP38 filtering on the ISP side, of course.

HNCP had/has the potential to make that work in a very nice way.


Coming back to the original question: I think permitting some random
device to inject RAs into arbitrary networks to connect IoT stub networks
fully conforms to the mantra "the 'S' in IoT stands for 'Security'"...

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279


_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
