Re: AW: draft-wbeebee-ipv6-cpe-router-04 comments

[Mark Baugher <mbaugher@cisco.com>]

References: <93123C20-3758-43C8-9201-22CB6D5B6233@apple.com><2bbba3c10903231639t51dac3c3p57e1a4562bd342c4@mail.gmail.com><EE8F7462-7233-4E0B-9CEB-FA2B7A2D15B3@apple.com><2bbba3c10903231828g79b0207cnf4b53959e0a21706@mail.gmail.com><30020A2D-4EE5-4F86-A1E5-532990B44D4F@apple.com><BB56240F3A190F469C52A57138047A0301FBC00A@xmb-rtp-211.amer.cisco.com><9AE362E6-46E1-4400-B1E3-F6B4D5392C06@apple.com><B00EDD615E3C5344B0FFCBA910CF7E1D06C87A9C@xmb-rtp-20e.amer.cisco.com><C4A0A0F2-FB98-4BCD-9FD4-5F58A61B3D9D@apple.com><20090326192455.dbcedfab.ipng@69706e6720323030352d30312d31340a.nosense.org><alpine.DEB.1.10.0903261049210.25843@uplift. swm.pp.s e><D83105B2AC38794CB78ADA2959F2C44F02EA2594@S4DE9JSAACY.ost.t-com.de><alpine.DEB.1.10.0903261752110.25843@uplift.swm.pp.se><20090328200557.16d30bd9.ipng@69706e6720323030352d30312d31340a.nosense.org><49CE6126.6080609@sneep.n! et><35815C929B41D2479A224FE098A27227070BEB0C@ecamlmw720.eamcs.ericsson.se> <20090330201805.d06e859f.ipng@69706e6720323030352d30312d3 1340a.nosens e.org> <7582BC68E4994F4ABF0BD4723975C3FA0DA1B731@crexc41p> <B00EDD615E3C5344B0FFCBA910CF7E1D06D08DED@xmb-rtp-20e.amer.cisco.com>
X-Mailer: Apple Mail (2.930.3)
Return-Path: mbaugher@cisco.com
X-OriginalArrivalTime: 30 Mar 2009 21:15:39.0459 (UTC) FILETIME=[AD13D930:01C9B17C]


On Mar 30, 2009, at 1:00 PM, Hemant Singh (shemant) wrote:

> Barbara,
>
> What initial cable standards deployment are you talking about where
> clients in the home in cable modems or hosts behind the modems could
> talk directly to another cable modem in a neighboring home?  For  
> over 10

What she says is true but it was a long time ago, in my experience.  I
remember @home sending an advisory to its customers in the 90's advising
them to change Windows 95 settings so their neighbors would not
be able to view their shared folders.

Mark

> years, in docsis networks since docsis 1.0, I don't see such  
> behavior on
> a routed CMTS - this thread is also focused on routed networks because
> at the DSL first hop IPv6 router, we have a routed network.  Also,  
> what
> you have said below about security or privacy was something that I  
> sent
> already on 03/26.  This is what I had said.
>
> "At this point I would like you all to see this text below that I and
> Wes wrote in an expired draft of
> draft-wbeebee-on-link-and-off-link-determination-01.txt.
> [3.  Router Models
>
>   The Redirect Clarifications section clarifies RFC 4861 [ND] host and
>   router behavior for an aggregation router deployment.
>
>   The Aggregation Router Deployment Model section presents a possible
>   aggregation router deployment model for IPv6 and discusses its
>   properties with respect to ND.  Aggregation routers can service more
>   than 100,000 subscribers.  Due to scaling considerations, any NS for
>   global address resolution from any host to any other host should not
>   reach the aggregation router.
>
> 3.1.  Aggregation Router Deployment Model
>
>   A property of routed aggregation networks is that hosts cannot
>   directly communicate with each other even if they share the same
>   prefix.  Physical connectivity between the aggregation router and  
> the
>   modems prevents hosts behind modems to communicate directly with  
> each
>   other.  Hosts send their traffic to aggregation router.  This design
>   is motivated by scaling and security considerations.  If every host
>   could receive all traffic from every other host, then the
>   subscriber's privacy would be violated and the amount of bandwidth
>   available for each subscriber would be very small.  That is why  
> hosts
>   communicate between each other through the aggregation router, which
>   is also the IPv6 first-hop router.
>
>   For scaling reasons, any NS to resolve any address other than that  
> of
>   the default router should not reach the aggregation router.
>
>
>                           +-----+
>                           |     |
>                           |Aggre+----(Rtr CPE)----Host1
>            Core----WAN----+gator|
>                           | Rtr |
>                           |     +----(Br CPE)----(Cust Rtr)----Host2
>                           +-----+
>
>                                 Figure 1.
>
>   In the figure above, the customer premises equipment (CPE) is  
> managed
>   by the ISP and is deployed behind an aggregation router that is an
>   IPv6 first-hop router and also a DHCPv6 relay agent.  IPv6 CPEs are
>   either IPv6 routers (Rtr CPE) or IPv6 bridges (Br CPE).  If the
>   customer premises uses a bridge CPE, then a router (Cust Rtr) is
>   needed.  All hosts reside behind a router CPE or a customer router.
>
>   No NS to resolve any address other than that of the default router
>
>
>
> Singh & Beebee            Expires July 4, 2008                   
> [Page 7]
>
>
> Internet-Draft          ND On-link Determination            January  
> 2008
>
>
>   will reach the aggregation router from any device on the customer
>   side of the aggregator.  CPEs do not communicate with each other in
>   this deployment model since a CPE does not run any applications that
>   need to communicate with other CPEs.  Hosts do communicate with each
>   other, but every host is off-link to any other host on the
>   aggregation router.]
>
> Hemant
>
>
> -----Original Message-----
> From: owner-v6ops@ops.ietf.org [mailto:owner-v6ops@ops.ietf.org] On
> Behalf Of Stark, Barbara
> Sent: Monday, March 30, 2009 10:08 AM
> To: Mark Smith; Alan Kavanagh
> Cc: Alastair Johnson; Mikael Abrahamsson; Olaf.Bonness@telekom.de;
> v6ops@ops.ietf.org
> Subject: RE: AW: draft-wbeebee-ipv6-cpe-router-04 comments
>
> My remembrance of why SPs aren't keen to localize routing is quite
> different.
> Originally, cable operators had neighbors all on the same Ethernet
> network. Neighbors were able to discover each other's computers and
> printers (this was before routers were common), and sometimes sniff  
> each
> other's traffic. This was considered a bad thing, from a customer
> security and privacy standpoint. Telco providers decided that they did
> not want to it this way, and effectively made Ethernet connections  
> from
> customers "point-to-point" to an element in the access network.
>
> Today, the access network elements are able to detect a lot of malware
> traffic (especially DDoS attacks), and disconnect customers that are
> infected with malware that presents a security / privacy /
> performance-impacting risk to others. Unfortunately, this is not an
> infrequent occurrence. If customer traffic were somehow able to bypass
> these network elements, it would open up neighbors to attacks by
> infected neighbors. That would be a very bad thing.
>
> Furthermore, in general, there just isn't that much neighbor-to- 
> neighbor
> communication, that would make the savings outweigh the cost of
> implementation. The only neighbor my home trades a lot of traffic with
> (my kids and their kids, gaming) is on a separate network, since we  
> use
> different service providers.
>
> Lack of cost justification and security concerns are the reasons why  
> SPs
> are unlikely to localize traffic within the access network, for  
> general
> consumers.
> Barbara