Re: [homenet] Comments requested for draft CER-ID
Michael Kloberdans <M.Kloberdans@cablelabs.com> Mon, 27 October 2014 14:17 UTC
To: Markus Stenberg <markus.stenberg@iki.fi>
Cc: "homenet@ietf.org" <homenet@ietf.org>

Markus,

All home routers should know their role; CER or IR. The status of CER places the burden of providing the firewall and NAPT as it was determined to be the edge router. The interior routers need to understand their role and disable their firewall and NAPT abilities. This is why the CER-ID is a numeric value (indicating CER status) or a double colon (indicating IR status).

In the case of the eRouter (combined cable modem and router/switch/wireless), it performs a /48 check between the IA_NA and the IA_PD ranges. If the ISP sends a double colon or null in the CER-ID ORO, AND if the IA_NA is in a different /48 than the given IA_PD, the eRouter becomes the CER. It must now declare to the IRs that it is the CER. A directly connected IR will see the CER value in the ORO and, in the absence of another controlling protocol, disable its firewall and NAPT functions. Having all IRs understand their role allows consistent behaviors.

CER-ID can be any numeric value. A simple number can act as a flag. An IPv6 address is urged because it allows communications between the CER and the IRs, and may be used in the cable industry.

The nice advantage of the double colon is for network literate people like yourself to manually determine where the boundary between public and private network will be. If you didn't want the Cable or DSL modem to be the CER, manually give them a '::' and assign a CER-ID to a downstream router.

Thus, CER-ID allows for automatic detection of the CER and uniform behavior of IRs within the home and also a way to design your network the way you desire.

Comments?

Michael Kloberdans
Lead Architect / Home Networking
CableLabs®
858 Coal Creek Circle. Louisville, CO. 80027
303-661-3813 (v)

On 10/27/14, 7:20 AM, "Markus Stenberg" <markus.stenberg@iki.fi> wrote:

>On 27.10.2014, at 15.03, Michael Kloberdans <m.kloberdans@cablelabs.com>
>wrote:
>> Behaviors resulting from the knowledge of the CER are left to other
>>implementations. One implementation detects the CER and disables
>>firewall, NAPT and allocates PD requests for all Internal Routers
>>(non-CER), but this is just one example of applying behaviors based on
>>knowing where the CER lies.
>
>First, draft comments..
>
>Section 2 - why clients SHOULD send the ORO for this at all? Perhaps it
>is MAY, just server responding with one. Why use WAN _or_ unique LAN
>interface address? Inconsistency is not a plus. Also, it is not obvious
>to me what to do if it has one LAN interface but multiple addresses..
>
>Then, non-draft comments ..
>
>I am not sure evil bit (that ISP must obviously be nice enough to set,
>i.e. cer_id ::) is really what I would trust my firewalling decisions on.
>In Cablelabs context this is especially puzzling, as you have ISP-facing
>holes (with weird antenna-style bits in them), and home facing holes
>(RJ45 or wireless). Why is this autodetection needed at all there? Or is
>it just so ISP _can_ turn off the firewall if they want to, or government
>wants to force them to do so?
>
>Cheers,
>
>-Markus
>
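
The role decision described in the message above, written out as an added example (not part of the original post and not code from the draft or from CableLabs). The function names, the modelling of CER-ID as an IPv6 address string, the "IR" fallback, the "leave firewall and NAPT enabled" default and the 2001:db8:: sample addresses are assumptions made for illustration.

```python
import ipaddress

UNSPECIFIED = ipaddress.IPv6Address("::")


def is_unset(cer_id):
    """CER-ID counts as 'no CER announced' when it is null or the double colon."""
    return cer_id is None or ipaddress.IPv6Address(cer_id) == UNSPECIFIED


def same_slash48(ia_na, ia_pd):
    """True when the IA_NA address lies in the /48 that covers the delegated prefix."""
    addr = ipaddress.IPv6Address(ia_na)
    pd = ipaddress.IPv6Network(ia_pd, strict=False)
    # A /56 or /60 delegation is widened to its covering /48 before comparing.
    # Assumption: a delegation shorter than /48 is compared as-is.
    covering = pd if pd.prefixlen <= 48 else pd.supernet(new_prefix=48)
    return addr in covering


def erouter_role(cer_id_from_isp, ia_na, ia_pd):
    """eRouter becomes CER only if the ISP sent '::'/null AND IA_NA is in a different /48."""
    if is_unset(cer_id_from_isp) and not same_slash48(ia_na, ia_pd):
        return "CER"
    return "IR"  # assumption: the message does not spell out the other cases


def ir_policy(cer_id_seen, other_protocol_in_control=False):
    """Firewall/NAPT state of a directly connected router after reading the CER-ID."""
    if not is_unset(cer_id_seen) and not other_protocol_in_control:
        # Upstream declared itself CER: this router acts as an IR.
        return {"firewall": False, "napt": False}
    # Assumption: with no CER value, or another protocol deciding, both stay enabled.
    return {"firewall": True, "napt": True}


if __name__ == "__main__":
    # Constructed sample values from the IPv6 documentation range.
    print(erouter_role("::", "2001:db8:ffff::10", "2001:db8:1200::/56"))
    print(ir_policy("2001:db8:1200::1"))
```

In this model the firewall state of an interior router is a function of the received CER-ID value alone, which is the dependency Markus's reply questions.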