Re: [dhcwg] DHCP Option for CableLabs Client Configuration

Paul Duffy <paduffy@cisco.com> Mon, 05 August 2002 17:11 UTC

Date: Mon, 05 Aug 2002 13:07:17 -0400
To: Erik Nordmark <Erik.Nordmark@sun.com>
From: Paul Duffy <paduffy@cisco.com>
Subject: Re: [dhcwg] DHCP Option for CableLabs Client Configuration
Cc: Erik Nordmark <Erik.Nordmark@sun.com>, Josh Littlefield <joshl@cisco.com>, Thomas Narten <narten@us.ibm.com>, "Bernie Volz (EUD)" <Bernie.Volz@am1.ericsson.se>, 'Ralph Droms' <rdroms@cisco.com>, dhcwg@ietf.org, nrussell@cisco.com, pgrossma@cisco.com, Matt Osman <M.Osman@cablelabs.com>

Erik...inline please....

> >2. Some MSOs may decide to deploy DNS on non-standard ports.  It's a
> >flexibility issue.
> >3. Not using a standard port makes it slightly less prone to attack by
> >script kiddies.
>
>#2 doesn't state why folks see this need. One possibility is
>definitely walled gardens and in general using a different DNS
>tree than the rest of us. I've yet to see any other concrete reason
>for this (and I don't buy flexibility for its own sake).

Rich Woundy has very thoughtfully addressed the "walled garden" issue from 
a service provider's point of view.

I have to disagree with you on the flexibility issue.   Hundreds of 
thousands, probably millions, of these "headless" EMTA devices will
be deployed to the field in the next few years.  A conservative approach
dictates that it should be possible to remotely configure any device 
parameter that might reasonably be expected to require configuration.   We 
feel the protocol port numbers fall into this category.

Remote software upgrades, recall of devices, or a truck roll to the 
customer's premises are very expensive and to be avoided.


>And #3 is just security through obscurity which we IMHO have no
>business promoting in our standards.

Yes, this is a very weak argument.  I don't want to leave you with the 
impression that non-default port numbers are a key ingredient of the
PacketCable security architecture (strictly speaking, this is not 
considered part of PacketCable security).  PacketCable makes extensive use 
of Kerberos to authenticate MTAs to the provider network, and IPSec to 
secure traffic between PacketCable components.  If you're curious, 
see http://www.packetcable.com/specs/PKT-SP-SEC-I05-020116.pdf.

Cheers,


>   Erik

--

Paul Duffy
Cisco Systems, Inc.
paduffy@cisco.com


