Re: [homenet] IPv6 & firewall config in a home net

2019-09-02 Thread Michael Richardson

Ted Lemon  wrote:
> Your router should be using PCP to allow servers to open ports and
> should have a GUI to authorize that, or better yet support MUD profiles
> and use the GUI to control that.

I meant to mention PCP as well.
Question: do PCP messages always go to the default route?  I re-read 6887 and
that was unclear. RFC7488 did not clarify for me.

How does it work if there are multiple layers of router?

--
Michael Richardson , Sandelman Software Works
 -= IPv6 IoT consulting =-





___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet
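The PCP MAP exchange that Ted's suggestion relies on, as an added example (Python; not code from the thread, from any router, or from any PCP implementation). It shows the part of RFC 6887 that addresses Mal's "which address is the permanent one" problem: the host puts the address it is actually listening on into the PCP Client IP Address field, and the PCP server compares that field with the packet's source address, answering ADDRESS_MISMATCH (result code 12) when they differ, so one LAN host cannot ask for ports to be opened towards another host's address. The addresses (RFC 3849 documentation prefix), the nonce, the epoch value and the in-memory "router" are constructed for the demonstration; the example does not speak to the multi-router question raised above.

```python
import struct
import ipaddress

# RFC 6887 constants (the subset this demo uses)
PCP_VERSION = 2
OPCODE_MAP = 1
R_BIT = 0x80                     # set in responses, clear in requests
PROTO_TCP = 6
SUCCESS, UNSUPP_VERSION, MALFORMED_REQUEST, UNSUPP_OPCODE, ADDRESS_MISMATCH = 0, 1, 3, 4, 12
RESULT_NAMES = {SUCCESS: "SUCCESS", UNSUPP_VERSION: "UNSUPP_VERSION",
                MALFORMED_REQUEST: "MALFORMED_REQUEST", UNSUPP_OPCODE: "UNSUPP_OPCODE",
                ADDRESS_MISMATCH: "ADDRESS_MISMATCH"}

REQ_HDR = "!BBHI16s"       # version | R/opcode | reserved | requested lifetime | client IP  (24 bytes)
RSP_HDR = "!BBBBII12x"     # version | R/opcode | reserved | result | lifetime | epoch | pad  (24 bytes)
MAP_DATA = "!12sB3xHH16s"  # nonce | protocol | reserved | internal port | external port | external IP (36 bytes)

# Constructed addresses for the demo (not from the thread).
WEBSERVER_STABLE = ipaddress.IPv6Address("2001:db8:1:2:5c1e:9a7b:3f80:1d2e")  # the host's stable address
OTHER_HOST = ipaddress.IPv6Address("2001:db8:1:2:7777:8888:9999:aaaa")        # another LAN host
NONCE = bytes.fromhex("0102030405060708090a0b0c")  # 96-bit mapping nonce; real clients draw it at random


def build_map_request(client_ip, internal_port, lifetime, nonce, protocol=PROTO_TCP):
    """MAP request: the host itself names the address and port to open."""
    hdr = struct.pack(REQ_HDR, PCP_VERSION, OPCODE_MAP, 0, lifetime, client_ip.packed)
    # No translation on an IPv6 firewall: suggest the internal port and an all-zeros
    # external address, which RFC 6887 defines as "no preference".
    data = struct.pack(MAP_DATA, nonce, protocol, internal_port, internal_port, bytes(16))
    return hdr + data


def _response(opcode, result, lifetime, epoch, data):
    return struct.pack(RSP_HDR, PCP_VERSION, R_BIT | opcode, 0, result, lifetime, epoch) + data


def pcp_server_handle(packet, src_ip, epoch, pinholes):
    """Minimal PCP server for a no-translation IPv6 firewall. On success it records a
    pinhole keyed by (address, protocol, port) in `pinholes` and returns the response bytes."""
    if len(packet) < 24 or len(packet) % 4 or len(packet) > 1100:
        return None  # this demo drops badly framed requests
    version, r_op, _, req_lifetime, client_ip = struct.unpack(REQ_HDR, packet[:24])
    if version != PCP_VERSION:
        return _response(OPCODE_MAP, UNSUPP_VERSION, 0, epoch, packet[24:])
    opcode = r_op & 0x7F
    if opcode != OPCODE_MAP:
        return _response(opcode, UNSUPP_OPCODE, 0, epoch, packet[24:])
    if len(packet) < 24 + 36:
        return _response(opcode, MALFORMED_REQUEST, 0, epoch, packet[24:])
    data = packet[24:60]
    nonce, proto, int_port, ext_port, _ = struct.unpack(MAP_DATA, data)
    # RFC 6887: the PCP Client IP Address field must equal the packet's source address;
    # otherwise the server answers ADDRESS_MISMATCH and installs nothing.
    if ipaddress.IPv6Address(client_ip) != src_ip:
        return _response(OPCODE_MAP, ADDRESS_MISMATCH, 0, epoch, data)
    lifetime = min(req_lifetime, 7200)  # the server may grant a shorter lifetime than requested
    pinholes[(src_ip, proto, int_port)] = lifetime
    # No translation: the assigned external address and port are the internal ones.
    return _response(OPCODE_MAP, SUCCESS, lifetime, epoch,
                     struct.pack(MAP_DATA, nonce, proto, int_port, int_port, src_ip.packed))


def parse_map_response(resp, expected_nonce):
    """Client side: validate the response and return the granted (or refused) mapping."""
    version, r_op, _, result, lifetime, epoch = struct.unpack(RSP_HDR, resp[:24])
    if version != PCP_VERSION or not (r_op & R_BIT) or (r_op & 0x7F) != OPCODE_MAP:
        raise ValueError("not a PCP MAP response")
    out = {"result": RESULT_NAMES.get(result, result), "lifetime": lifetime, "epoch": epoch}
    if len(resp) < 60:
        return out
    nonce, proto, int_port, ext_port, ext_ip = struct.unpack(MAP_DATA, resp[24:60])
    if nonce != expected_nonce:
        raise ValueError("mapping nonce mismatch: not a reply to our request")  # RFC 6887 client check
    out.update(protocol=proto, internal_port=int_port, external_port=ext_port,
               external_ip=str(ipaddress.IPv6Address(ext_ip)))
    return out


def run_exchange():
    """Two requests to the same router: one honest, one naming another host's address."""
    pinholes = {}
    epoch = 1000  # constructed server epoch
    # 1. The web server asks for TCP/443 to be opened towards its own stable address.
    req = build_map_request(WEBSERVER_STABLE, 443, 7200, NONCE)
    honest = parse_map_response(pcp_server_handle(req, WEBSERVER_STABLE, epoch, pinholes), NONCE)
    # 2. OTHER_HOST sends the same bytes, but the packet's source is its own address.
    spoof = parse_map_response(pcp_server_handle(req, OTHER_HOST, epoch, pinholes), NONCE)
    return honest, spoof, pinholes


if __name__ == "__main__":
    print(run_exchange())
```

The address check binds the request to the packet's source address, not to an identity: a LAN host that can spoof source addresses still gets past it, which is the trust RFC 6887's simple threat model places in hosts on the internal network. What the exchange buys the router GUI is that the host, rather than the router, chooses which of its many addresses the pinhole applies to.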


Re: [homenet] IPv6 & firewall config in a home net

2019-09-02 Thread Michael Richardson

 wrote:
> I have a home networking question with respect to IPv6 standards, I'm
> hoping to use you as a sounding board first before I take it to v6ops.

okay.

> The scenario here is a home / soho network situation where the user
> wants to host a service, let's say it's a webserver, but really could be
> any hosted application, importantly using IPv6. The router is setup to
> use SLAAC only.

Understood.  Why is SLAAC important here?

> The ISP offers IPv6 GUA addressing in a non-stable manner, it's "sticky"
> but at some point in the future it might change (BNG reboot for
> example), so the user will use DynDNS provider to provide a stable name
> for their service, this sounds OK so far.

sure, or can use the front-end naming mechanism that this WG is working on.

> The user has to allow the webserver port, 443 in their router GUI
> firewall to allow the traffic in, sounds simple enough. Importantly it
> should be to that webserver device only.

Fair enough.

> Now the tricky part

> Since in this scenario the webserver device is using privacy
> extensions, it has a bunch of IPv6 GUA addresses and no EUI-64 and
> - It has Temporary addressing (which will regularly change)
> - It has a "Permanent" address (which is the one the webserver will want
> to use)

> Does this sound reasonable and make sense so far ? Cool.

Yes, so an rfc7217 address.

> In the router GUI the user is presented with a list of "devices" for
> which the router can open up TCP 443 in the firewall.

How does the router get this list?  This is important.  Is this a list of
names, or a list of addresses?

> It is reasonable to assume the user does not want to type in the
> Permanent IPv6 address of the device, as it is poor CX and anyway it
> will change in the future (possibly due to a network change / BNG
> restart etc as mentioned)

It seems reasonable that the user is given a list of names.
The names would ideally come from DNS-SD's SRP.

> Current routers on the market I have come across have either:

> 1.  Open the port to the current temporary address only which means
> that inbound connections on the port usually fail right away (if the
> webserver is not listening on that address) - or fail after the
> temporary address changes.

that's not useful.

> 2.  Opens the port to the correct address (by chance)
> *   - But then fails at some point in the future when the network
> prefix changes (as router drops the rule when the prefix changes).

Assuming that the prefix change is make-before-break (which we do not clearly
know how to do on the WAN side, I think), then the web server should
configure with the same rfc7217 IID, but a new prefix.

> 3.  Opens the port to some or ALL addresses currently (& sometimes
> historically) associated with the mac address of the device  (not great
> for security - spoofing? )
> *   But even that sometimes excludes the permanent address

Hmm. How does it know those addresses are all the same device?
If the router can tell, maybe the privacy addresses aren't very private :-)

> 4.  Opens the port to all addresses on LAN (not great for security at all)

no.

> *   Basically the routers firewall config gui doesn't know reliably
> which device address is the permanent one.

> *   Should there exist a mechanism to signal to the router or the
> router can accurately learn which of the devices addresses should be
> used for configuration in the firewall ?

> Is this a problem - have I missed something - Is it worth fixing ?

Yes, it's worth fixing.
Note that RFC8520 (MUD) could also be used by the web server to announce its
need.  In particular if the web server is running on a multi-purpose host,
having it configure an extra rfc7217 address JUST for it, and then using
DHCPv6 to communicate its MUD file would make sense.
The router owner would need to affirm that this is desired communications.
(Yes, there are missing APIs in general-purpose operating systems to make
this happen)

> Thoughts:
> This is probably a strange thing for the user to do (but I have had
> users trying to do it). Its usually fixed for a customer by switching
> off privacy extensions / using EUI-64 so basically giving the device a
> single address for the router gui to identify the device by.

Being able to open connections into services, particularly doing so for some
subset of the Internet (your alarm monitoring company, work or mobile access
to your nanny cam, etc) is one of the "killer apps" for IPv6 in the home.
So I don't think it's strange, and it has to "just work" for users without
dances.

--
Michael Richardson , Sandelman Software Works
 -= IPv6 IoT consulting =-


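The replies above lean on RFC 7217 stable IIDs and on a firewall rule surviving a prefix change. The following is an added example (Python; not from the thread and not any operating system's SLAAC code) that derives an RFC 7217 IID, using HMAC-SHA256 as the PRF F that the RFC leaves to the implementer, and then checks the two ways a router GUI might store a "permit TCP/443 to this device" rule: by the full address seen at configuration time, or by the low 64 bits only. One caveat it makes visible: the prefix is an input to F, so the IID is reproducible across reboots within one prefix, but a new delegated prefix yields a different IID, and neither rule style survives the BNG-reboot case on its own. Secret key, interface name, prefixes (RFC 3849 range) and the temporary address are constructed.

```python
import hashlib
import hmac
import ipaddress

# Constructed inputs (not from the thread).
SECRET_KEY = bytes.fromhex("8f1c0a53b7e24d6f9a0b3c5d7e8f1a2b")  # secret_key: a real host keeps it random and private
NET_IFACE = b"eth0"                                          # Net_Iface: any stable per-interface identifier
OLD_PREFIX = ipaddress.IPv6Network("2001:db8:1:2::/64")      # prefix before the hypothetical BNG reboot
NEW_PREFIX = ipaddress.IPv6Network("2001:db8:9:9::/64")      # prefix delegated afterwards
IID_MASK = (1 << 64) - 1


def rfc7217_iid(prefix, dad_counter=0, network_id=b"", net_iface=NET_IFACE, secret_key=SECRET_KEY):
    """RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key); IID = 64 bits of RID.
    RFC 7217 leaves F open; this example uses HMAC-SHA256 keyed with secret_key."""
    while True:
        msg = (prefix.network_address.packed[:8]   # the 64-bit SLAAC prefix is an INPUT to F
               + net_iface + network_id + dad_counter.to_bytes(1, "big"))
        rid = hmac.new(secret_key, msg, hashlib.sha256).digest()
        iid = int.from_bytes(rid[:8], "big")
        # RFC 7217 step 4: a reserved IID (RFC 5453) means bump DAD_Counter and recompute.
        # Only the all-zeros subnet-router anycast IID is checked here.
        if iid != 0:
            return iid
        dad_counter += 1


def stable_address(prefix, iid):
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


def iid_of(addr):
    return int(addr) & IID_MASK


def firewall_rule_matches(rule, addr, port):
    """A rule is (kind, value, port). kind 'address' keeps the full 128-bit address seen at
    configuration time; kind 'iid' keeps only the low 64 bits, hoping they survive a prefix change."""
    kind, value, rule_port = rule
    if port != rule_port:
        return False
    if kind == "address":
        return addr == value
    if kind == "iid":
        return iid_of(addr) == value
    raise ValueError(f"unknown rule kind {kind!r}")


def demo():
    iid_old = rfc7217_iid(OLD_PREFIX)
    host_old = stable_address(OLD_PREFIX, iid_old)
    host_new = stable_address(NEW_PREFIX, rfc7217_iid(NEW_PREFIX))   # the host after the prefix change
    temp_old = stable_address(OLD_PREFIX, 0x1234567890ABCDEF)        # constructed RFC 4941 temporary address
    by_address = ("address", host_old, 443)   # what a GUI stores if the user picks the address once
    by_iid = ("iid", iid_old, 443)            # what a GUI stores if it keys on the interface identifier
    return {
        "iid_stable_across_reboots": iid_old == rfc7217_iid(OLD_PREFIX),
        "iid_changes_with_dad_counter": iid_old != rfc7217_iid(OLD_PREFIX, dad_counter=1),
        "iid_same_under_new_prefix": iid_of(host_new) == iid_old,
        "address_rule_old_prefix": firewall_rule_matches(by_address, host_old, 443),
        "address_rule_new_prefix": firewall_rule_matches(by_address, host_new, 443),
        "iid_rule_old_prefix": firewall_rule_matches(by_iid, host_old, 443),
        "iid_rule_temp_address": firewall_rule_matches(by_iid, temp_old, 443),
        "iid_rule_new_prefix": firewall_rule_matches(by_iid, host_new, 443),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The IID-keyed rule at least never matches a temporary address, so it avoids option 1 from the original post, but it still breaks on the prefix change because the host derives a fresh IID for the new prefix. A host whose IID is fixed independently of the prefix (EUI-64, or a manually configured token) would keep matching, which is the workaround Mal describes and the privacy trade-off that comes with it; otherwise the router has to be told, which is where PCP, MUD or SRP come in.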

Re: [homenet] IPv6 & firewall config in a home net

2019-09-02 Thread Ted Lemon
Your router should be using PCP to allow servers to open ports and should have 
a GUI to authorize that, or better yet support MUD profiles and use the GUI to 
control that. 

Sent from my iPhone

> On Sep 2, 2019, at 11:55, mal.hub...@bt.com wrote:
> [...]


[homenet] IPv6 & firewall config in a home net

2019-09-02 Thread mal.hubert
Hey,

Mal here. IETF attendee since 2012 ;)

I have a home networking question with respect to IPv6 standards, I'm hoping to 
use you as a sounding board first before I take it to v6ops.

The scenario here is a home / soho network situation where the user wants to 
host a service, let's say it's a webserver, but really could be any hosted 
application, importantly using IPv6. The router is setup to use SLAAC only.

The ISP offers IPv6 GUA addressing in a non-stable manner, it's "sticky" but at 
some point in the future it might change (BNG reboot for example), so the user 
will use DynDNS provider to provide a stable name for their service, this 
sounds OK so far.

The user has to allow the webserver port, 443 in their router GUI firewall to 
allow the traffic in, sounds simple enough. Importantly it should be to that 
webserver device only.

Now the tricky part

Since in this scenario the webserver device is using privacy extensions, it has 
a bunch of IPv6 GUA addresses and no EUI-64 and
- It has Temporary addressing (which will regularly change)
- It has a "Permanent" address (which is the one the webserver will want to use)

Does this sound reasonable and make sense so far ? Cool.


In the router GUI the user is presented with a list of "devices" for which the 
router can open up TCP 443 in the firewall.

It is reasonable to assume the user does not want to type in the Permanent IPv6 
address of the device, as it is poor CX and anyway it will change in the future 
(possibly due to a network change / BNG restart etc as mentioned)

Current routers on the market I have come across have either:


  1.  Open the port to the current temporary address only which means that 
inbound connections on the port usually fail right away (if the webserver is 
not listening on that address) - or fail after the temporary address changes.
  2.  Opens the port to the correct address (by chance)
 *   - But then fails at some point in the future when the network prefix 
changes (as router drops the rule when the prefix changes).
  3.  Opens the port to some or ALL addresses currently (& sometimes 
historically) associated with the mac address of the device  (not great for 
security - spoofing? )
 *   But even that sometimes excludes the permanent address
  4.  Opens the port to all addresses on LAN (not great for security at all)

  *   Basically the routers firewall config gui doesn't know reliably which 
device address is the permanent one.

  *   Should there exist a mechanism to signal to the router or the router can 
accurately learn which of the devices addresses should be used for 
configuration in the firewall ?

Is this a problem - have I missed something - Is it worth fixing ?


Thoughts:
This is probably a strange thing for the user to do (but I have had users 
trying to do it). Its usually fixed for a customer by switching off privacy 
extensions / using EUI-64 so basically giving the device a single address for 
the router gui to identify the device by.

Mal
