I am reporting back to the working group on the CPE Requirements
design team, and specifically a question Alain raised this
afternoon. I think it is something the IPv6 operational community,
and by extension the IPv6 community, needs to think about. For
context, I have included several emails from the thread including my
own, which opened it, Alain's, which asked some very important
questions, and my own reply to Alain's note. I have also included a
couple of others which I thought were important.
I would like the v6ops community to discuss this and come to some
conclusion that can guide the CPE Requirements development. It may
be worthwhile documenting that conclusion and the assumptions it is
based on in an RFC. We are dealing at least in part with a world
view question, and we need a rational and agreed world view.
Begin forwarded message:
From: Fred Baker <fred@cisco.com>
Date: January 3, 2008 12:15:44 PM PST
To: V6CPE Design Team <v6ops-residential-cpe-design-team@external.cisco.com>
Cc: v6ops-ads@tools.ietf.org, Kurt Erik Lindqvist <kurtis@kurtis.pp.se>
Subject: Wondering if we're on the same wavelength
As we're going through this discussion, I'm wondering if we have it
structured right. It seems like we are not working on a single set
of requirements on which we basically agree, which is
characteristic of a design team. Rather, we have a very polarized
discussion between two very different sets of people. One set, the
folks who make CPEs, are being told in no uncertain terms by their
customers that they need to provide firewall functionality, and
some customers require NAT functionality for reasons unrelated to
firewalling. The other group, which AFAIK have no skin in the CPE
game, are (in some cases adamantly) opposed to the deployment of
firewalls.
Would we have a more productive discussion if this were separated
into two separate teams and resultant documents, each describing
and arguing for its version of the universe? If so, who would like
to take the lead on the "we don't need no stinkin firewalls" model?
From: Alain Durand <alain_durand@cable.comcast.com>
Date: January 3, 2008 1:22:01 PM PST
To: Fred Baker <fred@cisco.com>, V6CPE Design Team <v6ops-residential-cpe-design-team@external.cisco.com>
Cc: <v6ops-ads@tools.ietf.org>, Kurt Erik Lindqvist <kurtis@kurtis.pp.se>
Subject: Re: Wondering if we're on the same wavelength
Fred,
IMHO, what is missing is a broader understanding of what I call the
new "social contract" in IPv6 broadband land...
In IPv4 broadband land, there is a pretty well accepted "social
contract":
- Customers get one IPv4 address that can change over time
- Customers use/rent/own a NAT box to create more address space, isolate themselves from external IP address change, get the so-called security benefits of NAT, or for whatever other local reason
- The "security model" is mainly defined as: all devices within the home network belong to the customer, are mostly unmanaged, and a security perimeter is defined by the home router to "protect" the good inside from the "evil" outside.
- The ISP has very little if any view of the devices in the home south of the home gateway
- There is little DNS in place
Note: all this is a direct consequence of the NAT model
In the brave new world of IPv6, the plethora of address space
imposes on us to revisit this model, mainly because NAT is not
required to connect more than one device. Note that I said not
required, which does not mean it will not be part of the picture in
one form or another, if only in the NAT v4/v6/v4 that I described
last IETF.
So, IMHO, what is needed is for the industry at large (and not just
a few experts) to open up a discussion of what this social contract
now will look like in IPv6, in other words, what kind of networks
and network usage are we looking at, and not just now, but looking
ahead...
Essentially, we must *collectively* answer a number of questions:
- How much space is assigned per customer? This is the trivial one that is being discussed right now.
- Is there any routing within the home?
- Is this address space "stable" over time, or is it expected to be changeable by the ISP? There are huge ramifications in the local routing & provisioning complex depending on how you answer this question.
- What is(are) the management model(s) of the home? Is the customer expected to manage his network alone? How can the ISP usefully help? What about in-home devices operated/owned/under contract with either the ISP or a 3rd party?
- What should be the new security model?
- How to manage the name space?
I'm concerned we will not make much progress on the firewall issue
until we have a better understanding of the broader issue I
described above. And honestly, I think we are just at the very
beginning.
- Alain.
From: Fred Baker <fred@cisco.com>
Date: January 3, 2008 2:32:46 PM PST
To: Alain Durand <alain_durand@cable.comcast.com>
Cc: V6CPE Design Team <v6ops-residential-cpe-design-team@external.cisco.com>, <v6ops-ads@tools.ietf.org>, Kurt Erik Lindqvist <kurtis@kurtis.pp.se>
Subject: Re: Wondering if we're on the same wavelength
You raise some important questions. I think there are some more you
need to ask.
I have attached a network map of my home. It is somewhat out of
date; last summer, my folks-in-law moved in with us and as such we
now have TV service in the home, and as a result two set-top boxes.
They are right now on the TV coax apart from control, which is done
via a combination of a direct radio interface and the wifi network,
but in the future one might expect them to come onto the IP network
in full.
On Jan 3, 2008, at 1:22 PM, Alain Durand wrote:
Fred,
IMHO, what is missing is a broader understanding of what I call
the new "social contract" in IPv6 broadband land...
In IPv4 broadband land, there is a pretty well accepted "social
contract":
- Customers get one IPv4 address that can change over time
- Customers use/rent/own a NAT box to create more address space, isolate themselves from external IP address change, get the so-called security benefits of NAT, or for whatever other local reason
- The "security model" is mainly defined as: all devices within the home network belong to the customer, are mostly unmanaged, and a security perimeter is defined by the home router to "protect" the good inside from the "evil" outside.
