Re: [homenet] IPv6 & firewall config in a home net

"Ray Hunter (v6ops)" <v6ops@globis.net> Thu, 05 September 2019 13:46 UTC

To: mal.hubert@bt.com
Cc: homenet@ietf.org
References: <ca32dd0fca31411588917d55556e2a91@rew09926dag07b.domain1.systemhost.net>
From: "Ray Hunter (v6ops)" <v6ops@globis.net>
Message-ID: <8aab1064-9782-d5dd-e2db-41a5248b5c37@globis.net>
Date: Thu, 05 Sep 2019 15:45:52 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/kXwRXkCE43IGU2VGPn7MHZKsoJ0>
Subject: Re: [homenet] IPv6 & firewall config in a home net


mal.hubert@bt.com wrote on 02/09/2019 17:55:
>
> Hey,
>
> Mal here. IETF attendee since 2012 ;)
>
> I have a home networking question with respect to IPv6 standards, I’m 
> hoping to use you as a sounding board first before I take it to v6ops.
>
> The scenario here is a home / SOHO network situation where the user 
> wants to host a service, let's say it's a webserver, but really could be 
> any hosted application, importantly using IPv6. The router is set up to 
> use SLAAC only.
>
> The ISP offers IPv6 GUA addressing in a non-stable manner; it's "sticky" 
> but at some point in the future it might change (BNG reboot for example),
>
IMHO expected behavior. Many European data protection people consider an 
IP(v6) address to be privacy-sensitive personal data.
That will likely mean regular renumbering of IA_PD by ISPs as the norm 
rather than the exception.
>
> so the user will use DynDNS provider to provide a stable name for 
> their service, this sounds OK so far.
>
External users should also be using a name rather than a (time variant) 
IPv6 address.

Please be so kind as to review our draft 
https://tools.ietf.org/html/draft-ietf-homenet-front-end-naming-delegation-08

[Hopefully a new version will be forthcoming soon]

This is precisely one of our use-cases.

> The user has to allow the webserver port, 443 in their router GUI 
> firewall to allow the traffic in, sounds simple enough. Importantly it 
> should be to that webserver device only.
>
> Now the tricky part...
>
> Since in this scenario the webserver device is using privacy 
> extensions, it has a bunch of IPv6 GUA addresses and no EUI-64 and
>
> - It has Temporary addressing (which will regularly change)
>
> - It has a "Permanent" address (which is the one the webserver will 
> want to use)
>
The webserver should not be using privacy extensions for inbound sessions.

It really should be using https://tools.ietf.org/html/rfc7217
>
> Does this sound reasonable and make sense so far ? Cool.
>
> In the router GUI the user is presented with a list of "devices" for 
> which the router can open up TCP 443 in the firewall.
>
> It is reasonable to assume the user does not want to type in the 
> Permanent IPv6 address of the device, as it is poor CX and anyway it 
> will change in the future (possibly due to a network change / BNG 
> restart etc. as mentioned)
>
Correct.
>
> Current routers on the market I have come across either:
>
>  1. Open the port to the current temporary address only, which means
>     that inbound connections on the port usually fail right away (if
>     the webserver is not listening on that address) – or fail after
>     the temporary address changes.
>  2. Open the port to the correct address (by chance)
>      - But then fail at some point in the future when the network
>        prefix changes (as the router drops the rule when the prefix changes).
>  3. Open the port to some or ALL addresses currently (& sometimes
>     historically) associated with the MAC address of the device (not
>     great for security – spoofing?)
>      - But even that sometimes excludes the permanent address
>  4. Open the port to all addresses on the LAN (not great for security at all)
>
>   * Basically the router's firewall config GUI doesn't know reliably
>     which device address is the permanent one.
>
>   * Should there exist a mechanism to signal to the router, or for the
>     router to accurately learn, which of the device's addresses should
>     be used for configuration in the firewall?
>
Yes, via PCP (RFC 6887) et al.
>
> Is this a problem – have I missed something – Is it worth fixing ?
>
Yes. - RFC 8520? Although there's still a gap for policy IMHO (does a 
user want to accept what the manufacturer suggested). - Yes.
>
> Thoughts:
>
> This is probably a strange thing for the user to do (but I have had 
> users trying to do it). It's usually fixed for a customer by switching 
> off privacy extensions / using EUI-64, so basically giving the device a 
> single address for the router GUI to identify the device by.
>
I personally hope this becomes more common, to avoid the need for NAT, 
rendezvous points, dependence on central certificate instances etc.
>
> Mal
>
>
>

-- 
regards,
RayH