IETF Logo Mail Archive

Re: [homenet] Comments requested for draft CER-ID

David R Oran <daveoran@orandom.net> Mon, 27 October 2014 18:30 UTC

Return-Path: <daveoran@orandom.net>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C880A1A9098 for <homenet@ietfa.amsl.com>; Mon, 27 Oct 2014 11:30:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level:
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NAe6MxrCgWxX for <homenet@ietfa.amsl.com>; Mon, 27 Oct 2014 11:30:42 -0700 (PDT)
Received: from spark.crystalorb.net (spark.crystalorb.net [IPv6:2607:fca8:1530::c]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7170E1A1B55 for <homenet@ietf.org>; Mon, 27 Oct 2014 11:28:15 -0700 (PDT)
Received: from [10.86.114.90] (198-135-0-233.cisco.com [198.135.0.233]) (authenticated bits=0) by spark.crystalorb.net (8.14.3/8.14.3/Debian-9.4) with ESMTP id s9RISOVg022166 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Mon, 27 Oct 2014 11:28:29 -0700
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: David R Oran <daveoran@orandom.net>
In-Reply-To: <D073C6B4.D381%m.kloberdans@cablelabs.com>
Date: Mon, 27 Oct 2014 11:27:58 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <AB7984D6-2C19-450B-88C7-A8D3F80A3B82@orandom.net>
References: <D073C6B4.D381%m.kloberdans@cablelabs.com>
To: Michael Kloberdans <M.Kloberdans@cablelabs.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/homenet/ZTHXpMOjpaMEA_ypzr6jZEArPTQ
Cc: "homenet@ietf.org" <homenet@ietf.org>, Ola Thoresen <olat@powertech.no>
Subject: Re: [homenet] Comments requested for draft CER-ID
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Oct 2014 18:30:44 -0000

Silly question:

Isn’t the border defined by a link and not a router? What if you have uplinks to two different ISPs on the same router?
This seems to assume there’s only one border link on a router, and that router connects to only one external entity.

On Oct 27, 2014, at 8:59 AM, Michael Kloberdans <M.Kloberdans@cablelabs.com> wrote:

> Ola,
> I¹d like to better understand your comment about a misconfigured router
> being a security issue.
> 
> In the eRouter implementation, the CER is automatically determined.  The
> only way a router would be misconfigured is if the home owner or someone
> else with local access manually changes the CER.  Perhaps I¹m missing
> something. Please expound - I¹m grateful for all comments.
> 
> Regards,
> 
> 
> Michael Kloberdans
> Lead Architect / Home Networking     CableLabs®
> 
> 858 Coal Creek Circle.  Louisville, CO. 80027
> 303-661-3813 (v)
> 
> 
> 
> 
> On 10/27/14, 9:00 AM, "Ola Thoresen" <olat@powertech.no> wrote:
> 
>>> On 27.10.2014, at 16.17, Michael Kloberdans <m.kloberdans@cablelabs.com>
>>> wrote:
>>>> All home routers should know their role; CER or IR.  The status of CER
>>>> places the burden of providing the firewall and NAPT as it was
>>> determined
>>>> to be the edge router.  The interior routers need to understand their
>>> role
>>>> and disable their firewall and NAPT abilities.  This is why the
>>> CER-ID is
>>>> a numeric value (indicating CER status) or a double colon (indicating
>>> IR
>>>> status).
>>> 
>>> I agree with that. However, I disagree with how you are doing it.
>>> 
>>>> In the case of the eRouter (combined cable modem and
>>>> router/switch/wireless), it performs a /48 check between the IA_NA
>>> and the
>>>> IA_PD ranges.  If the ISP sends a double colon or null in the CER-ID
>>> ORO,
>>>> AND if the IA_NA is in a different /48 than the given IA_PD, the
>>> eRouter
>>>> becomes the CER.  It must now declare to the IRs that it is the CER.
>>> A
>>>> directly connected IR will see the CER value in the ORO and, in the
>>>> absence of another controlling protocol, disable its firewall and NAPT
>>>> functions.
>>> 
>>> Why cannot it determine it is CER by bits coming from particular type of
>>> plug? Cable modem plug looks different from ethernet/wireless? It would
>>> be
>>> much more secure that way.
>>> 
>> 
>> 
>> But that would not work if the router only has ethernet-ports - which is
>> probably the case if the customer has various kinds of FTTH (many of
>> these will use Fast/Gig-ethernet over copper for the last meters in to
>> the CPE).
>> 
>> However I do agree that the suggested solution seems sub optimal.  It is
>> way to easy for a misconfigured router to disable all local security (IE.
>> turning off firewalling) without the network owners knowledge.
>> 
>> /Ola (T)
>> 
>> _______________________________________________
>> homenet mailing list
>> homenet@ietf.org
>> https://www.ietf.org/mailman/listinfo/homenet
> 
> _______________________________________________
> homenet mailing list
> homenet@ietf.org
> https://www.ietf.org/mailman/listinfo/homenet

v2.23.0 | Report a Bug | By Email