Re: [homenet] Comments requested for draft CER-ID

Michael Kloberdans <M.Kloberdans@cablelabs.com> Mon, 27 October 2014 14:17 UTC

From: Michael Kloberdans <M.Kloberdans@cablelabs.com>
To: Markus Stenberg <markus.stenberg@iki.fi>
Date: Mon, 27 Oct 2014 14:17:46 +0000
Message-ID: <D073AA38.D326%m.kloberdans@cablelabs.com>
References: <D0739ED2.D31D%m.kloberdans@cablelabs.com> <A06B0EA0-5817-4584-9010-776FC1CE1C90@iki.fi>
In-Reply-To: <A06B0EA0-5817-4584-9010-776FC1CE1C90@iki.fi>
Archived-At: http://mailarchive.ietf.org/arch/msg/homenet/L1rjVQANHreykBc41e9jnh9Gdgg
Cc: "homenet@ietf.org" <homenet@ietf.org>
Subject: Re: [homenet] Comments requested for draft CER-ID

Markus,
All home routers should know their role: CER or IR.  The status of CER
places the burden of providing the firewall and NAPT as it was determined
to be the edge router.  The interior routers need to understand their role
and disable their firewall and NAPT abilities.  This is why the CER-ID is
a numeric value (indicating CER status) or a double colon (indicating IR
status).

In the case of the eRouter (combined cable modem and
router/switch/wireless), it performs a /48 check between the IA_NA and the
IA_PD ranges.  If the ISP sends a double colon or null in the CER-ID ORO,
AND if the IA_NA is in a different /48 than the given IA_PD, the eRouter
becomes the CER.  It must now declare to the IRs that it is the CER.  A
directly connected IR will see the CER value in the ORO and, in the
absence of another controlling protocol, disable its firewall and NAPT
functions.

Having all IRs understand their role allows consistent behaviors.


CER-ID can be any numeric value.  A simple number can act as a flag.  An
IPv6 address is urged because it allows communications between the CER and
the IRs, and may be used in the cable industry.

The nice advantage of the double colon is for network literate people like
yourself to manually determine where the boundary between public and
private network will be.  If you didn't want the Cable or DSL modem to be
the CER, manually give them a '::' and assign a CER-ID to a downstream
router.  Thus, CER-ID allows for automatic detection of the CER and
uniform behavior of IRs within the home and also a way to design your
network the way you desire.

Comments?


Michael Kloberdans
Lead Architect / Home Networking     CableLabs®

858 Coal Creek Circle.  Louisville, CO. 80027
303-661-3813 (v)




On 10/27/14, 7:20 AM, "Markus Stenberg" <markus.stenberg@iki.fi> wrote:

>On 27.10.2014, at 15.03, Michael Kloberdans <m.kloberdans@cablelabs.com>
>wrote:
>> Behaviors resulting from the knowledge of the CER are left to other
>>implementations.  One implementation detects the CER and disables
>>firewall, NAPT and allocates PD requests for all Internal Routers
>>(non-CER), but this is just one example of applying behaviors based on
>>knowing where the CER lies.
>
>First, draft comments..
>
>Section 2 - why clients SHOULD send the ORO for this at all? Perhaps it
>is MAY, just server responding with one.  Why use WAN _or_ unique LAN
>interface address? Inconsistency is not a plus. Also, it is not obvious
>to me what to do if it has one LAN interface but multiple addresses..
>
>Then, non-draft comments ..
>
>I am not sure evil bit (that ISP must obviously be nice enough to set,
>i.e. cer_id ::) is really what I would trust my firewalling decisions on.
>In Cablelabs context this is especially puzzling, as you have ISP-facing
>holes (with weird antenna-style bits in them), and home facing holes
>(RJ45 or wireless). Why is this autodetection needed at all there? Or is
>it just so ISP _can_ turn off the firewall if they want to, or government
>wants to force them to do so?
>
>Cheers,
>
>-Markus
>
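The role decision described in Michael's message (numeric CER-ID means an upstream CER exists; "::" or no value triggers the /48 comparison between IA_NA and IA_PD; a manual "::" keeps the modem out of the CER role) as an added, self-contained example. This is not code from the CER-ID draft, from CableLabs, or from any eRouter; the function names, the `Role` record, and the sample addresses are constructed here, and the outcome for the "same /48" case (treated as IR) is an assumption the message does not state.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# "::" (the unspecified address) advertised as CER-ID means "I am not the CER".
NOT_CER = "::"


@dataclass(frozen=True)
class Role:
    role: str        # "CER" or "IR"
    cer_id: str      # value this router would advertise downstream
    firewall: bool   # firewall/NAPT stay enabled only on the CER
    napt: bool


def upstream_is_cer(value: Optional[str]) -> bool:
    """True if a received CER-ID value announces an upstream CER.

    An IPv6 address other than "::" counts; per the message a plain numeric
    flag (e.g. "1") also counts. None, "::" or an empty value does not.
    """
    if value is None or not value.strip():
        return False
    try:
        return not ipaddress.IPv6Address(value).is_unspecified
    except ValueError:
        # Not an address: accept a bare numeric flag, reject other garbage.
        return value.strip().isdigit()


def same_48(ia_na: str, ia_pd: str) -> bool:
    """True if the IA_NA address and the IA_PD prefix share one /48."""
    na_48 = ipaddress.IPv6Interface(f"{ia_na}/48").network
    pd_net = ipaddress.IPv6Network(ia_pd, strict=False)
    pd_48 = ipaddress.IPv6Interface(f"{pd_net.network_address}/48").network
    return na_48 == pd_48


def determine_role(upstream_cer_id: Optional[str], ia_na: str, ia_pd: str,
                   own_address: str, manual_cer_id: Optional[str] = None) -> Role:
    """Decide CER vs. IR for one router from what DHCPv6 handed it.

    upstream_cer_id: CER-ID option value received from the upstream side.
    ia_na / ia_pd:   the address and delegated prefix received from upstream.
    own_address:     what this router advertises if it becomes the CER.
    manual_cer_id:   operator override ("::" = never the CER, an address = CER).
    """
    if manual_cer_id is not None:
        advertised = manual_cer_id                 # operator decides
    elif upstream_is_cer(upstream_cer_id):
        advertised = NOT_CER                       # someone upstream is the CER
    elif not same_48(ia_na, ia_pd):
        advertised = own_address                   # edge detected: become CER
    else:
        advertised = NOT_CER                       # assumption: same /48 -> IR
    is_cer = upstream_is_cer(advertised)
    return Role("CER" if is_cer else "IR", advertised, firewall=is_cer, napt=is_cer)


if __name__ == "__main__":
    # Constructed sample values (documentation prefix), not from any real ISP.
    print(determine_role("::", "2001:db8:1::10", "2001:db8:2::/56", "2001:db8:2::1"))
    print(determine_role("2001:db8:2::1", "2001:db8:2:1::10", "2001:db8:2:1::/64",
                         "2001:db8:2:1::1"))
```

Note that in this logic the only input that switches a router's firewall and NAPT off is the CER-ID value received from upstream, which is exactly the point Markus raises above about trusting an ISP-supplied value for firewalling decisions.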