Re: [fun] HOMENET working group proposal

[Jari Arkko <jari.arkko@piuha.net>]

Fernando,

First off, I'm switching the reply headers to fun@ietf.org now, deleting 
the old homegate list from this discussion.

Secondly, I would like to explain the motivation behind focusing this 
work on IPv6. Its not so much about IPv6 being different (though I hope 
it is in some respects). The reason why I want this working group to 
focus on IPv6 is that I don't think new IETF work would have much effect 
on IPv4 home network architecture. Whereas I think we have a good chance 
of having an effect in the IPv6 case, given that there is not much 
deployed base yet in home routers, consumer ISPs, etc.

Finally, I don't think we need to take a black-and-white approach to 
discussing the end-to-end model. Obviously we know about the V6OPS 
simple security work. Of course there are firewalls in IPv6, restricting 
incoming traffic. That being said, I think the right architecture for 
IPv6 home networks is that incoming traffic is restricted *by policy* on 
a per-need basis, not by an addressing design that forever prevents us 
from allowing specific incoming protocols. This is what we mean by 
architecture specification from this working group. Practical network 
design that does the right thing and lets people do what they want -- 
not a requirement to open your network up for anything.

Jari

Fernando Gont kirjoitti:
> Hi, Jari,
>
> My high level comment/question is: the proposed charter seems to stress
> that IPv6 is the driver behind this potential wg effort... however, Ie
> think that this deserves more discussion -- it's not clear to me why/how
> typical IPv6 home networks would be much different from their IPv4
> counterparts.
>
> Bellow you'll find some comments/questions about the proposed charter.
> They are not an argument against or in favour of the creation of the
> aforementioned wg, but rather comments and/or requests for clarification...
>
> On 06/29/2011 05:47 AM, Jari Arkko wrote:
> [....]
>   
>> o Service providers are deploying IPv6, and support for IPv6 is
>> increasingly available in home gateway devices. While IPv6 resembles
>> IPv4 in many ways, it changes address allocation principles and allows
>> direct IP addressability and routing to devices in the home from the
>> Internet. This is a promising area in IPv6 that has proved challenging
>> in IPv4 with the proliferation of NAT.
>>     
>
> NAT devices involve two related but different issues:
> * address translation
> * an implicit "allow only return traffic" firewall-like functionality
>
> One would hope/expect that the former will be gone with IPv6. However, I
> don't think the latter will. As a result, even when you could "address"
> nodes that belong to the "home network", you probably won't be able to
> get your packets to them, unless those nodes initiated the communication
> instance.
>
> For instance (and of the top of my head), this functionality is even
> proposed in the "simple security" requirements that had been produced by
> v6ops.
>
>
>   
>> o End-to-end communication is both an opportunity and a concern as it
>> enables new applications but also exposes nodes in the internal
>> networks to receipt of unwanted traffic from the Internet. Firewalls
>> that restrict incoming connections may be used to prevent exposure,
>> however, this reduces the efficacy of end-to-end connectivity that
>> IPv6 has the potential to restore.
>>     
>
> I personally consider this property of "end-to-end connectivity" as
> "gone". -- among other reasons, because it would require a change of
> mindset. I'm more of the idea that people will replicate the
> architecture of their IPv4 networks with IPv6, in which end-systems are
> not reachable from the public Internet.
>
> Thanks!
>