IETF Logo Mail Archive

Re: [homenet] Comments requested for draft CER-ID

Michael Kloberdans <M.Kloberdans@cablelabs.com> Mon, 27 October 2014 15:59 UTC

Return-Path: <M.Kloberdans@cablelabs.com>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D77B1A88DD for <homenet@ietfa.amsl.com>; Mon, 27 Oct 2014 08:59:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.226
X-Spam-Level:
X-Spam-Status: No, score=0.226 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_MODEMCABLE=0.768, HOST_EQ_MODEMCABLE=1.368, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uyAMA9GoUqPA for <homenet@ietfa.amsl.com>; Mon, 27 Oct 2014 08:59:38 -0700 (PDT)
Received: from ondar.cablelabs.com (ondar.cablelabs.com [192.160.73.61]) by ietfa.amsl.com (Postfix) with ESMTP id 52FF31A00F6 for <homenet@ietf.org>; Mon, 27 Oct 2014 08:59:38 -0700 (PDT)
Received: from kyzyl.cablelabs.com (kyzyl [10.253.0.7]) by ondar.cablelabs.com (8.14.7/8.14.7) with ESMTP id s9RFxZDY005931; Mon, 27 Oct 2014 09:59:35 -0600
Received: from exchange.cablelabs.com (10.5.0.19) by kyzyl.cablelabs.com (F-Secure/fsigk_smtp/407/kyzyl.cablelabs.com); Mon, 27 Oct 2014 09:59:34 -0600 (MDT)
X-Virus-Status: clean(F-Secure/fsigk_smtp/407/kyzyl.cablelabs.com)
Received: from EXCHANGE.cablelabs.com ([::1]) by EXCHANGE.cablelabs.com ([::1]) with mapi id 14.03.0195.001; Mon, 27 Oct 2014 09:59:35 -0600
From: Michael Kloberdans <M.Kloberdans@cablelabs.com>
To: Ola Thoresen <olat@powertech.no>, "homenet@ietf.org" <homenet@ietf.org>
Thread-Topic: [homenet] Comments requested for draft CER-ID
Thread-Index: AQHP8f8ABnMT2tvAoEOB5hY9+dInug==
Date: Mon, 27 Oct 2014 15:59:34 +0000
Message-ID: <D073C6B4.D381%m.kloberdans@cablelabs.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.4.2.9]
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <F0D8A5A74BD56A44B688EF84DBDF226C@cablelabs.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/homenet/wG2GxvvL_c8SW3x_O96Ze1dw8ho
Subject: Re: [homenet] Comments requested for draft CER-ID
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Oct 2014 15:59:39 -0000

Ola,
I¹d like to better understand your comment about a misconfigured router
being a security issue.

In the eRouter implementation, the CER is automatically determined.  The
only way a router would be misconfigured is if the home owner or someone
else with local access manually changes the CER.  Perhaps I¹m missing
something. Please expound - I¹m grateful for all comments.

Regards,


Michael Kloberdans
Lead Architect / Home Networking     CableLabs®

858 Coal Creek Circle.  Louisville, CO. 80027
303-661-3813 (v)




On 10/27/14, 9:00 AM, "Ola Thoresen" <olat@powertech.no> wrote:

>> On 27.10.2014, at 16.17, Michael Kloberdans <m.kloberdans@cablelabs.com>
>> wrote:
>> > All home routers should know their role; CER or IR.  The status of CER
>> > places the burden of providing the firewall and NAPT as it was
>>determined
>> > to be the edge router.  The interior routers need to understand their
>>role
>> > and disable their firewall and NAPT abilities.  This is why the
>>CER-ID is
>> > a numeric value (indicating CER status) or a double colon (indicating
>>IR
>> > status).
>> 
>> I agree with that. However, I disagree with how you are doing it.
>> 
>> > In the case of the eRouter (combined cable modem and
>> > router/switch/wireless), it performs a /48 check between the IA_NA
>>and the
>> > IA_PD ranges.  If the ISP sends a double colon or null in the CER-ID
>>ORO,
>> > AND if the IA_NA is in a different /48 than the given IA_PD, the
>>eRouter
>> > becomes the CER.  It must now declare to the IRs that it is the CER.
>>A
>> > directly connected IR will see the CER value in the ORO and, in the
>> > absence of another controlling protocol, disable its firewall and NAPT
>> > functions.
>> 
>> Why cannot it determine it is CER by bits coming from particular type of
>> plug? Cable modem plug looks different from ethernet/wireless? It would
>>be
>> much more secure that way.
>> 
>
>
>But that would not work if the router only has ethernet-ports - which is
>probably the case if the customer has various kinds of FTTH (many of
>these will use Fast/Gig-ethernet over copper for the last meters in to
>the CPE).
>
>However I do agree that the suggested solution seems sub optimal.  It is
>way to easy for a misconfigured router to disable all local security (IE.
>turning off firewalling) without the network owners knowledge.
>
>/Ola (T)
>
>_______________________________________________
>homenet mailing list
>homenet@ietf.org
>https://www.ietf.org/mailman/listinfo/homenet

v2.23.0 | Report a Bug | By Email