Re: [v6ops] Fwd: I-D Action:draft-ietf-v6ops-cpe-simple-security-15.txt

[Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>]

Hi Fred,

I'm really quite concerned about this new text,

REC-13: By DEFAULT, Internet gateways SHOULD, automatically download
   and install software updates for extending IPv6 simple security for
   support of future standard upper layer transports and extension
   headers.

in particular the automatic install, as I don't think the
consequences of automatically updating the firmware "behind the
customers back" have been fully considered. 

If there are any failures with this mechanism at all, the customer
will most likely be calling the ISP, not the product vendor, despite the
vendor being in control of and responsible for when this new firmware is
deployed. It will appear to the customer that the ISP's service has
failed. As an update is likely to be pushed out to many CPE at once,
that could result in floods of 100s, 1000s etc. of unexpected calls to
the ISP's helpdesk moments after the update occurs. It could also mean
that updates occur in the middle of when the ISP's services are most
used due to differing time zones between when the vendor pushes new
firmware out verses and when customers are most commonly using the
Internet services.  In this scenario the ISP should be in control of
when these updates are made available.

Following the model used by vendors of desktop OSes these days, it
would be better if when updates were pushed out, the customer was
alerted to an update being available, and the customer had to somehow
manually trigger the update, to avoid disrupting services. 

I think it'd probably be better to make only a passing comment about
keeping the firmware up to date, avoiding it being a specific SHOULD
recommendation, without details, in this document. The Broadband Forum,
with mechanisms such as TR-69, seem to be more thoroughly considering
these issues.

Regards,
Mark.



On Tue, 12 Oct 2010 11:36:09 -0700
Fred Baker <fred@cisco.com> wrote:

> This is a quick consensus check. The CPE Simple Security document is about to complete IESG review, and has gone through four revisions in the process of IETF Last Call and IESG review. I'd like to the working group to quickly ratify (or not) the changes that have been made and the current text.
> 
>     ftp://ftpeng.cisco.com/fred/v6ops/draft-ietf-v6ops-cpe-simple-security-11-15.html
>     http://www.ietf.org/internet-drafts/draft-ietf-v6ops-cpe-simple-security-15.txt
>     http://datatracker.ietf.org/doc/draft-ietf-v6ops-cpe-simple-security
> 
> If you have any comments, please make them by the weekend. Silence will be presumed to be consent.
> 
> Begin forwarded message:
> 
> > From: Internet-Drafts@ietf.org
> > Date: October 12, 2010 11:00:01 AM PDT
> > To: i-d-announce@ietf.org
> > Cc: v6ops@ietf.org
> > Subject: [v6ops] I-D Action:draft-ietf-v6ops-cpe-simple-security-15.txt
> > 
> > A New Internet-Draft is available from the on-line Internet-Drafts directories.
> > This draft is a work item of the IPv6 Operations Working Group of the IETF.
> > 
> > 
> > 	Title           : Recommended Simple Security Capabilities in Customer Premises Equipment for Providing Residential IPv6 Internet Service
> > 	Author(s)       : J. Woodyatt
> > 	Filename        : draft-ietf-v6ops-cpe-simple-security-15.txt
> > 	Pages           : 35
> > 	Date            : 2010-10-12
> > 
> > This document identifies a set of recommendations for the makers of
> > devices describing how to provide for "simple security" capabilities
> > at the perimeter of local-area IPv6 networks in Internet-enabled
> > homes and small offices.
> > 
> > A URL for this Internet-Draft is:
> > http://www.ietf.org/internet-drafts/draft-ietf-v6ops-cpe-simple-security-15.txt
> > 
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> > 
> > Below is the data which will enable a MIME compliant mail reader
> > implementation to automatically retrieve the ASCII version of the
> > Internet-Draft.