
Re: CPEs



On Jan 9, 2008, at 09:08, Bound, Jim wrote:
[ Iljitsch van Beijnum wrote: ]
[ Jim Bound wrote: ]
[ Iljitsch van Beijnum wrote: ]
7. Is the model where there is a CPE with modem functionality  
but not router functionality a reasonable one?
I don't think so and this should be transparent to v6ops mission  
for this thread is my input.
Reason for the question: if ISPs insist on CPEs with modem and  
router functionality integrated, we can skip some issues (RAs from  
ISP to customer) but that means the ISP - CPE interface becomes  
more important because if it doesn't work right the user is left  
without recourse.
True but I still think that is transparent to the modem and this is  
really how are RAs/RSs going to work for a home environment.
Important question is this work or model to be only for the home  
CPE end and not other target markets for IPv6 deployment?
I'm okay with a model that says CPE for the residential and
small-office markets have different requirements than CPE for middle and
large enterprise sites.
13. How many devices are allowed to connect to a CPE(m)?
Absolutely none of the IETF's business. Sorry this is a product feature set for the vendors.
It's more an ISP issue. If ISPs want this to be exactly one,  
vendors can build in logic that avoids problems when a user tries  
to connect multiple devices anyway.
Yep but still not the IETF's business.
I suspect IETF ought to give some consideration to what might happen  
if ISPs deploy such logic and 3rd parties begin offering solutions  
to "connect" multiple devices that present to the ISP as if they are  
the single device for which they are billed for service.
19. How do users authorize third-party devices (ranging from gas meters to set top boxes) use of their broadband connection?
Sorry not the IETF's business.
True. But the answer is important for us: if it's "put them in a  
separate subnet" this means the CPE model must support multiple  
subnets.
Here I must disagree.  There is a difference between IP config for  
example multiple subnets and then securing devices.  I don't  
believe many now agree securing devices based on IP subnet is  
optimal or secure other than using the IP config to locate the  
devices.  One view against doing this is if the one subnet is  
compromised then all those 3rd party devices are compromised.  Also  
this breaks entirely the view of distributed networking across IP  
subnets for the advantages a subnet provides and that would be  
unavailable to those devices.
This question has a very simple answer for the "simple CPE security  
model" side of the discussion.
Users authorize 3rd-party devices to consume their broadband resource  
by allowing them to receive router advertisements— typically by  
plugging in the ethernet cable or joining the wireless access network.
I think it would be wise to recommend that those 3rd-party devices,  
which can operate without access to the global Internet, should be  
configured by default not to assign global scope interface addresses  
upon receiving router advertisements (i.e. assign only link-local  
addresses to all interfaces and process router advertisements only to  
learn about on-link prefixes).
I can think of some additional ways to support network segregation  
inside residential and small-office sites, but I think we should  
settle the easier disputes before moving on to the harder ones.

--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering
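
The recommendation in the message above (process router advertisements only to learn on-link prefixes, and assign no global address) can be sketched as follows. This is an added example, not part of the original message; the function names are hypothetical, the sample RA is constructed, and the option layout follows RFC 4861.

```python
import ipaddress
import struct

RA_TYPE = 134            # ICMPv6 Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3      # Prefix Information option
FLAG_ONLINK = 0x80       # L: prefix is on-link
FLAG_AUTONOMOUS = 0x40   # A: router permits SLAAC from this prefix


def build_sample_ra():
    """Constructed RA advertising 2001:db8:1::/64 with both L and A set."""
    header = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64,
                      FLAG_ONLINK | FLAG_AUTONOMOUS, 86400, 14400, 0)
    return header + pio + ipaddress.IPv6Address("2001:db8:1::").packed


def process_ra_link_local_only(packet):
    """Return (on_link, declined): prefixes learned as on-link, and prefixes
    whose A flag was seen but not used to form a global address."""
    if len(packet) < 16 or packet[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    on_link, declined, offset = [], [], 16
    while offset + 2 <= len(packet):
        opt_type, opt_len = packet[offset], packet[offset + 1] * 8
        if opt_len == 0 or offset + opt_len > len(packet):
            raise ValueError("malformed option")  # zero length is invalid
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen, flags = packet[offset + 2], packet[offset + 3]
            addr = ipaddress.IPv6Address(packet[offset + 16:offset + 32])
            net = ipaddress.IPv6Network((addr, plen), strict=False)
            if not net.is_link_local:       # link-local prefixes are ignored
                if flags & FLAG_ONLINK:
                    on_link.append(net)     # reachable without a router
                if flags & FLAG_AUTONOMOUS:
                    declined.append(net)    # policy: never autoconfigure
        offset += opt_len
    return on_link, declined


if __name__ == "__main__":
    learned, skipped = process_ra_link_local_only(build_sample_ra())
    print("on-link:", learned, "SLAAC declined:", skipped)
```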