- The ISP has very little if any view of the devices in the home south of the home gateway
- There is little DNS in place
Note: all this is a direct consequence of the NAT model
I'll add that they are also consequences of ownership. The ISP, Cox
Business Services in my case, supplies the Cable Modem and the
set-top box, but apart from that the equipment in my home belongs to
me. As a customer, I would be very surprised if my ISP tried to
assert any control over anything it didn't own apart from a
specific contractual agreement permitting it to do so. It would be
enough for me to terminate my contract with the ISP. If my ISP
announced to me that it thought there was a new social contract
that I as a consumer was supposed to accept but was not a party to,
that would likewise be the end of my legal contract. The services
my ISP offers in my home are there because I choose them and choose
to pay for them, not because the ISP wants them to be there.
In the brave new world of IPv6, the plethora of address space
imposes on us to revisit this model, mainly because NAT is not
required to connect more than one device. Note that I said not
required, which does not mean it will not be part of the picture
in one form or another, if only in the NAT v4/v6/v4 that I
described last IETF.
Certainly, as a customer I expect to have my router obtain an
address (ND or DHCP) and other configuration information, including
a delegated prefix.
So, IMHO, what is needed is for the industry at large (and not
just a few experts) to open up a discussion of what this social
contract now will look like in IPv6, in other words, what kind of
networks and network usage are we looking at, and not just now,
but looking ahead...
Essentially, we must *collectively* answer a number of questions:
- How much space is assigned per customer? This is the trivial one that is being discussed right now.
yes.
- Is there any routing within the home?
I suspect that there are multiple classes of home here. In my case,
my company's information security policy requires me to have
routing in the home - by whatever means, my office equipment is not
accessible from the rest of my home.
- Is this address space "stable" over time, or is it expected to be changeable by the ISP? There are huge ramifications in the local routing & provisioning complex depending on how you answer this question.
That relates to some of the questions in RRG. If my ISP is
designing the network in my home, I guarantee that the home will
not be multihomed. Since that is not reality (my home isn't
multihomed, but Kurtis' and Jari's are), ergo, the ISP is not
designing or managing the network in my home. This in part is the
issue being addressed in draft-baker-6man-multiprefix-default-route;
if I in fact have multiple prefixes in the home, I want to
send my datagrams using an address to the ISP that gave me the
address. This is a lot easier with Metro Addressing (the ISPs
manage a prefix for the routing domain, which may be similar to a
geographical region) or with a GSE-like model such as Christian
Vogt suggests.
In any event, if the ISP is provisioning me with a prefix, and I am
routing in the home, I expect to have a rational system for using
that prefix.
- What is(are) the management model(s) of the home? Is the customer expected to manage his network alone? How can the ISP usefully help? What about in-home devices operated/owned/under contract with either the ISP or a 3rd party?
I expect the set-top box and other devices supporting services that
I contract for to come with instructions for what I am supposed to
do with them in my home. The ISP is a guest in my home, or perhaps
a servant like the maid or the butler, and will be replaced the
instant it forgets that.
- What should be the new security model?
yes.
- How to manage the name space?
Why would management of the name space for my home be different for
IPv6 than it would be for IPv4? At the end of the day, if I am
offering services from my home and using DNS to do them, I would
like the fact of getting an A or a AAAA record to be something I
only discover after the fact, not something inherent in the name.
From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
Date: January 3, 2008 1:50:43 PM PST
To: Fred Baker <fred@cisco.com>
Cc: V6CPE Design Team <v6ops-residential-cpe-design-team@external.cisco.com>, v6ops-ads@tools.ietf.org, Kurt Erik Lindqvist <kurtis@kurtis.pp.se>
Subject: Re: Wondering if we're on the same wavelength
I think there are three universes :
1) all end devices don't do firewalling, so the CPE has to do that
for them
2) some end devices don't do firewalling, so the CPE has to do that
for them. For the devices that do do firewalling, how can we stop the
CPE firewall getting in their way?
3) all end devices do firewalling, so the CPE shouldn't, because
it'll only get in the way
Actually, that's more of a continuum than 3 separate universes.
My argument is that it's trending towards 3. Because IPv6 is new(ish),
it's possible that with IPv6 we might reach 3 much more quickly than
we'll ever reach it in IPv4.
That being said, it has occurred to me that we might have overlooked
that there's already lots of IPv6 CPE in Asia, and lots of IPv6
enabled devices available (STBs, CCTV cameras etc.). Maybe we should
find out how they've approached the problem before we spend time
resolving it.
Regards,
Mark.
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: January 3, 2008 2:15:55 PM PST
To: Alain Durand <alain_durand@cable.comcast.com>
Cc: Fred Baker <fred@cisco.com>, V6CPE Design Team <v6ops-residential-cpe-design-team@external.cisco.com>, <v6ops-ads@tools.ietf.org>, Kurt Erik Lindqvist <kurtis@kurtis.pp.se>
Subject: Re: Wondering if we're on the same wavelength
On 3 jan 2008, at 22:22, Alain Durand wrote:
Essentially, we must *collectively* answer a number of questions:
[...]
I'm concerned we will not make much progress on the firewall issue
until we have a better understanding of the broader issue I described
above. And honestly, I think we are just at the very beginning.
I largely agree.
Would it be useful to see if we can define a number of deployment
scenarios and then present those to the community at large so that
it/we can reach consensus about which ones we should go forward with?
There are currently many discussions going on about bridging/routing
CPEs, address provisioning, internal subnet allocation etc.
(and some of those discussions weren't even started by me!). Until
we have some industry-wide agreement on this stuff, rolling out IPv6
for consumers will be very complex.
As to Fred's question: I think it's useful to hash things out here;
ignoring the occasional rant, it seems we can find a decent amount
of common ground. If we go off in separate groups that only means
we'll have to have these fights in public... On the other hand, if
the CPE builders feel they can do better work without the firewall
skeptics I can live with that.
<Fred_home_network.pdf>