Re: [homenet] IPv6 & firewall config in a home net
"Ray Hunter (v6ops)" <v6ops@globis.net> Thu, 05 September 2019 13:46 UTC
To: mal.hubert@bt.com
Cc: homenet@ietf.org
References: <ca32dd0fca31411588917d55556e2a91@rew09926dag07b.domain1.systemhost.net>
From: "Ray Hunter (v6ops)" <v6ops@globis.net>
Message-ID: <8aab1064-9782-d5dd-e2db-41a5248b5c37@globis.net>
Date: Thu, 05 Sep 2019 15:45:52 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/kXwRXkCE43IGU2VGPn7MHZKsoJ0>
mal.hubert@bt.com wrote on 02/09/2019 17:55:
> Hey,
>
> Mal here. IETF attendee since 2012 ;)
>
> I have a home networking question with respect to IPv6 standards, I'm hoping to use you as a sounding board first before I take it to v6ops.
>
> The scenario here is a home / soho network situation where the user wants to host a service, let's say it's a webserver, but really could be any hosted application, importantly using IPv6. The router is set up to use SLAAC only.
>
> The ISP offers IPv6 GUA addressing in a non-stable manner, it's "sticky" but at some point in the future it might change (BNG reboot for example),

IMHO expected behavior. Many European data protection people consider an IP(v6) address to be privacy-sensitive personal data. That will likely mean regular renumbering of IA PD by ISPs as the norm rather than the exception.

> so the user will use a DynDNS provider to provide a stable name for their service, this sounds OK so far.

External users should also be using a name rather than a (time-variant) IPv6 address. Please be so kind as to review our draft https://tools.ietf.org/html/draft-ietf-homenet-front-end-naming-delegation-08 [Hopefully a new version will be forthcoming soon]. This is precisely one of our use-cases.

> The user has to allow the webserver port, 443, in their router GUI firewall to allow the traffic in, sounds simple enough. Importantly it should be to that webserver device only.
>
> Now the tricky part….
>
> Since in this scenario the webserver device is using privacy extensions, it has a bunch of IPv6 GUA addresses and no EUI-64 and
>
> - It has Temporary addressing (which will regularly change)
>
> - It has a "Permanent" address (which is the one the webserver will want to use)

The webserver should not be using privacy extensions for inbound sessions. It really should be using https://tools.ietf.org/html/rfc7217

> Does this sound reasonable and make sense so far?

Cool.

> In the router GUI the user is presented with a list of "devices" for which the router can open up TCP 443 in the firewall.
>
> It is reasonable to assume the user does not want to type in the Permanent IPv6 address of the device, as it is poor CX and anyway it will change in the future (possibly due to a network change / BNG restart etc as mentioned)

Correct.

> Current routers on the market I have come across have either:
>
> 1. Open the port to the current temporary address only, which means that inbound connections on the port usually fail right away (if the webserver is not listening on that address) – or fail after the temporary address changes.
> 2. Opens the port to the correct address (by chance)
>    - But then fails at some point in the future when the network prefix changes (as the router drops the rule when the prefix changes).
> 3. Opens the port to some or ALL addresses currently (& sometimes historically) associated with the MAC address of the device (not great for security – spoofing?)
>    - But even that sometimes excludes the permanent address
> 4. Opens the port to all addresses on the LAN (not great for security at all)
>
> * Basically the router's firewall config GUI doesn't know reliably which device address is the permanent one.
>
> * Should there exist a mechanism to signal to the router, or can the router accurately learn, which of the device's addresses should be used for configuration in the firewall?

Yes. via PCP RFC6887 et al.

> * Is this a problem – have I missed something – Is it worth fixing?

Yes. - RFC8520? although there's still a gap for policy IMHO (does a user want to accept what the manufacturer suggested) - Yes.

> Thoughts:
>
> This is probably a strange thing for the user to do (but I have had users trying to do it). It's usually fixed for a customer by switching off privacy extensions / using EUI-64, so basically giving the device a single address for the router GUI to identify the device by.

I personally hope this becomes more common, to avoid the need for NAT, rendezvous points, dependence on central certificate instances etc.

> Mal

-- 
regards,
RayH
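To make the PCP signalling Ray points to concrete, here is an added example (not code from the thread or from any RFC implementation): the webserver encodes an RFC 6887 MAP request asking for inbound TCP 443 to its own stable address, and the router side decodes it and enforces the check that the client address in the request equals the packet's source, which is what stops one host from opening ports for another host's address. The webserver address, port and lifetime are constructed values, and the UDP transport (port 5351) is left out.

```python
import ipaddress
import os
import struct

PCP_VERSION = 2
OPCODE_MAP = 1
PROTO_TCP = 6

# Constructed example values (not from the thread): the webserver's stable
# RFC 7217 address and the port it wants the home router to admit.
WEBSERVER_ADDR = ipaddress.IPv6Address("2001:db8:1:2:3d1e:7c0f:9a2b:4e11")
HTTPS_PORT = 443


def build_map_request(client_ip, internal_port, lifetime, nonce=None):
    """Encode a PCP MAP request (RFC 6887 sections 7.1 and 11.1).
    No NAT is wanted on IPv6, so the suggested external port equals the
    internal port and the suggested external address is the client itself."""
    nonce = nonce if nonce is not None else os.urandom(12)
    addr = ipaddress.IPv6Address(client_ip).packed
    # Common header: version, R-bit(0)|opcode, reserved, lifetime, client IP.
    header = struct.pack("!BBHI16s", PCP_VERSION, OPCODE_MAP, 0, lifetime, addr)
    # MAP part: 96-bit nonce, protocol, 3 reserved bytes, ports, external IP.
    body = struct.pack("!12sB3sHH16s", nonce, PROTO_TCP, b"\0\0\0",
                       internal_port, internal_port, addr)
    return header + body


def parse_map_request(packet, source_ip):
    """Router side: decode a MAP request and return the firewall rule it
    asks for as (address, protocol, port, lifetime). Without a THIRD_PARTY
    option RFC 6887 requires the client address to equal the packet source;
    a mismatch is answered with ADDRESS_MISMATCH rather than a rule."""
    if len(packet) != 60:
        raise ValueError("unexpected PCP MAP request length")
    version, r_opcode, _res, lifetime, addr = struct.unpack("!BBHI16s", packet[:24])
    if version != PCP_VERSION or r_opcode & 0x80 or (r_opcode & 0x7F) != OPCODE_MAP:
        raise ValueError("not a PCP v2 MAP request")
    _nonce, proto, _res3, int_port, _ext_port, _ext_ip = struct.unpack(
        "!12sB3sHH16s", packet[24:])
    client = ipaddress.IPv6Address(addr)
    if client != ipaddress.IPv6Address(source_ip):
        raise ValueError("ADDRESS_MISMATCH: client address is not the sender")
    return client, proto, int_port, lifetime


def demo():
    """Webserver asks for TCP 443 for two hours; router derives the rule."""
    pkt = build_map_request(WEBSERVER_ADDR, HTTPS_PORT, lifetime=7200)
    return parse_map_request(pkt, WEBSERVER_ADDR)
```

Because the request carries the address the service actually listens on, the router no longer has to guess which of the device's SLAAC addresses is the stable one.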