Re: [homenet] IPv6 & firewall config in a home net

2019-09-05 Thread Ted Lemon
On Sep 2, 2019, at 1:58 PM, Michael Richardson  wrote:
> Question: do PCP messages always go to the default route?  I re-read 6887 and
> that was unclear. RFC7488 did not clarify for me.

PCP requests go to the PCP server the client chooses.   PCP servers can 
currently only be advertised using DHCP.   If there are multiple PCP servers, 
the client has to register with all of them.   A PCP server should know whether 
it makes sense to register a port/address combination with it.

> How does it work if there are multiple layers of router?

I believe that the PCP server on the inner router communicates with the PCP 
server on the outer router, but I’d have to double check.

On 05/09/2019 14:45, Ray Hunter (v6ops) wrote:
> That will likely mean regular renumbering of IA PD by ISPs as the norm
> rather than the exception.

It should be assumed to be the rule, so that if it is the rule, it is handled 
correctly.

On Sep 2, 2019, at 1:47 PM, Michael Richardson  wrote:
> Assuming that the prefix change is make-before-break (which we do not clearly
> know how to do on the WAN side, I think), then the web server should
> configure with the same rfc7212 IID, but a new prefix.

I don’t think there’s any need for the IID to be persistent.   
Make-before-break is accomplished by deprecating the old prefix when the new 
prefix is added.   This is trivial to do; whether it is in fact done is a 
different matter.   I think that at present the client would have to notice 
that it’s happened.

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet


Re: [homenet] IPv6 & firewall config in a home net

2019-09-05 Thread Stephen Farrell


On 05/09/2019 14:45, Ray Hunter (v6ops) wrote:
> That will likely mean regular renumbering of IA PD by ISPs as the norm
> rather than the exception.

I get a bit of both. If there's a power outage or some other
kinds of service outage I don't get, then I get renumbered
when some bit of ISP kit reboots. Happens about 2-3 times a
year maybe.

S.




Re: [homenet] IPv6 & firewall config in a home net

2019-09-05 Thread Ray Hunter (v6ops)



mal.hub...@bt.com wrote on 02/09/2019 17:55:
> Hey,
>
> Mal here. IETF attendee since 2012 ;)
>
> I have a home networking question with respect to IPv6 standards, I'm
> hoping to use you as a sounding board first before I take it to v6ops.
>
> The scenario here is a home / SOHO network situation where the user
> wants to host a service, let's say it's a webserver, but really could be
> any hosted application, importantly using IPv6. The router is set up to
> use SLAAC only.
>
> The ISP offers IPv6 GUA addressing in a non-stable manner, it's "sticky"
> but at some point in the future it might change (BNG reboot for example),

IMHO expected behavior. Many European data protection people consider an
IP(v6) address to be privacy-sensitive personal data.
That will likely mean regular renumbering of IA PD by ISPs as the norm
rather than the exception.

> so the user will use a DynDNS provider to provide a stable name for
> their service, this sounds OK so far.

External users should also be using a name rather than a (time-variant)
IPv6 address.

Please be so kind as to review our draft
https://tools.ietf.org/html/draft-ietf-homenet-front-end-naming-delegation-08

[Hopefully a new version will be forthcoming soon]

This is precisely one of our use cases.

> The user has to allow the webserver port, 443, in their router GUI
> firewall to allow the traffic in, sounds simple enough. Importantly it
> should be to that webserver device only.
>
> Now the tricky part….
>
> Since in this scenario the webserver device is using privacy
> extensions, it has a bunch of IPv6 GUA addresses and no EUI-64 and
>
> - It has temporary addressing (which will regularly change)
>
> - It has a "permanent" address (which is the one the webserver will
>   want to use)

The webserver should not be using privacy extensions for inbound sessions.

It really should be using https://tools.ietf.org/html/rfc7217

> Does this sound reasonable and make sense so far? Cool.
>
> In the router GUI the user is presented with a list of "devices" for
> which the router can open up TCP 443 in the firewall.
>
> It is reasonable to assume the user does not want to type in the
> permanent IPv6 address of the device, as it is poor CX and anyway it
> will change in the future (possibly due to a network change / BNG
> restart etc. as mentioned)

Correct.

> Current routers on the market I have come across have either:
>
>  1. Opened the port to the current temporary address only, which means
>     that inbound connections on the port usually fail right away (if
>     the webserver is not listening on that address) – or fail after
>     the temporary address changes.
>  2. Opened the port to the correct address (by chance)
>     - But then fail at some point in the future when the network
>       prefix changes (as the router drops the rule when the prefix changes).
>  3. Opened the port to some or ALL addresses currently (& sometimes
>     historically) associated with the MAC address of the device (not
>     great for security – spoofing?)
>     - But even that sometimes excludes the permanent address
>  4. Opened the port to all addresses on the LAN (not great for security at all)
>
>  * Basically the router's firewall config GUI doesn't know reliably
>    which device address is the permanent one.
>
>  * Should there exist a mechanism to signal to the router, or can the
>    router accurately learn, which of the device's addresses should
>    be used for configuration in the firewall?

Yes, via PCP RFC6887 et al.

> Is this a problem – have I missed something – is it worth fixing?

Yes. RFC8520? Although there's still a gap for policy IMHO (does a
user want to accept what the manufacturer suggested). Yes.

> Thoughts:
>
> This is probably a strange thing for the user to do (but I have had
> users trying to do it). It's usually fixed for a customer by switching
> off privacy extensions / using EUI-64, so basically giving the device a
> single address for the router GUI to identify the device by.

I personally hope this becomes more common, to avoid the need for NAT,
rendezvous points, dependence on central certificate instances etc.

> Mal





--
regards,
RayH

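Ray's pointer to RFC 7217 is the crux of the firewall problem in this thread: the stable-privacy IID is derived from the prefix, so the webserver's address is stable for as long as the delegated prefix lasts but changes when the ISP renumbers, and a router rule keyed on the full address goes stale. The following is an added example, not code from any poster; the secret key, interface name, SHA-256 as the PRF F(), and the sample prefixes are all constructed assumptions.

```python
import hashlib
import ipaddress

# Constructed device-side parameters (assumed values for this example).
# RFC 7217: secret_key is generated once per host and stored; Net_Iface
# identifies the interface; Network_ID is optional (e.g. an SSID).
SECRET_KEY = bytes.fromhex("00112233445566778899aabbccddeeff"
                           "00112233445566778899aabbccddeeff")
NET_IFACE = b"eth0"
NETWORK_ID = b""  # wired link, no extra network identifier

# RFC 5453 reserved IIDs that a generated value must not collide with.
RESERVED_IID_RANGES = [
    (0x0000000000000000, 0x0000000000000000),  # subnet-router anycast
    (0xFDFFFFFFFFFFFF80, 0xFFFFFFFFFFFFFFFF),  # reserved subnet anycast
]


def is_reserved_iid(iid: int) -> bool:
    return any(lo <= iid <= hi for lo, hi in RESERVED_IID_RANGES)


def rfc7217_iid(prefix: ipaddress.IPv6Network, dad_counter: int = 0) -> int:
    """64-bit stable-privacy IID per RFC 7217 section 5 (SHA-256 assumed as F)."""
    while True:
        rid = hashlib.sha256(
            prefix.network_address.packed[:8]        # 64-bit prefix
            + NET_IFACE + NETWORK_ID
            + dad_counter.to_bytes(8, "big")
            + SECRET_KEY
        ).digest()
        iid = int.from_bytes(rid[:8], "big")        # take 64 bits of the RID
        if not is_reserved_iid(iid):
            return iid
        dad_counter += 1  # treat a reserved hit like a DAD failure and retry


def stable_address(prefix_str: str) -> ipaddress.IPv6Address:
    """The address the webserver would configure for this /64."""
    prefix = ipaddress.IPv6Network(prefix_str)
    return ipaddress.IPv6Address(int(prefix.network_address) | rfc7217_iid(prefix))


def renumber_keeps_iid(old_prefix: str, new_prefix: str) -> bool:
    """Does the IID survive an ISP renumbering? A firewall rule keyed on the
    old address is only still valid when this returns True."""
    old_iid = int(stable_address(old_prefix)) & 0xFFFFFFFFFFFFFFFF
    new_iid = int(stable_address(new_prefix)) & 0xFFFFFFFFFFFFFFFF
    return old_iid == new_iid


if __name__ == "__main__":
    print("same prefix, two boots :", renumber_keeps_iid("2001:db8:1:2::/64", "2001:db8:1:2::/64"))
    print("ISP renumbers the PD   :", renumber_keeps_iid("2001:db8:1:2::/64", "2001:db8:1:3::/64"))
```

Within one prefix the address is reproducible across reboots, which is what lets a router GUI pin a rule to it; across a prefix change the IID itself changes, so the rule must be re-learned (for example via PCP) rather than rewritten with the old IID.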