[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CPEs

To: IPv6 Operations <v6ops@ops.ietf.org>
Subject: Re: CPEs
From: james woodyatt <jhw@apple.com>
Date: Mon, 7 Jan 2008 10:54:16 -0800
In-reply-to: <200801071811.41399.rdenis@simphalempin.com>
References: <58BFC685-DA33-418A-A37A-9075509987D4@muada.com> <200801071811.41399.rdenis@simphalempin.com>

On Jan 7, 2008, at 08:11, Rémi Denis-Courmont wrote:

Le Friday 04 January 2008 14:34:38 Iljitsch van Beijnum, vous avezécrit :
Security

1. Do we all agree that a model where there is stateful filtering by
default, but applications can request incoming sessions is what we
should aim for?
It is pretty clear at this point, that there will be statefulfirewalling inmany SOHO deployments. As such, we clearly need a hole openingmechanism. Orthen we close the IETF transport area, and declare that there shallonly be
UDP and client-to-server TCP from now on :o
What I am really worried however is, if we don't clearly state HOWstatefulfirewalling should be done, or if we do, but vendors ignore us,we'll end up
with the same issues as with IPv4+NAT:
- UDP working "client-to-client", but with battery-hungry shortrefresh
timers,
- TCP only works client-to-server only (so client-to-clientcongestion control
is non-existent at the transport layer),
- everything else does not work reliably.


I concur.

2. Or should the opening up of incoming ports go through the OS,
rather than be signalled directly from applications to the CPE?
I don't understand the question. The OS will always be sittingbetween theapplication and the CPE in any case, by virtue of providing thesocket API,
the network stacks and drivers, and possibly the local firewall.

This is already happening in the OS for IPv4/NAT. That's where theNAT-PMP and UPnP IGD support is coded. Application developers aren'trolling their own implementations of those protocols. They'rerelying on the OS to provide them with APIs.

I see no reason to burden application developers with newrequirements just to use IPv6 instead of IPv4/NAT.

3. Should a host have the option of signalling to a CPE that it
doesn't require any filtering?


It would probably be useful in some scenarios.

No. No, no, no. Firewalls don't care what nodes think are theirfiltering requirements. Policy is decided by the firewalladministrator and enforced in the network middlebox.

The *only* reason for nodes to signal anything to a firewall is togive it a chance to be more transparent than it would otherwise bewithout the signaling. Nodes can tell firewalls things like "I'maccepting arbitrary incoming flows at this network address [thesetransport addresses]." That allows firewalls to get out of the way*IF* policy allows. Without such signaling, no policy is possibleand stateful firewalls must resort to blocking all incoming flowsbecause they don't know which are solicited and which are not.

5. Can we assume the presence of DHCPv6 prefix delegation in CPEs?


No.  Or, at least, not yet.

6. Can we assume the presence of DHCPv6 address assignment inclients?
No.

No.

It's not available in most of them now, so how would we get to such a
state and how soon?
I think we won't get to such a state that we could assume pervasiveDHCPv6.
What's wrong with giving ICMPv6 autoconf for end nodes anyway?


Nothing.

7. Is the model where there is a CPE with modem functionality but not
router functionality a reasonable one?
Maybe it depends on the definition of CPE. There are non-routingmodems, andthere are SOHO routers without modems, and I assume they'llcontinue to
exist.
8. Do we want to ISPs to provide RAs to customers in the case where 6
= no and 7 = yes? If not, then what?
Maybe if the end node is dumb and does not do DHCPv6, it could berequired toneed a CPE? I suppose general purpose computers have or will haveDHCPv6 at
some point. Not sure about, say Apple though.


Mac OS X does not support DHCP6.  I can't say when or if it ever will.

16. How do we expect customer devices to enter into the DNS?


I am not sure we need DNS here.


It's a luxury item.

18. Should IPv6 hosts be prepared to operate without a workingreverse
DNS entry?
They'd better do it, because there are deployed IPv6 networkswithout reverse
DNS. Especially if the host uses privacy addresses.

We're going to need privacy addresses once IPv6 worm authors startharvesting target addresses from server logs and honeypots.



--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering

Follow-Ups:
- Re: CPEs
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: CPEs
  - From: Brian E Carpenter <brian.e.carpenter@gmail.com>
- RE: CPEs
  - From: Christian Huitema <huitema@windows.microsoft.com>

References:
- CPEs
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: CPEs
  - From: Rémi Denis-Courmont <rdenis@simphalempin.com>

Prev by Date: Re: CPEs
Next by Date: RE: CPEs
Previous by thread: Re: CPEs
Next by thread: RE: CPEs
Index(es):
- Date
- Thread