RE: Broadband Forum liaison to IETF on IPv6 security

"Dunn, Jeffrey H." <jdunn@mitre.org> Fri, 06 November 2009 00:49 UTC

From: "Dunn, Jeffrey H." <jdunn@mitre.org>
To: "Hemant Singh (shemant)" <shemant@cisco.com>, "Fred Baker (fred)" <fred@cisco.com>, Erik Nordmark <erik.nordmark@sun.com>, Hesham Soliman <hesham@elevatemobile.com>, JINMEI Tatuya / 神明達哉 <jinmei@isl.rdc.toshiba.co.jp>, Thomas Narten <narten@us.ibm.com>, "Susan Thomson (sethomso)" <sethomso@cisco.com>, "william.allen.simpson@gmail.com" <william.allen.simpson@gmail.com>
Date: Thu, 05 Nov 2009 19:50:10 -0500
Subject: RE: Broadband Forum liaison to IETF on IPv6 security
Cc: "6man-ads@tools.ietf.org" <6man-ads@tools.ietf.org>, IETF IPv6 Mailing List <ipv6@ietf.org>, "savi-ads@tools.ietf.org" <savi-ads@tools.ietf.org>, IPv6 Operations <v6ops@ops.ietf.org>, "v6ops-ads@tools.ietf.org" <v6ops-ads@tools.ietf.org>, Robin Mersh <rmersh@broadband-forum.org>, SAVI Mailing List <savi@ietf.org>

Hemant,

That is fine if only hosts are connected to the CM. If the CM is connected to a cheap CPE router, then the router sees the CM on one link (its default route out) and the hosts attached to it on other links. In the case where there are hosts connected to an integrated Ethernet hub and via WiFi, there will be two downstream broadcast domains in the home that cannot hear each other’s ND messages. As a result, for SLAAC to work, the cheap CPE router must have two /64 prefixes assigned to it or a /63 assigned to the CMTS virtual interface connected to the CM.

Am I missing something?

Best Regards,

Jeffrey Dunn
Info Systems Eng., Lead
MITRE Corporation.
(301) 448-6965 (mobile)
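An added illustration of the prefix-sizing point above (example code, not from the thread or any vendor): it carves one /64 per downstream link out of the prefix the CPE router holds, fails when a single /64 is asked to cover two segments, and shows that two hosts on different downstream /64s are off-link to each other. The prefixes and link names are constructed sample values, and the function names are hypothetical; `minimum_delegation` generalises the /63-for-two-links case to any number of links.

```python
import ipaddress


def minimum_delegation(links):
    """Shortest prefix length that yields one /64 per downstream link.

    1 link -> /64, 2 links -> /63, 3 or 4 links -> /62, and so on.
    """
    return 64 - (len(links) - 1).bit_length()


def split_delegated_prefix(delegated, links):
    """Assign one /64 per downstream link from the CPE's delegated prefix.

    Raises ValueError when the delegated prefix cannot cover every link,
    which is exactly the situation a lone /64 leaves a two-segment home in.
    """
    net = ipaddress.IPv6Network(delegated)  # strict: host bits must be zero
    if net.prefixlen > 64:
        raise ValueError(f"{net} is longer than /64; SLAAC needs a /64 per link")
    subnets = list(net.subnets(new_prefix=64))
    if len(subnets) < len(links):
        raise ValueError(
            f"{net} yields {len(subnets)} /64(s) but {len(links)} links need "
            f"one each; a /{minimum_delegation(links)} or shorter is required")
    # Each link gets its own /64, so RAs and ND stay inside one broadcast domain.
    return dict(zip(links, subnets))


def on_same_link(addr_a, addr_b, assignment):
    """True only if both addresses fall inside the same downstream /64.

    Hosts in different /64s (e.g. wired hub vs. WiFi) are off-link to each
    other: their ND messages never reach the other segment, so traffic
    between them must go through the CPE router.
    """
    a = ipaddress.IPv6Address(addr_a)
    b = ipaddress.IPv6Address(addr_b)
    return any(a in net and b in net for net in assignment.values())


if __name__ == "__main__":
    # Constructed sample: a /63 handed to a router with a wired hub and WiFi.
    plan = split_delegated_prefix("2001:db8:0:2::/63", ["eth-hub", "wlan"])
    for link, net in plan.items():
        print(f"{link}: {net}")
    print(on_same_link("2001:db8:0:2::10", "2001:db8:0:3::10", plan))  # False
```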

From: Hemant Singh (shemant) [mailto:shemant@cisco.com]
Sent: Thursday, November 05, 2009 7:39 PM
To: Dunn, Jeffrey H.; Fred Baker (fred); Erik Nordmark; Hesham Soliman; JINMEI Tatuya / 神明達哉; Thomas Narten; Susan Thomson (sethomso); william.allen.simpson@gmail.com
Cc: 6man-ads@tools.ietf.org; IETF IPv6 Mailing List; savi-ads@tools.ietf.org; Robin Mersh; v6ops-ads@tools.ietf.org; IPv6 Operations; SAVI Mailing List
Subject: RE: Broadband Forum liaison to IETF on IPv6 security

Could be VLAN-like; one has L2 VPN in the cable specifications. But L2 VPN will limit one to 1024 max per cable line card on a CMTS – it’s very limited for a services architecture in cable and I don’t think it is deployed very widely. The point is a cable modem receiver chip is built to send its upstream data only to the CMTS and likewise receive data from the CMTS – so how can two modems even talk to each other?

The link-local domain on the CMTS is also well-defined and tied to a virtual L3 network interface that aggregates several physical cable network interfaces and all the modems. As of Fall 2007, CableLabs in the U.S., which certifies CMTS and CM equipment, has certified more than one CMTS vendor for Docsis 3.0 IPv6 with ND Proxy support on the CMTS.

I will be in Hiroshima, so if anyone would like to understand the cable and CMTS link-local model and mcast for ND in cable, please find me – I am hanging out in 6man, v6ops, INT area and the like.

Regards,

Hemant

From: Dunn, Jeffrey H. [mailto:jdunn@mitre.org]
Sent: Thursday, November 05, 2009 6:35 PM
To: Hemant Singh (shemant); Fred Baker (fred); Erik Nordmark; Hesham Soliman; JINMEI Tatuya / 神明達哉; Thomas Narten; Susan Thomson (sethomso); william.allen.simpson@gmail.com
Cc: 6man-ads@tools.ietf.org; IETF IPv6 Mailing List; savi-ads@tools.ietf.org; Robin Mersh; v6ops-ads@tools.ietf.org; IPv6 Operations; SAVI Mailing List; Dunn, Jeffrey H.
Subject: RE: Broadband Forum liaison to IETF on IPv6 security

Colleagues,

I may be missing something, but it appears that, in the cases described, the two hosts downstream of two separate cable modems are off link to each other. This brings up the question: Do these two cable modems constitute two virtual interfaces, like two VLANs on the same physical router interface? If so, this is an architectural, rather than an implementation, question. Thoughts?

Best Regards,

Jeffrey Dunn
Info Systems Eng., Lead
MITRE Corporation.
(301) 448-6965 (mobile)