
Re: draft-wbeebee-ipv6-cpe-router-04 comments

That's an interesting use case, with definite application, but I wonder if it's really compelling in the case of the simple CPE Router.

When CPE Routers are cascaded, the cascaded router is generally directly connected to the upstream router, so that there would be no added efficiencies from this.

Also, service providers that I talk to are quite adamant about not wanting to see RAs coming at them from the WAN interfaces of CPE Routers. I could easily envision some SPs disabling connections where they see RAs. So CPE Routers that did this could potentially create a very bad user experience, if there were Terms and Conditions (that the customer agreed to but didn't read or necessarily understand) that said it was forbidden for them to have their router send RAs.

I would rather that sending RAs out a WAN interface be considered a function for medium/high-end business or enterprise routers, but not CPE routers. I think you will see that CPE routers supplied by service providers will not do RA (or any other route advertisement) to the WAN.
Barbara
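The provider-side filtering Barbara describes above (an SP dropping RAs it sees arriving from a customer's WAN port) is what RA-Guard (RFC 6105) does on an access switch. The following is an added example, not code from this thread or from any vendor: a small IPv6 header walker that flags ICMPv6 Router Advertisements (type 134, RFC 4861) received on a customer-facing port. It contrasts a naive fixed-offset check with a walk over the extension-header chain, the evasion that RFC 7113 warns RA-Guard implementations about. All packet bytes, addresses and function names are constructed for illustration.

```python
"""
Added example (not from the v6ops thread): flag ICMPv6 Router Advertisements
arriving on a customer-facing port, the way a provider-side RA filter would.
All packets below are constructed inline; checksums are left zeroed because
only the header chain is inspected.
"""
import struct

IPV6_HDR_LEN = 40
PROTO_ICMPV6 = 58
EXT_GENERIC = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options: (next, len/8 - 1)
EXT_FRAGMENT = 44           # fixed 8-octet header
ICMPV6_RS = 133             # Router Solicitation
ICMPV6_RA = 134             # Router Advertisement
LINK_LOCAL_SRC = bytes.fromhex("fe80" + "0" * 24 + "0001")   # fe80::1 (constructed)
ALL_NODES = bytes.fromhex("ff02" + "0" * 24 + "0001")        # ff02::1


def build_packet(icmp_type, ext_chain=(), hop_limit=255,
                 src=LINK_LOCAL_SRC, dst=ALL_NODES):
    """IPv6 header, optional single-unit extension headers, then a bare ICMPv6
    message. ext_chain lists extension header numbers in wire order."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + b"\x00" * 12
    chain = list(ext_chain) + [PROTO_ICMPV6]
    body = b""
    for nxt in chain[1:]:        # each extension header names the one after it
        body += struct.pack("!BB", nxt, 0) + b"\x00" * 6
    body += icmp
    hdr = struct.pack("!IHBB", 0x60000000, len(body), chain[0], hop_limit) + src + dst
    return hdr + body


def naive_is_ra(pkt):
    """What a fixed-offset ACL does: expects ICMPv6 to start at byte 40."""
    return (len(pkt) > IPV6_HDR_LEN and pkt[6] == PROTO_ICMPV6
            and pkt[IPV6_HDR_LEN] == ICMPV6_RA)


def icmpv6_type(pkt):
    """Walk the extension-header chain and return the ICMPv6 type, or None when
    the packet is not IPv6, not ICMPv6, a non-first fragment, or truncated."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        return None
    nxt, off = pkt[6], IPV6_HDR_LEN
    while nxt != PROTO_ICMPV6:
        if off + 8 > len(pkt):
            return None
        if nxt in EXT_GENERIC:
            length = (pkt[off + 1] + 1) * 8
        elif nxt == EXT_FRAGMENT:
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return None          # non-first fragment carries no ICMPv6 header
            length = 8
        else:
            return None              # TCP, UDP or an unknown header: not our concern
        nxt, off = pkt[off], off + length
    return pkt[off] if off < len(pkt) else None


def customer_port_verdict(pkt):
    """Verdict for a frame received on a customer-facing port: the provider is
    the only legitimate router there, so any RA is dropped. RFC 4861 requires
    hop limit 255 on RAs, so one with another value is flagged as bogus."""
    if icmpv6_type(pkt) != ICMPV6_RA:
        return "pass"
    return "drop-ra" if pkt[7] == 255 else "drop-bogus-ra"
```

The point of the two checks is that an RA hidden behind a Destination Options or Fragment header passes `naive_is_ra` but is still caught by `customer_port_verdict`; a production filter would additionally decide what to do with chains it cannot parse, which this example simply passes.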

----- Original Message -----
From: owner-v6ops@ops.ietf.org <owner-v6ops@ops.ietf.org>
To: Mikael Abrahamsson <swmike@swm.pp.se>
Cc: IPv6 Operations <v6ops@ops.ietf.org>
Sent: Thu Mar 26 15:36:16 2009
Subject: Re: draft-wbeebee-ipv6-cpe-router-04 comments

On Thu, 26 Mar 2009, Mikael Abrahamsson wrote:

> This sounds like a huge security problem, how are those implications handled?
> Wouldn't the L2 device in the CO need to be able to inspect all these
> messages and drop ones which are not assigned to that specific customer by
> the ISP?

Perhaps you're assuming that multiple customers are sharing the same
subnet?  In the case where customers do NOT share subnets, I fail to see
how this adds a security problem that didn't already exist before.  In
IPv4, if a DSL provider gives a customer a /28 instead of /30 for the WAN
link, that customer could easily hang multiple CPE routers off of their
WAN-side ethernet switch now and they could talk to each other.  Some of
our customers use their WAN subnet as a DMZ and their routers are
firewalls.  But the communication on the WAN subnet between customer
devices stays on the local ethernet switch and shouldn't traverse the DSL
loop.  I don't think we should cripple that capability for IPv6.

Antonio Querubin
whois:  AQ7-ARIN
