Re: [homenet] Comments requested for draft CER-ID

Ray Hunter <v6ops@globis.net> Tue, 28 October 2014 08:40 UTC

Message-ID: <544F5647.4080100@globis.net>
Date: Tue, 28 Oct 2014 09:39:35 +0100
To: David R Oran <daveoran@orandom.net>
References: <D073C6B4.D381%m.kloberdans@cablelabs.com> <AB7984D6-2C19-450B-88C7-A8D3F80A3B82@orandom.net>
In-Reply-To: <AB7984D6-2C19-450B-88C7-A8D3F80A3B82@orandom.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/homenet/J875t12WCF9R2M_ALAWFBe8_gmQ
Cc: "homenet@ietf.org" <homenet@ietf.org>, Ola Thoresen <olat@powertech.no>, Michael Kloberdans <M.Kloberdans@cablelabs.com>


David R Oran wrote:
> Silly question:
>
> Isn’t the border defined by a link and not a router? What if you have uplinks to two different ISPs on the same router?
> This seems to assume there’s only one border link on a router, and that router connects to only one external entity.

Indeed.

The draft states

> If the device has more than one LAN interface, it SHOULD use the lowest
> Globally Unique address not assigned to its WAN interface.

That would seem to me to suggest that this draft is targeted at an RFC 7084 
router.

RFC7368 (The Homenet Architecture) is explicit in section 3.2.2.3 that 
dual ISP links on one single CER are supported.

So what happens if one ISP states in a CER-ID reply that this DHCPv6 
client router is the CER, and another ISP states via the same CER-ID 
mechanism, responding from a different DHCPv6 server, that this router 
is not the CER?

I therefore think all DHCPv6 based management mechanisms are pretty much 
doomed to failure, unless they can explicitly resolve conflicting 
configuration information.

> On Oct 27, 2014, at 8:59 AM, Michael Kloberdans<M.Kloberdans@cablelabs.com>  wrote:
>
>> Ola,
>> I'd like to better understand your comment about a misconfigured router
>> being a security issue.
>>
>> In the eRouter implementation, the CER is automatically determined.  The
>> only way a router would be misconfigured is if the home owner or someone
>> else with local access manually changes the CER.  Perhaps I'm missing
>> something. Please expound - I'm grateful for all comments.
>>
>> Regards,
>>
>>
>> Michael Kloberdans
>> Lead Architect / Home Networking     CableLabs®
>>
>> 858 Coal Creek Circle.  Louisville, CO. 80027
>> 303-661-3813 (v)
>>
>>
>>
>>
>> On 10/27/14, 9:00 AM, "Ola Thoresen"<olat@powertech.no>  wrote:
>>
>>>> On 27.10.2014, at 16.17, Michael Kloberdans <m.kloberdans@cablelabs.com>
>>>> wrote:
>>>>> All home routers should know their role; CER or IR.  The status of CER
>>>>> places the burden of providing the firewall and NAPT as it was
>>>>> determined to be the edge router.  The interior routers need to
>>>>> understand their role and disable their firewall and NAPT abilities.
>>>>> This is why the CER-ID is a numeric value (indicating CER status) or a
>>>>> double colon (indicating IR status).
>>>> I agree with that. However, I disagree with how you are doing it.
>>>>
>>>>> In the case of the eRouter (combined cable modem and
>>>>> router/switch/wireless), it performs a /48 check between the IA_NA
>>>>> and the IA_PD ranges.  If the ISP sends a double colon or null in the
>>>>> CER-ID ORO, AND if the IA_NA is in a different /48 than the given
>>>>> IA_PD, the eRouter becomes the CER.  It must now declare to the IRs
>>>>> that it is the CER.  A directly connected IR will see the CER value in
>>>>> the ORO and, in the absence of another controlling protocol, disable
>>>>> its firewall and NAPT functions.
>>>> Why cannot it determine it is CER by bits coming from particular type of
>>>> plug? Cable modem plug looks different from ethernet/wireless? It would
>>>> be much more secure that way.
>>>>
>>> But that would not work if the router only has ethernet-ports - which is
>>> probably the case if the customer has various kinds of FTTH (many of
>>> these will use Fast/Gig-ethernet over copper for the last meters in to
>>> the CPE).
>>>
>>> However I do agree that the suggested solution seems sub optimal.  It is
>>> way too easy for a misconfigured router to disable all local security (i.e.
>>> turning off firewalling) without the network owners knowledge.
>>>
>>> /Ola (T)
>>>
>>> _______________________________________________
>>> homenet mailing list
>>> homenet@ietf.org
>>> https://www.ietf.org/mailman/listinfo/homenet

-- 
Regards,
RayH
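The two-ISP conflict Ray raises, worked through as an added example (Python; this is not code from the CER-ID draft or from anyone in the thread). The per-interface rule is reconstructed from the eRouter behaviour Michael Kloberdans describes above: a numeric CER-ID from the upstream DHCPv6 server means this router is an IR, while "::" or no CER-ID defers to the /48 comparison between IA_NA and IA_PD. The `UpstreamLease` type, the fail-closed conflict policy in `decide_role` and the sample leases are this example's own assumptions, not anything the draft specifies.

```python
"""Per-upstream CER/IR role decision and conflict detection.

Added example; not code from the CER-ID draft or from anyone in the thread.
The per-interface rule is reconstructed from the eRouter behaviour quoted
above. The conflict policy, the UpstreamLease type and the sample leases
are this example's own assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

CER, IR, UNDETERMINED = "CER", "IR", "UNDETERMINED"


@dataclass(frozen=True)
class UpstreamLease:
    """What one DHCPv6 server handed this router on one WAN interface (assumed shape)."""
    ifname: str
    ia_na: str             # address from IA_NA, e.g. "2001:db8:ffff::10"
    ia_pd: str             # delegated prefix from IA_PD, e.g. "2001:db8:1::/48"
    cer_id: Optional[str]  # CER-ID option: None (absent), "::", or a numeric value


def same_48(ia_na: str, ia_pd: str) -> bool:
    """True when the IA_NA address lies in the same /48 as the IA_PD prefix."""
    pd = ip_network(ia_pd, strict=False)
    if pd.prefixlen <= 48:
        # A /48 or shorter delegation: the address is either inside it or not.
        return ip_address(ia_na) in pd
    na48 = ip_network(f"{ia_na}/48", strict=False)
    return na48 == pd.supernet(new_prefix=48)


def role_from_lease(lease: UpstreamLease) -> str:
    """Verdict for one upstream, following the quoted eRouter rule.

    - A numeric CER-ID means the server above us has declared itself CER,
      so on this interface we are an IR.
    - "::" or no CER-ID hands the decision to the /48 check: IA_NA outside
      the /48 of the IA_PD makes us the CER.
    - The quoted text gives no verdict for "::" with IA_NA inside the same
      /48, so that case is reported as UNDETERMINED rather than guessed.
    """
    if lease.cer_id not in (None, "", "::"):
        return IR
    if not same_48(lease.ia_na, lease.ia_pd):
        return CER
    return UNDETERMINED


def decide_role(leases: List[UpstreamLease]) -> Tuple[str, bool, str]:
    """Combine per-interface verdicts into (role, firewall_enabled, reason).

    Policy (this example's assumption, not the draft's): firewall and NAPT
    are switched off only when every upstream agrees this router is an IR.
    A disagreement, an undetermined interface or no lease at all keeps the
    firewall on, since silently disabling it is the failure mode the thread
    is worried about.
    """
    verdicts = {lease.ifname: role_from_lease(lease) for lease in leases}
    if not verdicts:
        return UNDETERMINED, True, "no upstream lease; failing closed"
    distinct = set(verdicts.values())
    if len(distinct) > 1:
        return CER, True, f"upstreams disagree {verdicts}; failing closed"
    (only,) = distinct
    if only == IR:
        return IR, False, "every upstream places a CER above this router"
    if only == CER:
        return CER, True, "every upstream places this router at the edge"
    return UNDETERMINED, True, "rule gives no verdict; failing closed"


# Constructed sample: one router with two WAN uplinks (RFC 7368 3.2.2.3).
# ISP A answers CER-ID with "::" and hands out an IA_NA outside the IA_PD /48.
ISP_A = UpstreamLease("wan0", "2001:db8:a0a0::10", "2001:db8:100::/48", "::")
# ISP B (a different DHCPv6 server) answers with a numeric CER-ID.
ISP_B = UpstreamLease("wan1", "2001:db8:200:1::10", "2001:db8:200:100::/56", "7")

if __name__ == "__main__":
    for lease in (ISP_A, ISP_B):
        print(f"{lease.ifname}: {role_from_lease(lease)}")
    print(decide_role([ISP_A, ISP_B]))
```

Run stand-alone, wan0 evaluates to CER and wan1 to IR, and `decide_role` reports the disagreement and keeps the firewall enabled. The point is the one Ray makes: each DHCPv6 server answers only for its own link, so a multi-homed CER needs an explicit rule for what to do when the answers conflict, and the safe default is to keep firewalling on until the answers agree.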